Encrypting an existing home directory with gocryptfs

Posted on Oct 26, 2025

A few weeks ago I got my hands on a Panasonic CF-SZ5 laptop from Japan and I love this little thing. Following this guide from bacardi55, I encrypted my existing home dir using gocryptfs to add a layer of protection while I turn it into my EDC laptop.

This post isn’t a guide, instead some notes on why and how it’s going.

Why? Plus some how

I’m sure the first question from anyone is why encrypt the home directory this way, rather than using the built-in encryption tools in the OS installer. Well, I don’t have a fresh install. It’s actually my desktop install cloned to the laptop.

I love my desktop setup. It is exactly the way I want it. When I thought about how I was going to set up the Panasonic laptop, I kept thinking that I wish I could move my existing desktop to it so that it is an exact clone, just half the size and portable.

Thanks to Linux and open source, that is 100% possible.

Using Clonezilla I cloned my desktop drive and restored it on the Panasonic. Then I booted into a live environment, edited the fstab to remove network file mounts and removed the cron jobs, neither are needed on my laptop. Then booted normally and everything is good to go. One of the amazing features of Linux is the ability to port existing installs to new machines. The Panasonic is Intel CPU and WiFi, so I didn’t need to do anything for it to recognize all the hardware.

The only adjustment I needed to make was to expand the swap partition to get hibernation working. I don’t need hibernation on my desktop, so swap was small. Luckily the drive in the Panasonic is larger than my desktop, so I booted into a live gparted ISO and resized all my partitions, giving swap enough space.

I’ve been using it for more than a week and have had zero issues, other than having to re-login to a few things.

This being said, my desktop does not have /home encrypted since it sits next to my desk at home and never leaves. This means /home is also not encrypted on the new machine. I needed to find a different solution.

How it went

As I mentioned, I followed this wonderful guide to encrypt my existing home directory with gocryptfs and then to automatically decrypt when logging into the system. I have no notes on their guide. I was able to easily follow it and have no notes.

This does not mean the /home partition is encrypted. It is only my user’s home dir, which is fine with me.

Performance has been good. Most of the time I don’t even notice the slight performance hit doing it this way. The only trouble is sometimes the RAM usage can be a little high. This is due to gocryptfs being a FUSE file system, which always comes with a RAM hit. At most I see gocryptfs using ~500MB of RAM.

Other than some higher RAM usage, everything just works.

Doing this setup saved me a ton of time configuring a new laptop. Instead of having to re-install everything, download my dotfiles, adjust some configs that aren’t in my dotfile repo, set up my keyboard shortcuts, and troubleshoot why some things aren’t working, I was up and running in about 3 hours.

Now I can focus on playing with the Panasonic laptop, rather than spend a bunch of energy to get it functional.

- - - - -


Thank you for reading! If you would like to comment on this post you can start a conversation on the Fediverse. Message me on Mastodon at @cinimodev@masto.ctms.me. Or, you may email me at blog.discourse904@8alias.com. This is an intentionally masked email address that will be forwarded to the correct inbox.
