Encrypting your home directory in Fedora 38

Even though most Linux distributions have adopted LUKS and full-disk encryption, I still like (and need) to encrypt home directories separately, for a number of reasons:

  • LUKS still doesn’t allow you to pick which users can decrypt the drive (as macOS can; at least I am not aware of a working way to do it, and I wish I could, because it makes it a hassle to share the laptop with family).
  • It’s an all-or-nothing proposition (if you know the LUKS password and can sudo, you can read everything on the disk).
  • I often work inside LXC containers (which live inside a subtree of the host filesystem) or cloud VMs (where managing disk encryption is a hassle for the sake of protecting a single user workspace).
  • With appropriate care, I can transplant and backup encrypted home dirs without messing with the rest of the filesystem or partitioning.

Long story short, I needed to do it on another Fedora 38 install, tried to do it as I once did, and stumbled across the transition from authconfig (used to enable PAM access and automatic ecryptfs mounting) to authselect, as well as a lack of updated guides.

After some research, I boiled down the required steps to:

# These commands should be entered in a root shell, with your username ("me" in this case) logged off.
# authconfig --enableecryptfs --enablepamaccess --updateall is replaced by:
authselect select minimal with-ecryptfs with-pamaccess
usermod -aG ecryptfs me
# This script will execute a fairly lengthy rsync into the mounted ecryptfs,
# and requires (and checks for) a largeish amount of free space.
# Also, be prepared for it to fail if you have weird files in your home directory (pipes, etc.)
ecryptfs-migrate-home -u me
# Now become your target user
su - me
# Write this down, you will need it if you want to mount home manually
# (as you might want to do in a shared cloud workspace)
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
# This inserts the passphrase into the system keyring (which PAM can unlock)
ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase
# If for some reason you need to change the passphrase, start here:
# ecryptfs-rewrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase

Now if you log in via ssh, PAM will automatically unlock and mount ecryptfs for you (as it will if you physically log in at the console).

Logging In Via Remote Desktop

An important caveat is that (at least with the default configuration) xorgxrdp will not automount your encrypted home.

To do that, you need to change the PAM configuration for xrdp-sesman, and the simplest way I’ve found to do it is to copy the sshd configuration:

sudo mv /etc/pam.d/xrdp-sesman /etc/pam.d/xrdp-sesman.orig
sudo cp /etc/pam.d/sshd /etc/pam.d/xrdp-sesman

Another option (which may be valid for your use case, especially if you want to supply the ecryptfs passphrase manually) is to ssh in first and run ecryptfs-mount-private yourself (and, of course, ecryptfs-umount-private when you’re done working).
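Since both the authselect step above and the xrdp-sesman fix hinge on pam_ecryptfs.so actually being reachable from the service's PAM stack, here is a small check script I'd run afterwards. It is an added example, not part of the original post or of any project's code; it follows include/substack directives (on Fedora, /etc/pam.d/sshd itself only substacks password-auth, so a plain grep of the sshd file would miss the lines authselect added), and the file layouts it expects are assumptions based on the pam.d format, not copied from a specific system.

```shell
#!/bin/sh
# Added example (not from the original post): verify that pam_ecryptfs.so is
# wired into a PAM service for a given phase, following "include"/"substack"
# lines, and that a user's home is really an ecryptfs mount. Assumed pam.d
# layout; the sample files used to exercise it are constructed, not real.

# pam_has_ecryptfs PAMDIR SERVICE PHASE [DEPTH]
# Returns 0 if pam_ecryptfs.so is listed for PHASE (auth|session|...) in
# PAMDIR/SERVICE or in any file it includes or substacks (max depth 5).
pam_has_ecryptfs() {
    [ "${4:-0}" -lt 5 ] && [ -r "$1/$2" ] || return 1
    while read -r _type _ctl _mod _rest; do
        case "$_type" in ''|'#'*) continue ;; esac     # blank line or comment
        _type=${_type#-}                               # "-auth" counts as "auth"
        [ "$_type" = "$3" ] || continue
        case "$_ctl" in
            '['*']') ;;                                # e.g. [default=bad]: one word
            '['*)                                      # e.g. [success=1 default=ignore]
                _rest="$_mod $_rest"
                _mod=${_rest#*]}
                _mod=${_mod#"${_mod%%[![:space:]]*}"}  # trim leading whitespace
                _mod=${_mod%% *} ;;
        esac
        [ "$_mod" = "pam_ecryptfs.so" ] && return 0
        case "$_ctl" in
            include|substack)
                pam_has_ecryptfs "$1" "$_mod" "$3" $(( ${4:-0} + 1 )) && return 0 ;;
        esac
    done < "$1/$2"
    return 1
}

# home_is_ecryptfs MOUNTS USER
# Returns 0 if /home/USER appears in a /proc/mounts-style file with type ecryptfs.
home_is_ecryptfs() {
    while read -r _src _mnt _fs _; do
        [ "$_mnt" = "/home/$2" ] && [ "$_fs" = "ecryptfs" ] && return 0
    done < "$1"
    return 1
}

if [ "$#" -gt 0 ]; then        # ./check-ecryptfs-pam.sh SERVICE [USER], e.g. xrdp-sesman
    for _p in auth session; do
        pam_has_ecryptfs /etc/pam.d "$1" "$_p" && echo "$1: pam_ecryptfs.so ok in $_p" \
                                                || echo "$1: pam_ecryptfs.so MISSING in $_p"
    done
    home_is_ecryptfs /proc/mounts "${2:-$USER}" && echo "/home/${2:-$USER}: ecryptfs mount" \
                                                 || echo "/home/${2:-$USER}: NOT an ecryptfs mount"
fi
```

Running it against xrdp-sesman before and after copying the sshd file shows whether the auth and session phases both pick up pam_ecryptfs.so, which is what the automount depends on.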