47.2 Using Encrypted Home Directories

To protect the data in home directories against theft of the machine or removal of the hard disk, use the YaST user management module to enable encryption of home directories. You can create encrypted home directories for new or existing users. To encrypt or decrypt the home directory of an existing user, you need to know that user's login password. See for instructions.

Encrypted home directories are not separate partitions; they are created within an encrypted file container as described in Section 47.1.3, Creating an Encrypted File as a Container. Two files are created under /home for each encrypted home directory (LOGIN is the user's login name):

LOGIN.img
    The image holding the directory.

LOGIN.key
    The image key, protected with the user's login password.

On login the home directory is decrypted and mounted automatically. Internally this is done by the PAM module pam_mount: it takes the login password from the PAM stack, uses it to unlock the image key, mounts the image on the user's home directory, and unmounts it again when the session ends. If you need an additional login method (another PAM service) that provides encrypted home directories, you have to add this module to the respective configuration file in /etc/pam.d/. For more information see also Section 27.0, Authentication with PAM and the man page of pam_mount.
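The following script is an added example, not code from the SUSE documentation or the pam_mount project. It shows how the two PAM lines pam_mount needs are added to a service file, working on a constructed copy of such a file rather than on the live /etc/pam.d/ entries, and it prints the pam_mount.conf.xml volume entry that pairs with the two files under /home. The cipher and key-wrapping attribute values in the volume entry are assumptions for illustration; the attribute names (fskeycipher, fskeyhash, fskeypath) are documented in pam_mount.conf(5), but copy the actual values from the entry YaST writes to /etc/security/pam_mount.conf.xml on your system.

```shell
#!/bin/sh
# Added example, not SUSE or pam_mount project code.
# pam_mount needs two lines in the PAM service file:
#  - an "auth" line after the module that verifies the password (pam_unix.so),
#    because pam_mount takes the password from the PAM stack to unlock the
#    user's key file;
#  - a "session" line, so the image is mounted when the session opens and
#    unmounted when it closes.
# Both are "optional" so that a failed mount does not lock the user out.
set -eu

# has_pam_mount FILE TYPE: 0 if FILE already has a TYPE line for pam_mount.so.
has_pam_mount() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*pam_mount\.so" "$1"
}

# add_pam_mount FILE TYPE: append "TYPE optional pam_mount.so" after the last
# existing TYPE line (or at the end of FILE if there is none). Idempotent.
add_pam_mount() {
    if has_pam_mount "$1" "$2"; then
        return 0
    fi
    last=$(grep -En "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | cut -d: -f1)
    tmp=$(mktemp)
    if [ -z "$last" ]; then
        cat "$1" > "$tmp"
        printf '%s\toptional\tpam_mount.so\n' "$2" >> "$tmp"
    else
        awk -v n="$last" -v t="$2" \
            '{ print } NR == n { printf "%s\toptional\tpam_mount.so\n", t }' \
            "$1" > "$tmp"
    fi
    cat "$tmp" > "$1"   # rewrite in place, keeping the file's owner and mode
    rm -f "$tmp"
}

# volume_entry USER: pam_mount.conf.xml volume for the LOGIN.img / LOGIN.key
# pair under /home. The cipher/hash values are assumptions for illustration;
# take the real ones from the YaST-generated /etc/security/pam_mount.conf.xml.
volume_entry() {
    printf '<volume user="%s" fstype="crypt" path="/home/%s.img" mountpoint="/home/%s"\n' "$1" "$1" "$1"
    printf '        fskeycipher="aes-256-cbc" fskeyhash="sha256" fskeypath="/home/%s.key"\n' "$1"
    printf '        options="loop,user,exec"/>\n'
}

# Constructed sample of a PAM service file that does not yet use pam_mount.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth     required   pam_env.so
auth     required   pam_unix.so    try_first_pass
account  required   pam_unix.so
password required   pam_unix.so
session  required   pam_limits.so
session  required   pam_unix.so
EOF

add_pam_mount "$sample" auth
add_pam_mount "$sample" session
add_pam_mount "$sample" session   # running it again changes nothing
cat "$sample"
volume_entry tux
```

The auth line lands directly after `auth required pam_unix.so`, and the session line after the last existing session entry, which is the ordering pam_mount expects; the constructed sample stands in for files such as /etc/pam.d/sshd or /etc/pam.d/gdm when adding a further login method.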

WARNING: Security Restrictions

Encrypting a user's home directory does not provide strong security from other users. While the user is logged in, the directory is mounted in the clear and protected only by ordinary file permissions, and root can read it at any time; the encryption protects the data only while the image is not mounted, for example after the disk has been removed from the machine. If strong security is required, the system should not be shared physically.

To enhance security, also encrypt the swap partition and the /tmp and /var/tmp directories, because these may contain temporary copies of critical data: memory pages of the user's processes, including decrypted file contents and key material, can be written to swap, and applications write scratch copies of their files to /tmp and /var/tmp. You can encrypt swap, /tmp, and /var/tmp with the YaST partitioner as described in Section 47.1.1, Creating an Encrypted Partition during Installation or Section 47.1.3, Creating an Encrypted File as a Container.
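The following check is an added example, not code from the SUSE documentation. After encrypting swap with the YaST partitioner, the swap area is a dm-crypt mapping declared in /etc/crypttab; the script verifies that every active swap device listed in /proc/swaps is such a mapping and reports any plain device. It reads both files by path, so it runs here against constructed samples and on a real system against /proc/swaps and /etc/crypttab.

```shell
#!/bin/sh
# Added example, not SUSE documentation code. Reports swap devices that are
# not dm-crypt mappings declared in crypttab.
set -eu

# crypttab_has NAME CRYPTTAB: 0 if CRYPTTAB declares the mapping NAME.
crypttab_has() {
    grep -Eq "^[[:space:]]*$1[[:space:]]" "$2"
}

# unencrypted_swaps PROC_SWAPS CRYPTTAB: print every swap device from
# PROC_SWAPS that is not a /dev/mapper/* device declared in CRYPTTAB.
unencrypted_swaps() {
    # Skip the header line of /proc/swaps; the first column is the device.
    tail -n +2 "$1" | awk '{ print $1 }' | while read -r dev; do
        case $dev in
        /dev/mapper/*)
            if crypttab_has "${dev#/dev/mapper/}" "$2"; then
                continue
            fi ;;
        esac
        printf '%s\n' "$dev"
    done
}

# swap_is_encrypted PROC_SWAPS CRYPTTAB: 0 if no plain swap device is active.
swap_is_encrypted() {
    [ -z "$(unencrypted_swaps "$1" "$2")" ]
}

# Constructed samples standing in for /proc/swaps and /etc/crypttab.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/swaps.ok" <<'EOF'
Filename                         Type        Size     Used  Priority
/dev/mapper/cr_swap              partition   2097148  0     -2
EOF
cat > "$workdir/swaps.bad" <<'EOF'
Filename                         Type        Size     Used  Priority
/dev/mapper/cr_swap              partition   2097148  0     -2
/dev/sda3                        partition   1048572  0     -3
EOF
cat > "$workdir/crypttab" <<'EOF'
# name     device      key           options
cr_swap    /dev/sda2   /dev/urandom  swap
EOF

if swap_is_encrypted "$workdir/swaps.ok" "$workdir/crypttab"; then
    echo "ok: all active swap is on dm-crypt"
fi
echo "plain swap devices in the second sample:"
unencrypted_swaps "$workdir/swaps.bad" "$workdir/crypttab"
```

On a live system call `swap_is_encrypted /proc/swaps /etc/crypttab`; a swap device that shows up as plain is one onto which decrypted home directory contents can be paged without protection.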