We use cookies to ensure that we give you the best experience on our website. You can change your cookie settings at any time. Otherwise, we'll assume you're OK to continue.

Durham University

Computing and Information Services

Encrypting Linux Laptops


Though Computing & Information Services do not currently provide a laptop version of our Linux Managed Desktop Service, we recommend that you encrypt the data on your device, and the instructions below outline our guide for encrypting your home directory on a Linux Laptop.

Encryption is additional measure to enhance the security of your data. It codes (scrambles) your information so that it can only be read by someone who is authorised and has the 'key' or code to unlock it. It is an essential security tool to protect personal data (yours and other people's) and business data and, if you are a laptop user, we strongly recommend that you take this measure to secure your device.

The process outlined below will encrypt the files in your home directory, files stored elsewhere will not be secured unless you have additional measures in place. Filenames are also not encrypted, and so we strongy recommend that you avoid putting sensitive personal data within these names.

Supported Distribution

The instructions are for Debian, which is the distribution used as part of the Managed Linux Desktop Service. They should work for more recent Debian installations as well, though we cannot guarantee this.

New Installations

If you are installing a new copy of Debian on your laptop, you will be asked during installation whether you wish to encrypt your home directory or not.

Simply say yes, and let the installation complete.

Encrypting an existing Home Directory

  • Take a full backup of your laptop, and verify you can read the backup!
  • Install the encryption tools sudo apt install ecryptfs-utils
  • Set a root password sudo passwd root
  • Reboot the machine, and log in on the console as root. Do not log in as your ordinary user
  • ecryptfs-migrate-home -u <USERNAME>
  • Providing you get no error messages from the migration utility, log in as the user in question. It is vital that you log in as the user in question before powering off or rebooting your machine as the encryption key is temporarily stored in memory, waiting to be encrypted with the user's password on next login.
  • Reboot the system and verify you can log in as the user, and that your files are there.
  • Check your home directory is encrypted by typing df . from your home directory. This should show something like ecryptfs on .Private or similar
  • Once you have double-checked that your home directory has succesfully migrated, delete the old unencrypted copy which is found in /home

Keeping a backup of the encryption key

Once the installation has completed, type ecryptfs-unwrap-passphrase in a terminal, and print out the resulting encryption key. Keep this key in a safe place away from your laptop. Note that if you do not keep a copy of this key and forget your password, there is nothing that can be done to recover your data.

To help ensure that your data is safe and always accessible, CIS are happy to look after a copy of this key for you. If you wish to take advantage of this please bring a printed copy to the IT Service Desk and we will securely store it.