What is a good encryption solution for a shared computer?

I’m wondering what is an appropriate solution to protect my files on a shared computer.
I have installed Manjaro on a computer that is shared by a few students, including me, and I have created a user for myself, protected by password. I have a folder with my work files that syncs through syncthing with my phone and home computer.
The problem is that the HDD is not encrypted, so if someone boots into a live USB, or logs into root somehow, they can access the files in my user’s home folder.
I’m aware I can create a zip that is password protected, but it would be very inconvenient to have to zip/unzip my files all the time.
Is there a way I can better protect my home folder on this PC, in a way that when I login into my user, syncthing is immediately able to sync my files?

I appreciate any help,

To protect your personal files from being accessible by anyone who boots your machine from a USB
you have to encrypt at least your $HOME
so that, even if the whole system is accessible
the content of your $HOME is not

eCryptfs - ArchWiki

might be the (or a) solution.

is going to work, I guess
as it is, I think, syncing stuff when you are logged in
(when the $HOME is accessible and decrypted)

EncFS - ArchWiki

is another way to selectively encrypt directories inside your $HOME
they will be synced as they are - encrypted
slightly more inconvenient to use, though
as you have to actively open them when you want access

… or what @megavolt just said

but if the unencrypted hdd is taken to another system and accessed from there
this will be no good :wink:

It would be same on an (LUKS) encrypted system.
Once it is booted, everything is decrypted - just like on any “normal” running system.

To protect your personal files in that case - you have to encrypt them again
just like ecryptfs does (for instance)

1 Like
  1. Disable USB boot and lock the UEFI/BIOS with a password.
  2. Set a password for grub: GNU GRUB Manual 2.06

That should mitigate the problem.

1 Like

You want to also protect them from the other students who also use this computer? Block-device encryption (such as LUKS) technically won’t suffice; although it can protect the data if it is locked with a strong passphrase that must be entered up boot. (Protection against strangers and thieves.)

In your case, since you’re using KDE, you can install and use Plasma Vaults. It supports different encryption backends, and is designed to be user-friendly. You can manage, lock, and unlock your “vaults” at will using the GUI applets. No overhead nor inconvenience, compared to using “zips” and other older methods.

The package to install is named plasma-vault, and it will prompt you to also install one of three “optional” dependencies, if you don’t already have one or all of them installed: cryfs, gocryptfs, or encfs.

The applet can be placed in the tray and/or anywhere on the desktop screen.

1 Like

Thank you very much, I think eCryptfs might be what I’m looking for. I’m gonna read about it and try to use it. To have certain folders be decrypted automatically when I login would be ideal. I was also worried about my firefox profile being accessible, but If it encrypts my complete home folder, I believe it solves this problem too.

Thanks. I did consider this option. But, although I’m the one who has been maintaining that computer, it is not mine, and some other people in the lab should be able to maintain it as well, if needed, and not be forced to rely on me. So, the other people would need to know the passwords to the BIOS and Grub too, which would defeat the purpose.

Yes, that’s exactly what I want.

Plasma vaults seems like it could be a solution, i’ll try it. From the screenshot you gave, it reminds me of veracrypt, as in it create a file that can be mounted as a drive when I input a password (i’m guessing from the eject symbols, but I’m not sure). So I wonder if it will work well with syncthing, or if I will be able to synk my whole user folder.
Thanks again, your answer was very helpful.

An issue with encrypting your home folder, if root access is shared the system itself can be an attack vector. Any command for example ls or syncthing can be replaced by a trojan.

How about an encrypted partition with a full install on it?

Hello @holbot,

perhaps you could use systemd-homed which allows luks-encrypted home-directories. But its just an idea. I never used it myself.

Arch wiki for systemd-homed. :slightly_smiling_face:

1 Like

Ahh, that’s a good point. Hadn’t though about that. But I don’t really believe people in the lab would go that far to access eachother’s files. In any case, it’s good to keep in mind this vulnerability.