eCryptfs is a POSIX-compliant, enterprise-class stacked cryptographic filesystem for Linux (it is layered on top of another filesystem rather than replacing it).



Initial configuration

Install ecryptfs-utils-85-4 and pam-pam_ecryptfs-85-4 or newer.

Add all users that should be able to encrypt their data to the ecryptfs group.

Set up PAM

Three new lines are needed (one each in the auth, password and session stacks). Note that they have to be placed after pam_unix!

[root@host ~]# cat /etc/pam.d/system-auth
auth            required item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth            required
auth            required deny=0 file=/var/log/faillog onerr=succeed
auth            required try_first_pass

# ECRYPTFS SUPPORT - has to be AFTER pam_unix
auth            optional unwrap

account         required file=/var/log/faillog onerr=succeed
account         required
account         required

# password      [success=1 ignore=reset abort=die default=bad] upper=1 digit=1
password        required try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required try_first_pass sha512 shadow use_authtok

# ECRYPTFS SUPPORT - has to be AFTER pam_unix
password        required

password        required failok seteuid /usr/bin/make -C /var/db
# password      required failok seteuid /usr/bin/make -C /var/yp

session         optional revoke debug
session         required change_uid
session         [success=1 default=ignore] service in crond quiet use_uid
session         required

# ECRYPTFS SUPPORT - has to be AFTER pam_unix
session         optional unwrap
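As an added check (example code, not part of the original page or of ecryptfs-utils): a POSIX shell script that verifies, on a constructed sample of /etc/pam.d/system-auth, that the pam_ecryptfs.so entry sits after pam_unix.so in each of the auth, password and session stacks, which is the ordering the configuration above insists on. The module file names pam_unix.so and pam_ecryptfs.so are the real ones; the sample configuration contents and the function names pam_order_ok and check_pam_file are this example's own.

```shell
#!/bin/sh
# Added example, not the page's own code: check pam_ecryptfs.so ordering.
# Stack types and module file names are standard PAM; everything else here
# (function names, sample files) is constructed for this example.

# pam_order_ok FILE TYPE
# Returns 0 if the first pam_ecryptfs.so entry of stack TYPE
# (auth|password|session) in FILE comes after the first pam_unix.so entry
# of the same stack; returns 1 if either entry is missing or the order is
# wrong. Comment lines never match because their first field is "#".
pam_order_ok() {
    file=$1
    type=$2
    unix_line=$(awk -v t="$type" '$1==t && /pam_unix\.so/ {print NR; exit}' "$file")
    ecr_line=$(awk -v t="$type" '$1==t && /pam_ecryptfs\.so/ {print NR; exit}' "$file")
    if [ -n "$unix_line" ] && [ -n "$ecr_line" ] && [ "$ecr_line" -gt "$unix_line" ]; then
        return 0
    fi
    return 1
}

# check_pam_file FILE
# Prints one result line per stack; returns 0 only if all three stacks
# are correctly ordered.
check_pam_file() {
    rc=0
    for t in auth password session; do
        if pam_order_ok "$1" "$t"; then
            echo "$t: ok"
        else
            echo "$t: pam_ecryptfs.so missing or not after pam_unix.so"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: correctly ordered stacks (module names added in the
# third column, as a real system-auth file carries them).
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth            required        pam_unix.so try_first_pass
# ECRYPTFS SUPPORT - has to be AFTER pam_unix
auth            optional        pam_ecryptfs.so unwrap
account         required        pam_unix.so
password        required        pam_unix.so try_first_pass sha512 shadow use_authtok
password        required        pam_ecryptfs.so
session         required        pam_unix.so
session         optional        pam_ecryptfs.so unwrap
EOF

# Constructed sample: pam_ecryptfs.so placed BEFORE pam_unix.so in auth and
# missing entirely from the password stack; only session is correct.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
auth            optional        pam_ecryptfs.so unwrap
auth            required        pam_unix.so try_first_pass
password        required        pam_unix.so try_first_pass sha512 shadow use_authtok
session         required        pam_unix.so
session         optional        pam_ecryptfs.so unwrap
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT

# Demo run over both samples; on a real host call: check_pam_file /etc/pam.d/system-auth
for f in "$GOOD" "$BAD"; do
    echo "== $f"
    check_pam_file "$f" || echo "FAILED: $f"
done
```

The script only inspects ordering within one file; if the stacks are split across included files, run it on the file that actually carries the pam_unix.so and pam_ecryptfs.so lines.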

Account migration

End all sessions of USER, log out from the machine and run as root:

ecryptfs-migrate-home -u USER

Follow the instructions on the screen.

