BLU Discuss list archive
[Discuss] Encrypt /home and allow unattended boot?
- Subject: [Discuss] Encrypt /home and allow unattended boot?
- From: dsr at randomstring.org (Dan Ritter)
- Date: Fri, 27 Sep 2019 10:39:43 -0400
- In-reply-to: <23950.6002.375891.124402@blazemonger.com>
- References: <mailman.1.1569513602.7173.discuss@blu.org> <23950.6002.375891.124402@blazemonger.com>
Daniel Barrett wrote:
>
> I'm thinking about encrypting the /home partition on an Ubuntu box.
> Is there a way to do it so I'm prompted for the decryption passphrase
> when I log in or SSH in, not at boot time? I don't want to enter the
> passphrase during the boot process because I want to permit unattended
> reboots.
>

You can do a directory (per-user encryption) or a filesystem (/home, which is what you asked for) or a full disk. Full disk requires boot-time passphrase entry; the others do not.

The kernel built-in crypto system is handled by either cryptsetup or cryptmount. Cryptsetup is generally used for full-disk or similar "don't boot without passphrase" systems; cryptmount is what you are looking for.

You can also use encfs, which is an overlay filesystem. It provides less metadata security -- any user can see the number of files, what perms they have, a lower bound on their size, and atime/mtime stats. On the other hand, it's a lot easier to experiment with.

Avoid ecryptfs, which was widely supported earlier but now has no maintainer in Ubuntu or Debian: https://help.ubuntu.com/community/EncryptedPrivateDirectory uses ecryptfs.

http://manpages.ubuntu.com/manpages/disco/man8/cryptmount.8.html is the helpful manpage for cryptmount.

-dsr-
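
The following cmtab entry is an added example, not part of the original message: it sketches the cryptmount approach recommended above for a /home that stays locked through an unattended boot. The device `/dev/sdXN`, the target name `home`, the key file path, the filesystem type and the cipher choice are all assumptions.

```conf
# /etc/cryptmount/cmtab -- constructed example target for an encrypted /home
# that is unlocked after boot rather than during it.
# Assumptions: /dev/sdXN is a placeholder for a spare partition, "home" is
# an arbitrary target name, and /home has no entry in /etc/fstab.

home {
    dev=/dev/sdXN                       # placeholder block device
    dir=/home                           # mount point
    fstype=ext4
    mountoptions=defaults,nosuid,nodev
    cipher=aes-xts-plain64              # dm-crypt cipher for the filesystem
    keyformat=builtin                   # key file is encrypted under the passphrase
    keyfile=/etc/cryptmount/home.key
    bootaction=none                     # take no action on this target at boot
}

# One-time setup, run as root (destroys any data on the device):
#   cryptmount --generate-key 32 home   # prompts for the new passphrase
#   cryptmount --prepare home           # creates /dev/mapper/home
#   mkfs.ext4 /dev/mapper/home
#   cryptmount --release home
#
# After an unattended reboot, from a login or SSH session:
#   cryptmount -m home                  # prompts for the passphrase, mounts /home
#   cryptmount -u home                  # unmounts and removes the mapping
```

Until the target is mounted, logins see the unencrypted directory underneath /home, so anything needed to log in over SSH (such as `authorized_keys`) has to exist there as well.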