Encrypt your home directory in Kali Linux

Full disk encryption requires you to enter a password on boot, and isn’t the smoothest experience. It is the best approach from a security point of view, but I’m a believer in practical compromises. With Linux, for me that means transparent home folder encryption.

First of all, make a copy of your home directory, so that this doesn’t become a fancy way of wiping your computer. Make sure you are not logged in as the user whose directory is being encrypted, otherwise you will get a failure saying that ecryptfs cannot proceed.

Once this is done, you should generate a key for recovery by running ecryptfs-unwrap-passphrase as the encrypted user.

For complete protection, if you can live without hibernate/resume capabilities, you can encrypt your swap space (you’ll still keep suspend/resume) by running ecryptfs-setup-swap.
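
Added example (not from the original post): a pre-flight check for the steps above that refuses to continue when there is no backup outside the home directory or when the target user is still logged in. It assumes the migration itself is done with ecryptfs-migrate-home from ecryptfs-utils, which the post does not name; the function names and arguments are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before migrating a home directory to eCryptfs.
# Usage, from an account other than USER: sh preflight.sh USER BACKUP_DIR

# 0 if BACKUP is a non-empty directory that lies outside HOME.
backup_ok() {
    home=$1 backup=$2
    [ -d "$backup" ] || return 1
    # Resolve symlinks so a backup stored inside the home cannot slip through.
    home_real=$(cd "$home" && pwd -P) || return 1
    backup_real=$(cd "$backup" && pwd -P) || return 1
    case "$backup_real/" in
        "$home_real"/*) return 1 ;;  # a copy inside the home is no backup
    esac
    [ -n "$(ls -A "$backup_real")" ]
}

# 0 if USER still owns running processes (the migration refuses to proceed).
user_has_processes() {
    [ -n "$(ps -o pid= -u "$1" 2>/dev/null)" ]
}

preflight() {
    user=$1 backup=$2
    home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    [ -n "$home" ] || { echo "unknown user: $user" >&2; return 2; }
    if [ "$(id -un)" = "$user" ] || user_has_processes "$user"; then
        echo "$user is still logged in; log out and use another account" >&2
        return 3
    fi
    backup_ok "$home" "$backup" || { echo "no usable backup at $backup" >&2; return 4; }
    echo "Checks passed. Next steps:"
    echo "  sudo ecryptfs-migrate-home -u $user  # assumed tool, not named in the post"
    echo "  ecryptfs-unwrap-passphrase           # as $user; store the output offline"
    echo "  sudo ecryptfs-setup-swap             # optional; disables hibernate"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```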

Note: While you can set this up for the root user, do not do this, and make sure you only update software from the account that has had its files encrypted. Otherwise, when updates need to make changes to your .config directory, they won’t be able to, and you may be left with an unusable account. I learnt this the hard way. For safety, I also recommend adding the following to your root’s .bashrc:

From this point, you should really only use apt when your encrypted user is logged in.
