In Chapter 2, Securing User Accounts, I showed you how Ubuntu allows you to encrypt a user's home directory as you create his or her user account. To review, let's go through the steps for creating Goldie's account:
- If it hasn't already been done, install the ecryptfs-utils package:
sudo apt install ecryptfs-utils
- On an Ubuntu VM, create Goldie's account with an encrypted directory:
sudo adduser --encrypt-home goldie
- Have Goldie log in. Have her unwrap her mount passphrase, write it down, and store it in a secure place. She'll need it if she ever needs to recover a corrupted directory:
ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase
When you use adduser --encrypt-home, home directories for new users will automatically be set to a restrictive permissions value that will keep everyone out except for the owner of the directory. This happens even when you leave the adduser.conf file set with its default settings.
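To confirm that claim on a given machine, the following added example (not from the original text) lists any home directory that grants permissions to group or others. The function names `audit_homes` and `demo` are hypothetical, the sample directories are constructed, and GNU `stat` (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: report home directories that anyone other than the
# owner can access. Assumes GNU stat, as shipped on Ubuntu.

# Print "<octal mode> <path>" for every directory directly under $1
# whose mode grants any permission to group or others.
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        dir=${dir%/}
        # Skip symlinks (their own mode is meaningless) and non-directories,
        # including the unexpanded pattern when nothing matches.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            continue
        fi
        mode=$(stat -c '%a' "$dir")
        # Treat the mode as octal and mask the group/other bits (077).
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# Run the audit against a constructed directory tree so the result is
# predictable without touching the real /home.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/goldie" "$tmp/frank"
    chmod 700 "$tmp/goldie"   # constructed: owner-only, should pass
    chmod 755 "$tmp/frank"    # constructed: group/other can enter, reported
    audit_homes "$tmp"
    rm -rf "$tmp"
}

# Usage: script.sh --demo   or   script.sh /home
if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    audit_homes "$1"
fi
```

Run it with `/home` as the argument; no output means every home directory is closed to everyone but its owner.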