Linux Security

Encrypt home directory (eCryptfs/fscrypt)

Practical Linux guide: encrypt home directory (eCryptfs/fscrypt) without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

Warning

Back up important data before repartitioning, encrypting disks, or restoring backups. Wrong commands can destroy partitions or overwrite live files.

What you will achieve

Encrypt user home directories with eCryptfs (legacy Ubuntu option) or ext4/f2fs fscrypt — protecting data if a laptop is stolen without full-disk LUKS.

1) fscrypt on ext4 (modern approach)

sudo apt install fscrypt
sudo fscrypt setup
sudo fscrypt encrypt /home/username --user=username

Requires kernel fscrypt support; the directory is unlocked with a passphrase at login, and on some distros this integrates with systemd-homed. Note that fscrypt encrypt only works on an empty directory, so an existing home must be moved aside first and its contents copied back after the policy is set.

2) eCryptfs (older Ubuntu)

sudo apt install ecryptfs-utils
sudo ecryptfs-migrate-home -u username

The user must be logged out during migration. Back up first — migration touches every file in /home.

3) Trade-offs vs LUKS

  • Home-only encryption leaves swap and /tmp unencrypted unless configured separately.
  • Full-disk LUKS protects everything at rest but unlocks all data with one passphrase at boot.

4) Verify

fscrypt status /home/username
mount | grep ecryptfs

5) PAM integration for eCryptfs

Ubuntu's /etc/pam.d/common-auth hooks the eCryptfs passphrase unwrap on login. Breaking the PAM config locks users out of their encrypted homes — test with a secondary account first.

6) Swap and hibernate leak

Encrypt swap or disable hibernate when using home-only encryption — swap can contain decrypted file contents from memory.

sudo swapoff -a
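The checks from sections 3, 4 and 6 (plaintext swap, /tmp on disk, which homes are actually eCryptfs-mounted) can be scripted against /proc/swaps and /proc/mounts. The script below is an added example, not part of the original guide; it runs here on constructed sample input, and it assumes that a swap device under /dev/mapper/ is a dm-crypt mapping (on LVM-only systems that assumption needs checking by hand).

```sh
#!/bin/sh
# Audit a home-only encryption setup for plaintext leaks around the home.
# Inputs are files in /proc/swaps and /proc/mounts format.

# Active swap devices that are NOT under /dev/mapper/ (assumed: dm-crypt
# mappings live there, so anything else is plaintext swap). Skips the header.
plain_swap() {
    awk 'NR > 1 && $1 !~ "^/dev/mapper/" { print $1 }' "$1"
}

# "yes" if /tmp is a tmpfs mount (never hits disk), "no" otherwise.
tmp_is_tmpfs() {
    awk '$2 == "/tmp" && $3 == "tmpfs" { found = 1 }
         END { print (found ? "yes" : "no") }' "$1"
}

# Mount points currently backed by eCryptfs (what "mount | grep ecryptfs" shows).
ecryptfs_mounts() {
    awk '$3 == "ecryptfs" { print $2 }' "$1"
}

# Human-readable report over a swaps file and a mounts file.
audit() {
    printf 'Plaintext swap devices:\n%s\n' "$(plain_swap "$1")"
    printf '/tmp is tmpfs: %s\n' "$(tmp_is_tmpfs "$2")"
    printf 'eCryptfs-mounted homes:\n%s\n' "$(ecryptfs_mounts "$2")"
}

# Constructed sample input (not from a real machine): one plaintext swap
# partition, one dm-crypt swap, one eCryptfs home, /tmp on tmpfs.
SAMPLE_SWAPS=$(mktemp)
cat > "$SAMPLE_SWAPS" <<'EOF'
Filename                Type        Size      Used  Priority
/dev/sda3               partition   8388604   0     -2
/dev/mapper/cryptswap1  partition   4194300   0     -3
EOF

SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda4 /home ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF

audit "$SAMPLE_SWAPS" "$SAMPLE_MOUNTS"
```

On a live system run `audit /proc/swaps /proc/mounts` instead; any device listed under "Plaintext swap devices" is where decrypted file contents can land, which is exactly the leak `swapoff -a` above closes.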

7) Backup encrypted homes

Backups must capture the wrapped passphrase files in /home/.ecryptfs/ or the fscrypt policy metadata — a raw rsync of the ciphertext without that metadata is useless.

When to choose full-disk LUKS instead

Single-user laptops where everything is sensitive (email, keys, documents) benefit from LUKS at install time. Home encryption suits shared servers where only some users need privacy.

8) Performance impact

eCryptfs adds per-file overhead; fscrypt is generally faster on ext4. Benchmark with dd and real application workloads before encrypting busy developer homes.

Prerequisites

A logged-out user for migration, a full /home backup, and enough free space for the eCryptfs copy (~2x home size during migration). Kernel fscrypt support for the fscrypt path. PAM knowledge for eCryptfs.

Login unlock order

The encrypted home mounts only after user authentication — services running as that user before login may fail; point daemons at system-wide paths instead of ~/config.

Logout required for eCryptfs

You cannot encrypt the home of an active session — schedule maintenance, notify the user, and verify that no cron jobs are running as that user during migration.

Multi-user server caution

Home encryption on a shared shell server complicates users' cron and at jobs — use system accounts with homes outside the encrypted tree for automation. Escrow backup keys for corporate laptops per policy.
