Quick and Dirty Homedir encryption in Edgy Eft
Quick and dirty setup instructions for encrypting an existing user's home directory in Edgy Eft. Note that some steps are from memory and thus might be slightly off. Please be warned that this process may corrupt your home directory, advertise your password to the internet via a massive spamming campaign, and cause other boys in the locker room to snicker at you. Use at your own risk; you've been warned.
First, get the right tools:
apt-get install fuse-utils encfs libpam-encfs
Then create your encrypted directory. As root, from a clean boot, without logging in as the user account in question:
sudo mkdir -p /home/.enc/USER /home/.enc/tmp
sudo chown USER:USER /home/.enc/USER
sudo chmod 777 /home/.enc/tmp
encfs /home/.enc/USER /home/.enc/tmp
(use your normal USER password with the default mode)
cd /home/USER
find . -xdev | cpio -pamd /home/.enc/tmp
(that step may take a while if you have a large home directory)
fusermount -u /home/.enc/tmp
sudo mv /home/USER /home/USER.bak
(remove the .bak dir using the shred tool after you're completely sure the process worked)
sudo mkdir /home/USER
sudo chown USER:USER /home/USER
sudo rmdir /home/.enc/tmp
Now create or edit the following files as needed:
In /etc/security/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default allow_other,nonempty
- /home/.enc - - -
In /etc/pam.d/common-auth:
auth sufficient pam_encfs.so
auth required pam_unix.so nullok_secure use_first_pass
In /etc/pam.d/common-session:
session required pam_encfs.so
session required pam_unix.so
session optional pam_foreground.so
In /etc/fuse.conf:
user_allow_other
Voilà. One thing to note: before you do anything drastic like rebooting, switch to a different virtual terminal and try to log in as root again to make sure you didn't hose your PAM installation, unless you really like having to pull your drive to recover (does single user mode even work?).
Then switch over to your favorite VT7, and see if you can log in to GDM.
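An added example, not part of the original post: a read-only check of the four files edited above, meant to be run before logging out or rebooting. The function names, the ROOT prefix argument and the --run switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read-only checks of the four
# files edited above. ROOT is an assumed prefix so a staged copy can be checked.

# Print a config file without comments and blank lines.
active_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# common-auth: pam_encfs.so listed before pam_unix.so, and pam_unix.so carries
# use_first_pass so it reuses the password already collected (layout as above).
check_common_auth() {
    active_lines "$1" | awk '
        $1 != "auth" { next }
        /pam_encfs\.so/ && !unix { encfs = 1 }
        /pam_unix\.so/ { unix = 1; if (/use_first_pass/) first = 1 }
        END { exit !(encfs && unix && first) }'
}

# common-session: a session line that loads pam_encfs.so.
check_common_session() {
    active_lines "$1" | grep -Eq '^[[:space:]]*session[[:space:]].*pam_encfs\.so'
}

# pam_encfs.conf: a five-field mapping line with an absolute source path.
check_encfs_map() {
    active_lines "$1" | awk 'NF == 5 && $2 ~ /^\// { ok = 1 } END { exit !ok }'
}

# If fuse_default asks for allow_other, fuse.conf needs user_allow_other.
check_allow_other() {   # $1 = pam_encfs.conf, $2 = fuse.conf
    active_lines "$1" | grep -Eq '^[[:space:]]*fuse_default[[:space:]].*allow_other' || return 0
    active_lines "$2" | grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$'
}

# Run every check under ROOT (empty = live system); non-zero if any fails.
check_setup() {
    root=$1 rc=0
    check_common_auth "$root/etc/pam.d/common-auth" || { echo "FAIL common-auth"; rc=1; }
    check_common_session "$root/etc/pam.d/common-session" || { echo "FAIL common-session"; rc=1; }
    check_encfs_map "$root/etc/security/pam_encfs.conf" || { echo "FAIL pam_encfs.conf"; rc=1; }
    check_allow_other "$root/etc/security/pam_encfs.conf" "$root/etc/fuse.conf" || { echo "FAIL fuse.conf"; rc=1; }
    return $rc
}

# Assumed invocation: sh check.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then check_setup "${2:-}"; fi
```

A passing result only says the files match the layout shown above; the root login test on another virtual terminal is still the real check.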








Some problems
I had the following problems:
1) Wrong permission on /home/.enc/USER/.encfs5
solved with chown USER:USER /home/.enc/USER/.encfs5
2) Need to add user to fuse group
adduser USER fuse
3) On Edgy wrong (bug? https://launchpad.net/distros/ubuntu/+source/fuse/+bug/1860) permission on /dev/fuse
solved with chgrp fuse /dev/fuse
bye
Some extra notes for KDE users
If you get an error about starting dcopserver try this:
Near the top of /etc/kde3/kdm/Xsession add:
export ICEAUTHORITY=/tmp/.ICEauthority.$LOGNAME
After that KDM/KDE logins work great.