
Encrypting home on a system already in use

nielsk

Member

Thanks: 5
Messages: 20

#1
I set up my FreeBSD-desktop nearly a year ago but with unencrypted disks (please don't ask…).
Now I need to encrypt at least the home directory of my user. What would be the best way to do that without reinstalling my system?
I have two disks in one zpool-mirror taking up the whole disk.
Is the only way to create a file that is a geli-container, mount that into a home-directory, then rsync my current home-directory and then rename the two (old one to something like /home/user.old; new one to /home/user)? Or is there a better way?
How would I mount it at boot time, or better after the user logs in (btw. I am using gdm)?
 

sko

Well-Known Member

Thanks: 158
Messages: 350

#2
I'm using PEFS for encrypted home directories on my laptop. It works at file-level, so it can be retrofitted on any filesystem and on already installed systems and also won't interfere with classical (file level) backup solutions as there is no hidden metadata. This way home directories can be backed up without encrypting them first.
A PAM module is also available, so it can be easily hooked into PAM decryption at login.
 