How could I encrypt Linux Mint

[whois1230]

Hi, I'm running the newest version of Mint and I want to encrypt my whole system. Is there a way to do this without reinstalling the OS?

[Mute Ant]

Certainly you can convert an unencrypted file system into something linux-encrypted, but then you have to reprogram Linux to tell it how to unlock the encryption before it tries to mount it. It's not impossibly difficult, but you end up with a non-standard Mint that nobody else can service.

If your intention is to prevent a thief from looking at your private data, you can...
o Re-install Mint using Encrypt-My-OS.
o Make a new user with an encrypted home.
o Add an encrypted Private folder in your existing user's home.

That last one is quite friendly..
o You get to choose your own Mount Passphrase
o You don't have to put everything in there, just your personal data.
o If it gets damaged you can still log in.
Just...
ecryptfs-setup-private
...it makes a miniature encrypted file-system that's mounted over the Private folder when you log in...
df -h ~/Private

• /home/mute/.Private 54G 8.2G 43G 16% /home/mute/Private

[whois1230]

Certainly you can convert an unencrypted file system into something linux-encrypted, but then you have to reprogram Linux to tell it how to unlock the encryption before it tries to mount it. It's not impossibly difficult, but you end up with a non-standard Mint that nobody else can service.

If your intention is to prevent a thief from looking at your private data, you can...
o Re-install Mint using Encrypt-My-OS.
o Make a new user with an encrypted home.
o Add an encrypted Private folder in your existing user's home.

That last one is quite friendly..
o You get to choose your own Mount Passphrase
o You don't have to put everything in there, just your personal data.
o If it gets damaged you can still log in.
Just...
ecryptfs-setup-private
...it makes a miniature encrypted file-system that's mounted over the Private folder when you log in...
df -h ~/Private

• /home/mute/.Private 54G 8.2G 43G 16% /home/mute/Private

Hi, how about https://www.veracrypt.fr/en/Downloads.html

[whois1230]

Is there a way to encrypt directories? For example Documents, Downloads etc. I tried gpg-zip -c -o file.gpg /home/user/Videos in the terminal, it asked for my password twice and I gave it. However, when I open the folder Videos(/home/user/Videos), I don't get prompted to enter a password.

[whois1230]

If your intention is to prevent a thief from looking at your private data, you can...
o Make a new user with an encrypted home.

How could I make a new user with an encrypted home?

[Mute Ant]

"...how could I make a new user with an encrypted home..." For Mint 19 Mate that's under...
Control Centre: Users and Groups: Add: Encrypt home folder

An encrypted-home user has a couple of extra requirements...
o You can't set that user to log in automatically. Entering the password is part of unlocking the home folder.
o You can't use root or sudo to change that user's account password. The passwd command or the Control Centre when logged in work okay.
...and a couple of suggestions...
o Keep a plain-text copy of the encrypted data on something removable.
o Avoid using suspend or hibernate, switch it right off.

[Mattyboy]

How could I make a new user with an encrypted home?

From within the admin account

Code: Select all

sudo adduser --encrypt-home userName

Follow the instructions. You may have to install ecryptfs-utils but the terminal will tell you how.

If you require the account to have sudo privileges

Code: Select all

visudo -f /etc/sudoers

and add at the bottom

Code: Select all

userName ALL=(ALL:ALL) ALL

You'll still need to use the 'admin' password for certain tasks when logged in to this account.

[Mute Ant]

"...if you require the account to have sudo privileges..."
sudo adduser mute sudo ### Add user 'mute' to the sudo group.

[Mattyboy]

"...if you require the account to have sudo privileges..."
sudo adduser mute sudo ### Add user 'mute' to the sudo group.

That's nice and painless

[whois1230]

How could I make a new user with an encrypted home?

From within the admin account

Code: Select all

sudo adduser --encrypt-home userName

Follow the instructions. You may have to install ecryptfs-utils but the terminal will tell you how.

