Encrypting a new user's home directory.
I use Fedora and Debian. Slowly moving to Debian.
A friend wanted to borrow a spare laptop and I wanted him to be happy about the security of the data in his new home directory.
Since I can become root, I could spy on his work. He is a playwright and obviously doesn't want any spoilers being spilled.
Turns out that this is relatively trivial, especially for a new user where the $HOME is essentially empty.
The steps are the same on Fedora and Debian except for swapping dnf/apt commands.
First become root, then:
useradd <username>
apt install -y ecryptfs-utils cryptsetup # On Fedora: dnf install -y ecryptfs-utils cryptsetup
passwd <username> # This is both the login password and the encryption password
ecryptfs-migrate-home -u <username>
usermod -a -G ecryptfs <username> # Add the new user to the ecryptfs group. I didn't have to do this on Debian
ecryptfs-unwrap-passphrase /home/<username>/.ecryptfs/wrapped-passphrase # Use the new user's new password when prompted and save the output.
rm -rf /home/<username>.XXXXXXX # Delete the backup file created by ecryptfs. It's empty since you just created the new user.
Tell the new user to change their password on first login.
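The same steps as one script with the guards I would want before handing the laptop over. This is an added example, not the post's own commands; it assumes it runs as root on a box with apt or dnf, takes the username as its first argument, and that verify_home is run after the user's first login, once pam_ecryptfs has mounted the home.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions: run as root,
# username in $1, apt or dnf present, ecryptfs-utils provides the tools.
set -eu

# Install the tools with whichever package manager this distro has.
install_ecryptfs() {
    if command -v apt >/dev/null 2>&1; then apt install -y ecryptfs-utils cryptsetup
    elif command -v dnf >/dev/null 2>&1; then dnf install -y ecryptfs-utils cryptsetup
    else echo "neither apt nor dnf found" >&2; return 1
    fi
}

# Succeed only if the mount table text in $2 (format of /proc/mounts: device,
# mount point, fstype, ...) shows $1 mounted with filesystem type ecryptfs.
# Pure text check, so it can be tested without root.
home_is_ecryptfs() {
    printf '%s\n' "$2" |
        awk -v h="$1" '$2 == h && $3 == "ecryptfs" { ok = 1 } END { exit !ok }'
}

# Run after the user's first login (pam_ecryptfs mounts the home then).
verify_home() {
    home_is_ecryptfs "/home/$1" "$(cat /proc/mounts)"
}

# The post's steps, with guards: refuse to migrate a home that already holds
# files, since this recipe is only for a freshly created, empty account.
encrypt_new_home() {
    user="$1"; home="/home/$user"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    install_ecryptfs
    id "$user" >/dev/null 2>&1 || useradd -m "$user"   # -m: create the home dir
    if [ -n "$(find "$home" -mindepth 1 ! -path '*/.*' -print -quit)" ]; then
        echo "$home already contains files; not migrating" >&2; return 1
    fi
    passwd "$user"                 # login password; also wraps the mount passphrase
    ecryptfs-migrate-home -u "$user"
    getent group ecryptfs >/dev/null && usermod -a -G ecryptfs "$user"
    # The unwrapped passphrase is the recovery key: whoever keeps it can mount
    # the home regardless of later password changes, so store it offline.
    ecryptfs-unwrap-passphrase "$home/.ecryptfs/wrapped-passphrase"
    echo "old home backed up under /home/$user.*; delete it once confirmed empty"
}
```

Run as `encrypt_new_home <username>` before the hand-over, then `verify_home <username>` after the first login to confirm /home/<username> really is an ecryptfs mount and not the plain directory underneath.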
Clearly, since I now have the recovery code, I could still spy on his work, ho hum.
In his honour I wrote a short screenplay about it. :)
Last changed: 18. February, 2024 at 10:50