Not long ago, I made the case that for most users file-level encryption is adequately secure and much higher-performing than full-disk encryption. I received a lot less pushback than anticipated for expressing this heterodox view — by which I mean I actually got none. Quite to the contrary, some readers sent messages and comments expressing curiosity and eagerness to try file-level encryption.
This came as a surprise. I wasn’t sure how many people would want to put file-level encryption into practice, and I imagined those who did would take the less arduous route of installing a distribution like Linux Mint that offers this as a checkbox in a menu.
That’s why I left my argument almost entirely in the realm of theory. I was more interested in challenging an accepted model with an underrepresented alternative. A theoretical approach suited this exercise while simultaneously leaving implementation up to those intrepid enough to put theory into practice. After all, Linux is about doing what you want, and I was not about to tell anyone what that might be.
But now that I have observed interest in setting up file-level encryption, I wanted to contribute this piece as a demonstration of one means of doing so which is widely available for Linux desktop users. I configured my file-level encryption setup via my distro’s GUI installer, but not everyone has this option. So, to offer a similar encryption scheme to as many users as possible, I will walk you through how to use fscrypt to create an encrypted filesystem.
Be warned that this involves tinkering on the command line and doing a partially or fully manual operating system installation. If that doesn’t appeal to you, you’ll probably want to pass on this. Fortunately, there are graphical solutions that you can apply after system installation.
Unlocking the Power Within
So what is fscrypt?
Fscrypt is a tool that presents a simple command line interface for configuring the encryption built into the fourth extended (more commonly “ext4”) filesystem. It is not an encryption algorithm in its own right, but an intermediary between the user and ext4’s native encryption. The intent behind fscrypt is to translate the otherwise arcane incantations of ext4 encryption into something comprehensible to intermediate Linux users.
While simple, fscrypt offers multiple configuration modes. First, it can encrypt any directory, protecting all the files and subdirectories within. This protection obscures both the filenames and data of all its contents when it’s locked.
Second, and most appealing for those seeking unobtrusive security, is that users can set the decryption to occur automatically upon entering their user password. Instead of getting a second, separate decryption prompt along with the login prompt, the act of logging in itself performs the decryption.
Start Your Terminals!
The basic game plan here is fairly straightforward. First, you enable encryption on the desired ext4 filesystems. Second, you install fscrypt. Third, you edit the PAM configuration files to link the decryption process to your user account’s password. Lastly, you enable fscrypt on the filesystem.
A brief note on PAM (Pluggable Authentication Modules): it’s what enforces the Unix account access principles on your Linux system. Its duties include separating user from root accounts and giving each account its permissions.
Before proceeding, I should note some caveats.
To start with, the steps below were executed on Arch Linux, for two reasons. One, the documentation I consulted for fscrypt came from the Arch Wiki, so they will naturally run the smoothest on Arch Linux. Information found on the Arch Wiki is often perfectly applicable to other distros, but it isn’t always a perfect fit. Two, Arch Linux’s installation is piecemeal from the ground up. Since the user executes every step manually, they can easily stop and insert additional commands between steps, as fscrypt setup requires.
Not all GUI Linux installers let you pause the process to customize your new OS; some hand back control only when installation is completely finished. This matters because fscrypt only works on an empty user directory, and most distributions’ GUI installers automatically populate these (e.g. with directories like “Documents”) during installation.
Additionally, as the foregoing implies, I am performing the encryption during installation. This guide, then, will not be totally applicable when enabling fscrypt post-installation. There are ways of doing this, but they are more cumbersome. So, if you’re reading along with this guide, I encourage you to follow suit and configure fscrypt during installation.
Regardless of which distro I would have picked to demo fscrypt, it would invariably proceed differently than something someone else is using. Considering that Arch Linux’s installation will look more or less similar to that of each user’s preferred distribution, you will have to translate between the two.
If you are using a DIY distro like Arch Linux or Debian, you’ll be able to run everything at the right link in the chain. I know Ubuntu’s and Linux Mint’s graphical installers allow you to execute some manual steps at select points, but I can’t speak for most distributions. Just be sure to know your distro and what it allows mid-installation.
Finally, this walkthrough will only show you how to encrypt the home directory for one unprivileged user account. I chose this because it is consistent with what I advocated in my file-level encryption pitch. It shouldn’t take much to adapt the process to encrypting another directory, but just be aware of the objective here.
One note about my notation: Any blue italic portion of a command indicates that the selected text is not literal, and that you should instead supply the appropriate text for your situation.
With that out of the way, let’s get to it.
Once you have your drive partitioned and your ext4 filesystems created, you will need to enable ext4’s native encryption. Before doing so, though, double-check that your filesystem’s block size is set correctly with the following commands.
If the outputs match each other, everything is fine. Next, simply execute the command below to actually activate the encryption.
From this point, finish installing the base system as normal to create a bootable system, but with no window manager or desktop environment, and only a root account (i.e. no unprivileged user accounts).
When that’s finished, boot into your system and install fscrypt. This should be the easiest step, as it’s just installing it from your package manager. You should be able to find it in your distribution’s default repository, but if not, you can build it from source. Mercifully, I have not had to do so.
Now we start setting fscrypt up. Run the command below to get started.
This creates the /etc/fscrypt.conf configuration file and the /.fscrypt directory.
If your filesystem is not mounted at root, like if you have /home on its own partition, you also need to run this.
This creates a .fscrypt directory at that mount point.
Next, you will need to configure PAM to handle the fscrypt module, so your login password will automatically decrypt your encrypted filesystem. PAM files are finicky, so be very careful to follow these steps exactly. You need to add the right lines to the right files, and in the right order.
In the /etc/pam.d/system-login file, add the following to the end of the “auth” section.
In the same file, at the end of the “session” section, add this line.
Then, in the /etc/pam.d/passwd file, add the following to the end of the file.
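Because placement in these files matters, a read-only check is worth running before you log out of root. The script below is an added example, not part of the original walkthrough or of fscrypt itself: it confirms that the last "auth" and "session" entries of system-login and the last "password" entry of passwd load pam_fscrypt.so, the PAM module that fscrypt ships. The sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read-only check of where pam_fscrypt.so sits in PAM files.

# last_entry_is_fscrypt FILE TYPE
# Succeeds only if the last uncommented TYPE line in FILE loads pam_fscrypt.so,
# i.e. the module sits at the end of that section, as the steps above require.
last_entry_is_fscrypt() {
    awk -v t="$2" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        $1 == t || $1 == ("-" t) { last = $0 }    # remember the newest TYPE line
        END { if (last ~ /pam_fscrypt\.so/) exit 0; exit 1 }
    ' "$1"
}

# check_fscrypt_pam [DIR]: DIR defaults to /etc/pam.d. Prints one line per
# check and returns non-zero if any of the three placements is wrong.
check_fscrypt_pam() {
    dir=${1:-/etc/pam.d} rc=0
    for spec in system-login:auth system-login:session passwd:password; do
        file=$dir/${spec%%:*} type=${spec##*:}
        if [ -r "$file" ] && last_entry_is_fscrypt "$file" "$type"; then
            echo "ok    $file ($type)"
        else
            echo "FAIL  $file ($type): pam_fscrypt.so is not the last $type entry"
            rc=1
        fi
    done
    return $rc
}

# write_sample DIR: constructed sample files (not copied from a real system).
write_sample() {
    mkdir -p "$1"
    cat > "$1/system-login" <<'EOF'
auth      include   system-auth
auth      optional  pam_fscrypt.so
account   include   system-auth
password  include   system-auth
session   include   system-auth
session   optional  pam_fscrypt.so
EOF
    cat > "$1/passwd" <<'EOF'
password  include   system-auth
password  optional  pam_fscrypt.so
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && write_sample "$tmp" && check_fscrypt_pam "$tmp"; rm -rf "$tmp"
```

Run check_fscrypt_pam with no argument to check the live files in /etc/pam.d.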
With all the real prep work out of the way, you can finally create your target user account and encrypt its home directory (i.e., the directory in the /home directory named after, and belonging to, your user account).
Navigate to the /home directory and create an empty directory for the target user.
This needs to match the name you are going to give your user account. Speaking of which, use the command below to create that user whose directory you just made.
Your user account isn’t ready yet, though. You’ll need to set this user’s password, since it’s blank by default and fscrypt will prompt you for it to finalize the link between the login password and decryption password.
You’ll also need to give your new user account ownership of its directory, since it currently belongs to the root account that created it.
While you’re here, you might as well check that no files or directories were placed in the new user’s directory — fscrypt’s way needs to be clear.
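The preconditions from the last few steps can be checked in one pass before encrypting. This is an added example, not code from the original article or from fscrypt: the function name home_ready and the user name alice are hypothetical, and it only reads the filesystem. It verifies that the mount point carries the .fscrypt directory created during setup, that the home directory is owned by the new user, and that it is empty, dotfiles included.

```shell
#!/bin/sh
# Added example: read-only checks to run before "fscrypt encrypt".

# home_ready DIR USER MOUNTPOINT
# Prints each problem found and returns non-zero if DIR is not ready.
home_ready() {
    dir=$1 user=$2 mnt=$3 rc=0

    # fscrypt's setup step leaves a .fscrypt directory at the mount point.
    [ -d "$mnt/.fscrypt" ] || { echo "no $mnt/.fscrypt: fscrypt setup not done"; rc=1; }

    if [ ! -d "$dir" ]; then
        echo "$dir does not exist or is not a directory"
        return 1
    fi

    # root created the directory, so ownership must have been handed over.
    owner=$(stat -c %U "$dir")
    [ "$owner" = "$user" ] || { echo "$dir is owned by $owner, expected $user"; rc=1; }

    # ls -A lists dotfiles too, so skeleton files such as .bashrc are caught.
    leftovers=$(ls -A "$dir")
    if [ -n "$leftovers" ]; then
        echo "$dir is not empty:"
        echo "$leftovers" | sed 's/^/  /'
        rc=1
    fi

    return $rc
}

# Usage as a script (hypothetical names): sh home_ready.sh /home/alice alice /home
if [ $# -eq 3 ]; then
    home_ready "$@"
fi
```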
You can now actually encrypt your user’s directory, which you do with this command.
This will initiate a configuration dialog. At the prompt about protector type, select the option for using the login password. When the prompts conclude, check the status of your encrypted directory, to ensure that PAM is properly hooked up, by running the command below.
If the “Unlocked” status reads “Yes” then you’re all clear. If not, something went wrong.
With all of that out of the way, you should be able to log out of the root account and into your new user with no problems. On your next boot, you won’t get a decryption prompt before your account login, because the encryption is not applied at the partition level but at the file level. Your user login will look and feel no different than if your files were not encrypted. But they are.
Congratulations! You are now enjoying a high-performing computing experience with seamless modern encryption protection.