How can I tell if my hard drive is encrypted?

mount encryption

5,071

The directory /home/cii is encrypted.

This is indicated by this mount line in your question:

/home/cii/.Private on /home/cii type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=18df82f57f616955,ecryptfs_fnek_sig=18e7fb71def9e5b5)

In particular, this line shows that there is a mount of type ecryptfs mounted at /home/cii. Ecryptfs is a system of filesystem-level encryption.

The line also shows that the drive is stored on disk as an encrypted container file called /home/cii/.Private. This is encrypted data that cannot be read or written to unless you decrypt it. You won't see it, unless your home directory has not been mounted yet, in which case it will appear and just look like jibberish.

When you enter your password, the encrypted data is being mounted at /home/cii. That is, while this mount exists, your /home/cii is being replaced with a mounted version of your encrypted container. Your home directory is encrypted as you write to it. When you log out, this will be unmounted and other people will be unable to read its contents even with root access: they will only see a file called .Private which is indistinguishable from random data.

5,071

user299761

Updated on September 18, 2022

Comments

user299761 over 1 year
I've recently installed Ubuntu (Trusty LTS) on my home computers, and believe I decrypted my /home directory, as described in the copying /home section of the tutorial at: https://help.ubuntu.com/community/Partitioning/Home/Moving

To quote that portion of the tutorial: "sudo rsync -aXS --exclude='/*/.gvfs' /home/. /media/home/.

The --exclude='/*/.gvfs' prevents rsync from complaining about not being able to copy .gvfs, but I believe it is optional. Even if rsync complains, it will copy everything else anyway. (See here for discussion on this)

If you have an encrypted home file system, then the above will just leave you with an unencrypted copy of your files, which is probably not what you want. You could re-encrypt them after copying, or copy them in their encrypted form."

Output of the mount command is as follows:
```
~$ mount
/dev/sdb3 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
/dev/sda3 on /home type ext4 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)
/home/cii/.Private on /home/cii type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=18df82f57f616955,ecryptfs_fnek_sig=18e7fb71def9e5b5)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,user=cii)
```
So is my /home directory encrypted, or not really? If not, what must I do to re-encrypt it (not mentioned in the tutorial)? What will happen if I re-encrypt a drive that is already, in fact, encrypted?

Thanks.

Thanks for the very quick response --but wait: did you just mean to imply that my /home folder is Not Moved yet? I finished the changes for moving the directory, I thought; and was now concerned with whether the results were encrypted or not. If the move didn't take...