If you require the account to have sudo privileges

Code: Select all

visudo -f /etc/sudoers

and add at the bottom

Code: Select all

userName ALL=(ALL:ALL) ALL

You'll still need to use the 'admin' password for certain tasks when logged in to this account.

I managed to create a new user with an encrypted home folder. Is there any way to encrypt the home folder of my original user and is it safe? Could I lose my data?

[majpooper]

Hi, how about https://www.veracrypt.fr/en/Downloads.html

This is about as easy as it gets - just put all your sensitive data in an encrypted container in your home dir and only open it when you need it.

[Mute Ant]

"...could I lose my data..." Yes, at any time, for no reason at all. You should not need to worry about this... because ...all your data is duplicated on removable storage.

"...is there any way to encrypt the home folder of my original user..." Yes. You need lots of free space in your /home folder and be able to log in as root. The command...
man ecryptfs-migrate-home
...will show you how.

[whois1230]

"...could I lose my data..." Yes, at any time, for no reason at all. You should not need to worry about this... because ...all your data is duplicated on removable storage.

"...is there any way to encrypt the home folder of my original user..." Yes. You need lots of free space in your /home folder and be able to log in as root. The command...
man ecryptfs-migrate-home
...will show you how.

How about an USB device? I tried this tutorial https://linux.tips/tutorials/how-to-enc ... ng-system , however I can't get it to work. This is the output I'm getting:

Code: Select all

user@user ~ $ sudo fdisk -l
[sudo] password for user: 
Disk /dev/sda: 149.1 GiB, 160041885696 bytes, 312581808 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe0d53d22

Device     Boot     Start       End   Sectors   Size Id Type
/dev/sda1  *         2048 304474111 304472064 145.2G 83 Linux
/dev/sda2       304476158 312580095   8103938   3.9G  5 Extended
/dev/sda5       304476160 312580095   8103936   3.9G 82 Linux swap / Solaris




Disk /dev/sdb: 15 GiB, 16034824192 bytes, 31318016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x06b9b960

Device     Boot Start      End  Sectors Size Id Type
/dev/sdb1        8064 31318015 31309952  15G  c W95 FAT32 (LBA)
user@user ~ $ sudo apt-get install cryptsetup
Reading package lists... Done
Building dependency tree       
Reading state information... Done
cryptsetup is already the newest version (2:1.6.6-5ubuntu2.1).
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
user@user ~ $ sudo cryptsetup luksFormat /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): Yes
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb USBDrive
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb
Command requires device and mapped name as arguments.
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb PHILIPS UFD
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ ls -arlt /dev/mapper | tail
total 0
drwxr-xr-x  2 root root      60 Jul 15 11:42 .
crw-------  1 root root 10, 236 Jul 15 11:42 control
drwxr-xr-x 21 root root    4380 Jul 15 12:00 ..
user@user ~ $ sudo mkfs -t ext4 /dev/mapper/USBDrive
mke2fs 1.42.13 (17-May-2015)
The file /dev/mapper/USBDrive does not exist and no size was specified.
user@user ~ $ sudo cryptsetup luksFormat /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): yes
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb USBDrive
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ sudo cryptsetup luksFormat /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Cannot format device /dev/sdb which is still in use.
user@user ~ $ sudo cryptsetup luksFormat /dev/sdb

WARNING!
========
This will overwrite data on /dev/sdb irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
Cannot format device /dev/sdb which is still in use.
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb USBDrive
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb PHILIPS UFD
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ sudo cryptsetup luksOpen /dev/sdb PHILIPSUFD
Device /dev/sdb is not a valid LUKS device.
user@user ~ $ 

Edit: I found an application called Disks. I'm running 18.3 Cinnamon 64-bit by the way. With this app I successfully encrypted 2 USB drives. There's also an option to encrypt my Hard Disk without overwriting my data, and I wonder wheter encrypting my Hard Disk is the same as encrypting my OS during a new OS installation?

[Mute Ant]

Certainly you can convert an unencrypted file system into something linux-encrypted, but..."