There are a number of steps to encrypting your home directory in Fedora and enabling system applications like GDM to decrypt your files on login. I'll walk through how I got this set up on my own machine.
First, make sure you have ecryptfs and related packages installed:
# yum install keyutils ecryptfs-utils pam_mount
Then you can either go the easy way:
# authconfig --enableecryptfs --updateall
# usermod -aG ecryptfs USER
# ecryptfs-migrate-home -u USER
# su - USER
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
(write this down for safe keeping)
$ ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase
[All done! Now you can log in via GDM or the console ("su - user" will not work without running ecryptfs-mount-private).]
OR the hard way, which I followed. There are some benefits to going this route: it is a much more configurable install, and it lets you select the cipher and key strength yourself.
First enable ecryptfs:
# authconfig --enableecryptfs --updateall
Move your home directory out of the way, and make a new one:
# mv /home/user /home/user.old
# mkdir -m 700 /home/user
# chown user:user /home/user
# usermod -d /home/user.old user
Make a nice random-ish passphrase for your encryption:
# < /dev/urandom tr -cd '[:graph:]' | fold -w 64 | head -n 1 > /root/ecryptfs-passphrase
Mount the new /home/user with ecryptfs:
# mount -t ecryptfs /home/user /home/user
(choose passphrase, any cipher, any strength, plain text pass through, and encrypt file names)
# mount | grep ecryptfs > /root/ecryptfs_mount_options
Add an entry to /etc/fstab (using the mount options recorded in /root/ecryptfs_mount_options above) like so:
/home/syncomm /home/syncomm ecryptfs rw,user,noauto,exec,relatime,ecryptfs_fnek_sig=113c5eeef8a05729,ecryptfs_sig=113c5e8ef7a05729,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
Wrap the passphrase with the user's login password:
# ecryptfs-wrap-passphrase /root/.ecryptfs/wrapped-passphrase
Copy over files to the new home dir:
# su - user
$ rsync -aP /home/user.old/ /home/user/
Unmount /home/user and set up the initial files for ecryptfs and pam_mount:
# umount /home/user
# usermod -d /home/user user
# mkdir /home/user/.ecryptfs
# cp /root/.ecryptfs/sig-cache.txt /home/user/.ecryptfs
# cp /root/.ecryptfs/wrapped-passphrase /home/user/.ecryptfs
# touch /home/user/.ecryptfs/auto-mount
# touch /home/user/.ecryptfs/auto-umount
# chown -R user:user /home/user/.ecryptfs
# su - user -c "ecryptfs-insert-wrapped-passphrase-into-keyring /home/user/.ecryptfs/wrapped-passphrase"
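Before logging out and relying on pam_mount to bring the home directory up, it is worth confirming that the pieces set up so far agree with each other: the two signatures in the fstab entry must be listed in ~/.ecryptfs/sig-cache.txt, the wrapped passphrase must exist and be readable only by the user, and the auto-mount marker must be present. The following script is an added example and not part of the original post or of ecryptfs-utils; check_ecryptfs_home and the sample files it builds (make_sample, using the signature values quoted in the fstab line above) are my own constructions.

```shell
#!/bin/sh
# Added example: sanity-check an ecryptfs home set up "the hard way".
# Not part of ecryptfs-utils; the function names are this script's own.
# Usage: sh check-ecryptfs-home.sh /etc/fstab /home/user/.ecryptfs

# Print the value of one ecryptfs_* option from an fstab line.
# $1 = fstab line, $2 = option name (anchored, so ecryptfs_sig does not
# match ecryptfs_fnek_sig).
fstab_opt() {
    printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# check_ecryptfs_home FSTAB_FILE DOT_ECRYPTFS_DIR
# Prints one line per problem found; returns 0 only when everything agrees.
check_ecryptfs_home() {
    fstab=$1; dotdir=$2; rc=0
    line=$(grep -E '^[^#].*[[:space:]]ecryptfs[[:space:]]' "$fstab" | head -n 1)
    if [ -z "$line" ]; then
        echo "no ecryptfs entry in $fstab"
        return 1
    fi
    sig=$(fstab_opt "$line" ecryptfs_sig)
    fnek=$(fstab_opt "$line" ecryptfs_fnek_sig)
    # The kernel refuses the mount unless both key signatures are known,
    # and ecryptfs-utils learns them from sig-cache.txt.
    for s in "$sig" "$fnek"; do
        if [ -z "$s" ]; then
            echo "fstab entry lacks ecryptfs_sig or ecryptfs_fnek_sig"; rc=1
        elif ! grep -qx "$s" "$dotdir/sig-cache.txt" 2>/dev/null; then
            echo "signature $s is not in $dotdir/sig-cache.txt"; rc=1
        fi
    done
    # The wrapped passphrase is the only thing standing between the login
    # password and the mount key, so it must exist and be private (0600).
    if [ ! -f "$dotdir/wrapped-passphrase" ]; then
        echo "missing $dotdir/wrapped-passphrase"; rc=1
    elif [ -z "$(find "$dotdir/wrapped-passphrase" -perm 600 -print)" ]; then
        echo "$dotdir/wrapped-passphrase is not mode 0600"; rc=1
    fi
    # pam_ecryptfs only mounts at login when this marker file exists.
    if [ ! -f "$dotdir/auto-mount" ]; then
        echo "missing $dotdir/auto-mount marker"; rc=1
    fi
    return $rc
}

# make_sample DIR: build constructed sample files (an fstab excerpt plus a
# .ecryptfs directory) that mirror the layout produced by the steps above.
make_sample() {
    d=$1
    mkdir -p "$d/.ecryptfs"
    cat > "$d/fstab" <<'EOF'
# constructed /etc/fstab excerpt
/dev/sda1 / ext4 defaults 1 1
/home/user /home/user ecryptfs rw,user,noauto,exec,relatime,ecryptfs_fnek_sig=113c5eeef8a05729,ecryptfs_sig=113c5e8ef7a05729,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs 0 0
EOF
    printf '113c5e8ef7a05729\n113c5eeef8a05729\n' > "$d/.ecryptfs/sig-cache.txt"
    printf 'constructed-placeholder-not-a-real-wrapped-passphrase\n' \
        > "$d/.ecryptfs/wrapped-passphrase"
    chmod 600 "$d/.ecryptfs/wrapped-passphrase"
    : > "$d/.ecryptfs/auto-mount"
}

# Run against real paths when two arguments are given.
if [ "$#" -eq 2 ]; then
    check_ecryptfs_home "$1" "$2"
fi
```

Run it as root after the cp/touch/chown steps, or as the user against their own ~/.ecryptfs; a non-zero exit with a printed reason is a problem to fix before logging out, since a mismatched signature or a missing auto-mount marker is exactly what leaves you staring at an empty, still-encrypted home after the next login.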
Now it gets interesting! Edit /etc/pam.d/postlogin so that it reads as follows (the original post highlighted the added lines; that highlighting is lost here, and the pam_mount.so entries are the ones this step is about):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth     optional   pam_ecryptfs.so unwrap
auth     optional   pam_permit.so
auth     optional   pam_mount.so
password optional   pam_ecryptfs.so unwrap
session  optional   pam_ecryptfs.so unwrap
session  [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session  [default=1] pam_lastlog.so nowtmp silent
session  optional   pam_lastlog.so silent noupdate showfailed
session  optional   pam_mount.so
Edit /etc/security/pam_mount.conf.xml and replace the whole file with:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="*" />
  <mntoptions require="" />
  <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
  <logout wait="0" hup="0" term="0" kill="0" />
  <lclmount>/bin/mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
</pam_mount>
Finally,
# su - user -c "vi /home/user/.pam_mount.conf.xml"
And add this:
<pam_mount>
  <volume noroot="1" fstype="ecryptfs" path="/home/user" />
</pam_mount>
Now you can log in and see your decrypted files! ("su - user" will not work without running ecryptfs-mount-private.)
Whichever of the two methods you used, you should also set up swap encryption, since otherwise decrypted file contents can be swapped out to disk in the clear:
# ecryptfs-setup-swap
If you want to go that extra mile, you can symbolically link /home/user/.ecryptfs/wrapped-passphrase to a flash drive and mount it at boot, or use autofs or some scripting to mount it on login (just in time for PAM to access it). However, if you are going to go that far, you should look into more CIA-level disk encryption, like TrueCrypt.
That's all fine and dandy, but encrypted swap will leave you in a non-bootable state when you go and change your /etc/fstab. Try it with fc21+. NICE NASTY dracut boot bug. The UUID no longer matches what grub gives dracut. ALSO: it keeps asking for a password instead of using /dev/urandom for one when it does decide to work.