How to Encrypt Raspberry Pi home folder
With the advent of the dazzling Pixel desktop on the Pi, with its glitzy icons and crisp windows, some readers may be considering using a Pi as their home computer.
This, however, is not especially secure given that the Pi automatically logs in the default user without requiring a password. Even if the password is required, anyone can mount the SD card to view your documents, pictures, videos and other data.
Note: This tutorial is compatible with all W models of Pi running Raspbian Jessie
Encrypt Raspberry Pi home folder
1. Back up your data
If you have not done so already, log onto your Pi and transfer the contents of your Desktop, Documents, Pictures etc. onto an external medium like a USB stick. This will make transferring your data to your encrypted home folder much easier. Use Ctrl+H to show hidden folders if you want to back up your application settings such as your browser bookmarks.
2. Enable login screen
If you have not already done so, open Terminal on your Pi or connect via SSH and run the command:
sudo nano /etc/lightdm/lightdm.conf
to open your login options. Scroll down to the line autologin-user=pi and put a hash (#) at the start to comment it out. Press Ctrl+X, then Y, and then Return to save and exit. Remember the default password is ‘raspberry’.
3. Reboot Pi and log in
Reboot the Raspberry Pi and log in via the login screen. The username pi should already be selected and the password should be ‘raspberry’. Moving forward we recommend that you work on the Pi’s desktop directly as you will need to switch between users, which is difficult over SSH. If you do not have a monitor for your Pi, try connecting via VNC as the ‘pi’ user.
4. Install eCryptfs and related files
Open Terminal on the Pi and run the command:
sudo apt-get install ecryptfs-utils lsof cryptsetup
You will need to press Y to confirm that you do indeed want to install the software. This will allow you to encrypt the home directory and access it each time you log in.
5. Create new user
If you are serious about wanting to use the Pi, you most probably will want an account in your own name in any case. Use the command:
sudo adduser (username)
e.g. sudo adduser bob, to create your account. Type your password twice, then press Return to accept default values for the other options such as location.
6. Encrypt new user’s home directory
The eCryptfs software comes with a handy builtin utility to encrypt existing home folders. Simply run the command:
sudo ecryptfs-migrate-home -u bob
where ‘bob’ is your new username. You’ll be asked to enter a login passphrase twice. Make sure to read the Important Notes section once this is done. Do not reboot at this stage.
7. Log into new encrypted user account
Use Menu>Shutdown>Logout to log out of the Pi user. In the dropdown menu select your new username, e.g. ‘bob’, and log in. Before bringing any data into this new account, open Terminal and simply type the command mount. This will show a flurry of information; you should see a reference to ‘ecryptfs’, which shows the encryption has been successful.
8. Back up your passphrase
If you’re unable to log in because of a system problem or you want to move your data to a new computer, by default your files won’t be accessible. Fortunately there’s an eCryptfs utility that can generate your mount passphrase, which can be used to access your files from another device. Open Terminal and run the command to view the passphrase:
Once you’ve unlocked it, write it down. Store the passphrase in a safe place.
9. Migrate your data
Use Menu>Shutdown>Reboot to restart your Pi and then log back in as the new user. At this stage you should connect your external drive and begin copying your documents and data back to the right places. You’ll see that a new home folder has been created in /home, e.g. /home/bob. No other users on the Pi will be able to access the files inside your home folder.
10. Give your new user admin privileges
Log out of your new user for now and back into ‘pi’. Open Terminal and run the command:
Scroll down to the line reading root ALL=(ALL:ALL) ALL and on a new line immediately after this add:
bob ALL=(ALL:ALL) ALL
Where ‘bob’ is your new username. Press Ctrl+X, Y, then Return to save and exit. Restart the Pi again to effect your changes.
11. Remove backup home folder
When encrypting your new home directory, the eCryptfs software places a backup in the home folder in case anything goes wrong. As this was a new account, the folder is empty, but to keep things simple, open Terminal and run the following command to find out its exact name, e.g. bob.zyxxc:
ls /home
Then run the following command to remove it:
sudo rm -r -f
12. Delete data in Pi home folder
If you had personal data already in the existing ‘pi’ folder, it is still unencrypted and can be accessed by anyone who can obtain your Pi’s MicroSD card. Log onto the ‘pi’ user and use the shred command to securely delete any files you want, e.g. shred -zu bank-statement.pdf. You can use the following to erase folders but do not do this with any of the main folders in your ‘pi’ home folder, e.g. Desktop:
sudo rm -r -f directoryname
13. Disable swap space
There is a portion of the Pi’s SD card (located in /var/swap) that is used in a way similar to RAM when the Pi is low on resources. For more modern Pi models this is very rarely used and can present a security risk as your data may be written there unencrypted. Log in to your new user account, open Terminal and run:
sudo swapoff -a -v
You should see a confirmation that it has been disabled.
14. Fix permissions errors
Depending on the method you used to back up and transfer your data from your previous account, there may be permissions issues with certain files and folders (usually you will see a padlock on files you’re unable to edit). You can make sure your new account is the owner of all files within folders with the command:
sudo chmod 0750 -R foldername
For example, where ‘bob’ is your new username:
sudo chmod 0750 -R /home/bob/Pictures
15. Double check your files are safe
This step is optional. Reboot the Pi and log into the ‘pi’ user. Open Terminal and if you have not previously done so, enter the command:
sudo passwd root
to set a password for the root user. Next enter the command su to switch into root. Run:
(where ‘bob’ is your new username) and then use ls to show the contents of the directory.
There’s now only a shortcut and a ‘ReadME’ file saying your data is protected. Once you’ve done this, your Raspberry Pi should be as secure as Fort Knox!
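A scripted version of the checks in steps 2, 7 and 13, added here as an example and not part of the original tutorial. The function names and the script name audit.sh are made up for illustration; ‘bob’ is the tutorial's example user, and /proc/mounts and /proc/swaps are the standard Linux files that list mounted filesystems and active swap areas.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks the settings changed
# in steps 2, 7 and 13. File paths are arguments so saved copies can be audited.

# Step 2: true when lightdm.conf has no active autologin-user=<name> line.
autologin_disabled() {   # $1 = path to lightdm.conf
    [ -r "$1" ] || return 1
    ! grep -Eq '^[[:space:]]*autologin-user[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# Step 7: true when /home/<user> is mounted with filesystem type ecryptfs.
# Constructed sample line: /home/.ecryptfs/bob/.Private /home/bob ecryptfs rw 0 0
home_is_ecryptfs() {     # $1 = username, $2 = file in /proc/mounts format
    awk -v mp="/home/$1" '$2 == mp && $3 == "ecryptfs" { ok = 1 }
                          END { exit !ok }' "$2"
}

# Step 13: true when the swap table lists nothing after its header line.
swap_is_off() {          # $1 = file in /proc/swaps format
    awk 'NR > 1 && NF > 0 { n++ } END { exit (n > 0) }' "$1"
}

# Print PASS/FAIL for one check; $1 = label, remaining words = the check to run.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

# Run all three checks; the return status is the number of failed checks.
audit() {                # $1 = user, $2 = lightdm.conf, $3 = mounts, $4 = swaps
    fails=0
    report "autologin disabled in $2" autologin_disabled "$2" || fails=$((fails + 1))
    report "/home/$1 is an eCryptfs mount" home_is_ecryptfs "$1" "$3" || fails=$((fails + 1))
    report "no active swap in $4" swap_is_off "$4" || fails=$((fails + 1))
    return "$fails"
}

# Usage: sh audit.sh bob   (defaults below are the live system files)
if [ "$#" -gt 0 ]; then
    audit "$1" "${2:-/etc/lightdm/lightdm.conf}" "${3:-/proc/mounts}" "${4:-/proc/swaps}"
fi
```

Run it while logged in as the new user, since the eCryptfs mount only exists during that user's session. Run it again after a reboot: swapoff lasts only until the next boot, so the swap check shows whether swap has come back.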