Once the migration script has finished, we're going to follow the advice it
gave us very closely.
6. Log out now and log back in as the pi user. You'll notice that the time it
takes to log in has increased dramatically because of the automatic ecryptfs
mounting that's going on in the background.
7. Once you're logged in, type ls to verify that your home directory looks
roughly intact. Then type mount to verify that an ecryptfs file system is
really mounted over /home/pi, like in the following screenshot:
Encrypted file system mounted on top of home directory
8. If everything seems fine, you should now delete the unencrypted backup
copy of your home directory that the migration script made previously.
The name of this directory was randomly generated and is called
/home/pi.[XXXXXXXX]. Type ls /home to find the name of yours, then issue the
following command:
pi@raspberrypi ~ $ sudo rm -rf /home/pi.[XXXXXXXX]
9. (Optional) Type the following command to reveal your recovery
mount password:
pi@raspberrypi ~ $ ecryptfs-unwrap-passphrase
This randomly generated passphrase can be used to recover your data
from another computer.
10. Finally, we're going to encrypt the swap file on our system. A swap file/
partition is a reserved area on the SD card that can be used by the kernel
to move data in and out of memory. On Raspbian, this 100Mb file is called
/var/swap and is very rarely used. But just to make absolutely sure our
encrypted home directory data doesn't leak into the swap file, we can run the
following command:
pi@raspberrypi ~ $ sudo ecryptfs-setup-swap
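The checks from steps 7, 8 and 10 can also be scripted. The following is an added example, not part of the original text: the function names are hypothetical, the sample mount and swap tables are constructed, and it assumes that encrypted swap shows up in /proc/swaps as a device-mapper device.

```shell
#!/bin/sh
# Added example: post-migration checks for steps 7, 8 and 10.
# File and directory paths are parameters, so the checks can also be run
# against saved copies of /proc/mounts and /proc/swaps.

# Step 7: succeed if an ecryptfs file system is mounted on mount point $1.
# /proc/mounts fields: device mountpoint fstype options dump pass
ecryptfs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { ok = 1 } END { exit !ok }' \
        "${2:-/proc/mounts}"
}

# Step 8: print leftover unencrypted backup directories (/home/USER.XXXXXXXX).
leftover_backups() {
    for d in "${2:-/home}/$1".*; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Step 10: print active swap areas that are not device-mapper devices.
# Assumption: encrypted swap appears as /dev/mapper/* or /dev/dm-*.
plaintext_swap() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print $1 }' \
        "${1:-/proc/swaps}"
}

# Demo on constructed sample data (not captured from a real system).
demo=$(mktemp -d)
mkdir -p "$demo/home/pi" "$demo/home/pi.Ab3dEf9h"
cat > "$demo/mounts" <<'EOF'
/dev/root / ext4 rw,noatime 0 0
/home/pi/.Private /home/pi ecryptfs rw,relatime,ecryptfs_cipher=aes 0 0
EOF
cat > "$demo/swaps" <<'EOF'
Filename Type Size Used Priority
/var/swap file 102396 0 -1
EOF

if ecryptfs_mounted /home/pi "$demo/mounts"; then
    echo "home: ecryptfs mounted"
else
    echo "home: NOT encrypted"
fi
echo "leftover backups: $(leftover_backups pi "$demo/home")"
echo "plaintext swap:   $(plaintext_swap "$demo/swaps")"
rm -rf "$demo"
```

Called without the optional file arguments, the functions read the live /proc/mounts, /home and /proc/swaps; any path printed by leftover_backups or plaintext_swap is data that is still stored unencrypted.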
Rigging the self-destruct mechanism
Even though your home directory is much more secure now that it's encrypted, there
are still situations where one might want to abort mission and pull the plug on the
important data. For instance, if you're continuously recording inside a tmux
session, your data remains mounted and unencrypted until the pi user logs out.