Is encrypting home sufficient?

Data from any running program might end up in swap, so your swap space needs to be encrypted as well. Unless you want to hibernate your system, the swap space can be encrypted with a random key that is generated at each boot. This is the case by default if you select full-disk encryption during installation but not if you merely later encrypt your home directory. If your swap space isn't encrypted already, set it up with `ecryptfs-setup-swap`. If you want to have both swap space and hibernation, see Enable Hibernate With Encrypted Swap in the Ubuntu community documentation.

Many programs put temporary files in /tmp. The best way to handle this is to put /tmp on the memory-backed filesystem tmpfs instead of leaving it on a disk-backed filesystem. There's also a slight performance advantage. See this writeup for how to do this.

Beyond this, private data can end up in various places that aren't your private storage area. You have to decide, based on what you consider to be confidential, whether it's worth encrypting these areas. Here are some notable places:

  • If you receive mail locally (as opposed to fetching it from a POP or IMAP server), it arrives in /var/mail. If you send mail using the traditional unix method (sendmail), it transits via /var/spool/postfix (or whatever your MTA is). If you don't understand this paragraph, it doesn't apply to you.
  • If you set up recurring tasks, they are stored in /var/spool/cron.
  • When you print something, it transits in /var/spool/cups.
  • The system logs under /var/log might contain data you'd rather keep private, such as network errors from sites you've tried to connect to or from.
  • Your system configuration in /etc might have a few confidential things such as ISP or wifi passwords.

If you encrypt your home directory with ecryptfs, beware that it won't be mounted if you log in remotely with SSH while not logged in locally, so if you do that, your SSH public key file (~/.ssh/authorized_keys) needs to be present in both encrypted and cleartext form.
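
An added check, not part of the answer above or of any Ubuntu tool: it reports whether the locations listed in that answer (/tmp, the /var spool and log directories, /etc) and each swap area sit on tmpfs, on a dm-crypt mapping, or on a cleartext device. It assumes Linux `/proc/mounts` and `/proc/swaps` and util-linux `lsblk`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report what backs the locations the answer lists.
# A real run reads /proc; the parsing functions take their input on stdin.

PATHS="/tmp /var/mail /var/spool/cron /var/spool/cups /var/log /etc"

# backing_mount PATH: /proc/mounts text on stdin -> "device fstype" of the
# longest mount point containing PATH (later entries win on ties).
backing_mount() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); out = $1 " " $3 } }
        END { print out }'
}

# has_crypt_layer: `lsblk -s -n -o TYPE DEV` output on stdin; true if any
# layer under the device is a dm-crypt mapping (lsblk TYPE "crypt").
has_crypt_layer() { awk '$1 == "crypt" { f = 1 } END { exit !f }'; }

# classify FSTYPE LSBLK_TYPES -> memory | encrypted | cleartext | unknown
classify() {
    if [ "$1" = tmpfs ]; then echo memory      # pages may still reach swap
    elif [ -z "$2" ]; then echo unknown        # lsblk could not inspect it
    elif printf '%s\n' "$2" | has_crypt_layer; then echo encrypted
    else echo cleartext
    fi
}

# swap_devices: /proc/swaps text on stdin -> one swap path per line.
swap_devices() { awk 'NR > 1 { print $1 }'; }

audit() {
    for p in $PATHS; do
        set -- $(backing_mount "$p" < /proc/mounts)
        printf '%-16s %-28s %s\n' "$p" "$1" \
            "$(classify "$2" "$(lsblk -s -n -o TYPE "$1" 2>/dev/null)")"
    done
    for d in $(swap_devices < /proc/swaps); do
        printf '%-16s %-28s %s\n' swap "$d" \
            "$(classify swap "$(lsblk -s -n -o TYPE "$d" 2>/dev/null)")"
    done
}

# Run the live audit only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; fi
```

A swap file or a root such as overlay shows as unknown because lsblk has no block device to inspect.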


It depends on what you intend to secure. If everything you want to keep safe resides in /home/, then you're golden. Otherwise, no.

For example, /var/spool/mail/ contains system email sent to your user. /var/spool/cron/ contains your crontabs. And if you're worried about a malicious actor with local access ("evil maid" scenario) messing with your security, then it is definitely not sufficient.

Homedir encryption is convenient and simple, and it allows you to protect your personal stuff from your big sister. But it's not whole-disk encryption, which is probably what you want if you're asking this question.

Failed login attempts are rate limited if done through PAM, but brute-force attacks against your encryption would be offline anyway, so your OS doesn't factor in.