How to Encrypt Your Home in openSUSE Tumbleweed

Encrypting your home directory is a great way to protect your information. Unfortunately, Tumbleweed does not provide a straightforward way to encrypt your home directory (as Ubuntu does). But it is not too hard if you're willing to dig into the command line. I tried this in early October on openSUSE Tumbleweed, but I cannot guarantee that it will work. By default, ecryptfs backs up your data during the migration, which should prevent data loss, but it goes without saying that you should always have your 3-2-1 backups (preferably with frequent snapshots), so even if this goes horribly wrong, your data is safe.

While logged in as your user, run:

sudo zypper install ecryptfs-utils cryptsetup
sudo modprobe ecryptfs

Now restart. DO NOT LOG IN AS YOUR USER. Log in as root, open a terminal, and run (replace $username with your username):

ecryptfs-migrate-home -u $username
su $username
cd ~
ecryptfs-mount-private
cd ~
ecryptfs-unwrap-passphrase #write this down
ecryptfs-umount-private
exit

Now, if you have a swap partition, run:

ecryptfs-setup-swap

Having your encrypted home unlocked automatically when you log in requires modifying your PAM config. You need to determine which display manager you're using. If you installed the KDE desktop, you're likely using SDDM. Regardless of which display manager you're using, the configuration will be in some file inside "/etc/pam.d/". In the case of SDDM it is "/etc/pam.d/sddm".

After "auth include common-auth"
insert "auth required pam_ecryptfs.so unwrap"

After "password include common-password"
insert "password optional pam_ecryptfs.so"

After "session include common-session"
insert "session optional pam_ecryptfs.so unwrap"

After those edits my config looked like this. I have highlighted the added lines in red (your config might be different):

#%PAM-1.0
auth include common-auth
auth required pam_ecryptfs.so unwrap
account include common-account
password include common-password
password optional pam_ecryptfs.so
session required pam_loginuid.so
session include common-session
session optional pam_ecryptfs.so unwrap
session optional pam_keyinit.so revoke force
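
A quick check to run as root before you restart, added here as an example and not part of the original post: it confirms that each of the three pam_ecryptfs.so lines is present and sits after its matching include line, and that the auth and session lines carry the unwrap option. The function name check_pam_ecryptfs is made up for this example, and the script assumes one-word control fields such as "required" or "optional".

```shell
#!/bin/sh
# Added example, not from the original post. check_pam_ecryptfs is a
# hypothetical helper name. Assumes one-word control fields (required, optional).

# check_pam_ecryptfs FILE: report each rule, return 0 only if all three pass.
check_pam_ecryptfs() {
    awk '
    BEGIN {
        # PAM type -> include that must come before pam_ecryptfs.so
        want["auth"] = "common-auth"
        want["password"] = "common-password"
        want["session"] = "common-session"
    }
    /^[ \t]*#/ || NF < 3 { next }            # skip comments and short lines
    !($1 in want) { next }                   # account etc. are not checked
    $2 == "include" && $3 == want[$1] && !($1 in inc) { inc[$1] = NR }
    $3 == "pam_ecryptfs.so" && !($1 in mod) {
        mod[$1] = NR
        for (i = 4; i <= NF; i++) if ($i == "unwrap") unwrap[$1] = 1
    }
    END {
        bad = 0
        for (t in want) {
            if (!(t in mod)) msg = "pam_ecryptfs.so line missing"
            else if (!(t in inc)) msg = "include " want[t] " missing"
            else if (mod[t] < inc[t]) msg = "pam_ecryptfs.so is before " want[t]
            else if (t != "password" && !(t in unwrap)) msg = "unwrap option missing"
            else msg = ""
            if (msg != "") bad = 1
            print t ": " (msg == "" ? "ok" : msg)
        }
        exit bad
    }' "$1"
}

if [ "$#" -ge 1 ]; then
    check_pam_ecryptfs "$1"                  # e.g. /etc/pam.d/sddm
else
    # Constructed sample: the auth line was inserted above common-auth.
    sample=$(mktemp)
    printf '%s\n' 'auth required pam_ecryptfs.so unwrap' \
        'auth include common-auth' \
        'password include common-password' 'password optional pam_ecryptfs.so' \
        'session include common-session' \
        'session optional pam_ecryptfs.so unwrap' > "$sample"
    check_pam_ecryptfs "$sample" || echo "sample: fix the lines reported above"
    rm -f "$sample"
fi
```

Save it as a script and pass the PAM file as the only argument; with no argument it runs against the constructed sample and reports the misplaced auth line.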

Now restart and log in as your user. Verify that everything has worked correctly. If it did not, a backup of your data was created in "/home/$username.$randomLetters", where $randomLetters is three random letters. If you wish to recover from a failed setup, you can simply restart, log in as root, remove "/home/$username", and rename the backup to "/home/$username".

Once you have verified that your setup is working by using it for some time, you can delete the backup directory at "/home/$username.$randomLetters".

If you are looking for secure and encrypted cloud storage, I really like Keybase. It uses public-key crypto to protect your data and you get 250 GB free.

Some resources / credits:
https://wiki.archlinux.org/index.php/ECryptfs#Encrypting_a_home_directory
https://www.techrepublic.com/article/2-ways-to-better-secure-your-linux-home-directory/