I want to have an encrypted home directory in Ubuntu MATE 20.04

When I installed Ubuntu MATE 20.04 onto a new machine recently, I was surprised that the installer didn’t offer to encrypt my home directory. I did a search and found out that the option was removed from Ubuntu installers in 18.04 because it uses ecryptfs and that is “buggy,” “under-maintained,” and “better alternatives exist”—but apparently, not ones good enough to be in the installer, $@%$# (I’m a bit frustrated right now).

So, I want to have an encrypted home directory in Ubuntu MATE 20.04. What do I do? Should I use LUKS? fscrypt? Do I need my home directory to be on its own partition? How can I ensure the home directory is automatically decrypted when I log in? etc. (time was that this was all taken care of for me… (sob))

  1. You can install Ubuntu MATE and choose manual partitioning. You will have the opportunity to create a separate /home partition and to choose to encrypt it (with LUKS). But LUKS will ask you for a password to decrypt it at boot time.

  2. Or you can choose to encrypt the whole system during installation (with LUKS too). You will have to enter a password at boot time too.

The difference is that #1 needs manual partitioning and encrypts only your /home, while #2 can be partitioned automatically via the Ubuntu installer and encrypts the whole system (except /boot).

To add to @Fall66's good comment above 👆, I'd like to share with you a discussion I had with another fellow user (@Tim) about eCryptFS:

There I explained why full-disk encryption can often be better than plain home directory encryption. In short, some applications "leak" data into unencrypted temporary storage areas, be it swap space or the /tmp directory, so the encryption may be useless for some files if you don't know what you're doing. (In other words, Ubuntu used to ship eCryptFS home directory encryption with flaws out-of-the-box.)

Furthermore, since I made that comment I have successfully conducted plain-text attacks against the entire encrypted home directory using nothing more than a 16 KB ODF document stored in the /tmp folder. In other words, I totally circumvented the very encryption that we all thought protected us. So yes, eCryptFS available via the installer was very nice to have, but it really was a false sense of security anyway, at least to a certain extent.

Just thought I'd let you know about that.
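
An added example (not part of the thread or any poster's code) of a check for the leak paths described in the post above: it reads /proc/swaps and /proc/mounts and reports swap areas and a /tmp that are not backed by dm-crypt. It assumes cryptsetup-created mappings, recognised by the `CRYPT-` device-mapper UUID prefix; the function names and sample data are constructed for illustration.

```python
#!/usr/bin/env python3
# Added example: report swap areas and a /tmp that sit outside dm-crypt (LUKS).
import os

# Constructed sample: encrypted home only, plain root and plain swap partition.
SAMPLE_SWAPS = "Filename Type Size Used Priority\n/dev/sda5 partition 2097148 0 -2\n"
SAMPLE_MOUNTS = ("/dev/sda2 / ext4 rw 0 0\n"
                 "/home/user/.Private /home/user ecryptfs rw 0 0\n")

def on_dm_crypt(dev, sysfs="/sys/class/block"):
    """True if dev, or a device below it (e.g. LVM on LUKS), is a dm-crypt mapping."""
    node = os.path.join(sysfs, os.path.basename(os.path.realpath(dev)))
    try:
        with open(os.path.join(node, "dm", "uuid")) as f:
            if f.read().startswith("CRYPT-"):  # UUID prefix set by cryptsetup
                return True
    except OSError:
        pass  # not a device-mapper node
    try:
        return any(on_dm_crypt(p, sysfs) for p in os.listdir(os.path.join(node, "slaves")))
    except OSError:
        return False

def backing(path, mounts):
    """(source, fstype) of the mount holding path: longest mount point, last entry wins."""
    best = ("", "?", "?")
    for f in (line.split() for line in mounts.splitlines()):
        mp = f[1].rstrip("/") + "/" if len(f) >= 3 else None
        if mp and (path.rstrip("/") + "/").startswith(mp) and len(mp) >= len(best[0]):
            best = (mp, f[0], f[2])
    return best[1:]

def audit(swaps, mounts, encrypted=on_dm_crypt):
    findings = []
    for f in (line.split() for line in swaps.splitlines()[1:]):
        if len(f) < 2:
            continue
        # A swap file is only as protected as the filesystem that holds it.
        dev = f[0] if f[1] == "partition" else backing(f[0], mounts)[0]
        if not encrypted(dev):
            findings.append(f"swap {f[0]} is on unencrypted {dev}")
    src, fstype = backing("/tmp", mounts)
    # tmpfs lives in RAM and can only reach disk through swap, checked above.
    if fstype != "tmpfs" and not encrypted(src):
        findings.append(f"/tmp is on unencrypted {src} ({fstype})")
    return findings

if __name__ == "__main__":
    with open("/proc/swaps") as s, open("/proc/mounts") as m:
        print("\n".join(audit(s.read(), m.read())) or "swap and /tmp are on dm-crypt")
```

On a layout like the constructed sample (encrypted home, plain root and swap) both findings are reported; on LVM-on-LUKS full-disk encryption the list is empty.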

(edit: this is in response to @Fall66’s comment)
Huh, so, the option to encrypt via LUKS is in the installer? I don’t think I ever saw it, even when I chose manual partitioning. Did I miss something?

Hi @TinaRussell,

The encryption option for 20.04 is hidden in 'advanced features'.
