There are of course various ways to set up an encrypted home directory. Here's mine.
I use
encfs, which is a
FUSE filesystem. This might be better as a step by step HOWTO.
1. Make sure you have a big enough partition where the actual encrypted data would be stored. Make an entry in /etc/fstab mounting it at /real_home.
2. Make user directories in /real_home/. The only one I have is mine, /real_home/gera/
3. On the / filesystem, make a stub directory /home/gera - this will be the mountpoint for the encrypted filesystem.
4. Set up encfs - something like
$ encfs /real_home/gera /home/gera
You can choose the preconfigured paranoia mode.
5. install
pam_encfs. The standard config will do, with very few changes. Here's mine :
gera@gera-laptop:~$ cat /etc/security/pam_encfs.conf | egrep -v '^(#|$)'
drop_permissions
encfs_default --idle=1
fuse_default nonempty
gera /real_home/gera /home/gera -v,--idle=1 allow_other,nonempty
Note the "allow_other" option. X will give you trouble if you don't do that.
6. Modify the common-auth and common-session files in /etc/pam.d - here are mine :
gera@gera-laptop:~$ cat /etc/pam.d/common-auth | egrep -v '^(#|$)'
auth sufficient pam_encfs.so
auth required pam_unix.so nullok_secure use_first_pass
gera@gera-laptop:~$ cat /etc/pam.d/common-session | egrep -v '^(#|$)'
session required pam_encfs.so
session required pam_unix.so
session optional pam_foreground.so
7. Now you're set. You can log in from a console and the encrypted partition will be mounted at $HOME. Go ahead, try it. I said console. GDM doesn't work yet. For that, there are a couple of more tweaks.
8. Edit /etc/security/pam_env.conf to set up your ICEAUTHORITY environment variable. When you're logging in, your $HOME doesn't have the .ICEAuthority file, and GDM/Gnome fail. We'll tell them to look for it in an alternate location. Here's my /etc/security/pam_env.conf :
gera@gera-laptop:~$ cat /etc/security/pam_env.conf | egrep -v '^(#|$)'
LOGNAME DEFAULT="gera" OVERRIDE=${LOGNAME}
ICEAUTHORITY DEFAULT=/real_home/${LOGNAME}/.ICEauthority
9. Try it out. If something doesn't work, please let me know. I might have forgotten something. Oh, and remember to set a root password on ditros like Ubuntu which encourage only the sudo way. I'd also recommend keeping a root session open in a console (or two) during this whole setup, in case anything goes wrong.
It should be clear that these are guidelines only. I am an idiot, and shouldn't be held responsible if you lose your data, your hardware, your privacy, or your job. Proceed at your own risk. :)