You installed Fedora and forgot to encrypt
You installed Fedora six months ago and focused on getting your desktop environment and development tools working. You never checked the "Encrypt my data" box in the installer. Now you are traveling with your laptop and realize anyone with physical access can remove the drive, plug it into another machine, and read your files. Or perhaps you just want a secure vault for sensitive documents without wiping your system and reinstalling. You need encryption, but you are stuck with a running system.
What encryption actually does
Encryption transforms readable data into ciphertext that looks like random noise without the correct key. Fedora provides three paths depending on your timeline and risk tolerance. LUKS encrypts the block device, usually the entire disk, and requires a passphrase before the kernel can mount the filesystem. fscrypt encrypts individual directories at the filesystem level using keys linked to your login credentials. A LUKS container creates a file that acts like an encrypted disk inside your home directory, useful for portable storage.
LUKS is the gold standard for full protection against physical theft. fscrypt is the surgical tool for protecting specific folders on an existing system. Containers are for secrets you need to move between machines.
Choose the right tool
Use LUKS full-disk encryption when you are installing Fedora fresh and want maximum protection against physical theft. Use fscrypt when you need to encrypt specific directories on an existing system without reinstalling. Use a LUKS container when you want a portable encrypted file you can move between machines or store on a USB drive. Stay on the current setup if your data is already safe and you only need to lock the screen when walking away.
Verify existing LUKS encryption
If you are unsure whether your system is already encrypted, check the block devices. LUKS wraps the underlying partition, so the filesystem type will show as crypto_LUKS rather than ext4 or btrfs.
Here's how to check whether your disk is wrapped in LUKS and verify the active mappings.
# -o selects columns to display; look for FSTYPE crypto_LUKS
lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT
# checks if LUKS is active on mapped devices and shows key size
sudo cryptsetup status /dev/mapper/luks-*
If lsblk shows ext4 or btrfs directly on the partition, you do not have full-disk encryption. You can still use fscrypt or a LUKS container. If you see crypto_LUKS, your data is already protected. Reboot to test the passphrase. If you cannot unlock, you cannot recover.
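The check above is done by eye. As an added example that is not part of the original article, the function below makes the same decision from lsblk's key="value" output (the -P and PKNAME options are real lsblk features): it follows the mountpoint back to its parent device and only reports success when the parent carries a LUKS header, so an unencrypted /boot next to an encrypted / is reported correctly. The sample listings are constructed for testing; live use is the lsblk pipeline shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original article). Live usage:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | luks_backs_mount /
# Reading stdin instead of calling lsblk directly lets the parser run on
# captured output without root.

# luks_backs_mount MOUNTPOINT: exit 0 when the device holding MOUNTPOINT is a
# dm-crypt mapping (TYPE=crypt) whose parent device carries a LUKS header
# (FSTYPE=crypto_LUKS). A filesystem sitting directly on a partition, or a
# mapping whose parent is not LUKS, yields exit 1.
luks_backs_mount() {
  awk -v mp="$1" '
    {
      gsub(/"/, "")                       # NAME="sda" -> NAME=sda
      split("", f)                        # clear per-line field map
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      fstype[f["NAME"]] = f["FSTYPE"]     # remember every device type
      if (f["MOUNTPOINT"] == mp) { mtype = f["TYPE"]; parent = f["PKNAME"] }
    }
    END { exit !(mtype == "crypt" && fstype[parent] == "crypto_LUKS") }'
}

# Constructed sample listings (not captured from a real machine).
SAMPLE_LUKS='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-2b0c" TYPE="crypt" FSTYPE="btrfs" MOUNTPOINT="/" PKNAME="sda3"'

SAMPLE_PLAIN='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"'

# report MOUNTPOINT LISTING: print a one-line verdict for a listing.
report() {
  if printf '%s\n' "$2" | luks_backs_mount "$1"; then
    echo "$1: LUKS-backed"
  else
    echo "$1: NOT encrypted at the block level"
  fi
}

report / "$SAMPLE_LUKS"
report /boot "$SAMPLE_LUKS"
report / "$SAMPLE_PLAIN"
```

Note that the root filesystem being LUKS-backed says nothing about /boot: on a default Fedora layout /boot is a plain ext4 partition, which is why the function is asked about each mountpoint separately.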
Encrypt directories with fscrypt
fscrypt is the modern replacement for ecryptfs. It works at the filesystem level and supports ext4, f2fs, and btrfs. It links encryption policies to your login key, so directories unlock automatically when you log in, and you can lock them manually when needed.
Install and prepare fscrypt
First, install the utility. Then verify your filesystem supports the encryption feature. On ext4, the encrypt feature flag must be enabled. Enabling this flag often requires an unmounted filesystem, so you may need to boot from a live USB if the command fails on a mounted partition.
Here's how to install fscrypt and check the filesystem feature flags.
# installs the fscrypt utility and dependencies
sudo dnf install fscrypt
# lists filesystem features to verify encryption support
# replace /dev/sda2 with your root or home partition
# reading the superblock from the raw device needs root, hence sudo
sudo tune2fs -l /dev/sda2 | grep 'Filesystem features'
If the output does not include encrypt, enable it. You will likely need to unmount the filesystem first. If this is your root partition, boot from a Fedora live USB, mount the partition to a temporary directory, and run the command there.
# enables the encryption feature flag on the filesystem
# this may fail if the filesystem is mounted read-write
sudo tune2fs -O encrypt /dev/sda2
Initialize and encrypt a directory
Once the feature is enabled, initialize fscrypt on the filesystem. This creates the policy database and links it to your user key. Then create the directory you want to protect and encrypt it.
Here's how to initialize fscrypt and bind a directory to your user key.
# initializes the policy database on the filesystem
sudo fscrypt setup
# creates the directory to protect
mkdir ~/secure_data
# creates a policy and binds the directory to your user key
# you will be prompted to choose a protection method
sudo fscrypt encrypt ~/secure_data --user=$(whoami)
Choose the protection method linked to your login passphrase. This is the easiest option for daily use. The directory is now encrypted. Files written to it are stored as ciphertext.
Lock and unlock the directory
You can lock the directory at any time. Locking removes the key from the kernel, making the data inaccessible until you unlock it again. This is useful when you step away from your desk but don't want to log out.
Here's how to lock, unlock, and check the status of an encrypted directory.
# locks the directory by removing the key from the kernel
fscrypt lock ~/secure_data
# unlocks the directory by prompting for the passphrase
fscrypt unlock ~/secure_data
# shows the policy ID and lock state
fscrypt status ~/secure_data
Lock the directory when you are done. An unlocked directory is just a normal folder with a bad attitude.
Create a portable LUKS container
A LUKS container is a file that contains an encrypted filesystem. You can create it anywhere, mount it when needed, and unmount it to hide the contents. This is ideal for a portable vault you can carry on a USB drive or sync to a backup server.
Create and format the container
Start by creating a file filled with random data. Using /dev/urandom ensures the file contains no patterns, which is a security best practice for encrypted volumes. Then format the file with LUKS and create a filesystem inside.
Here's how to create a 2 GB encrypted container and format it.
# creates a 2GB file filled with random data
# this takes time; use truncate for a faster sparse file if needed
dd if=/dev/urandom bs=1M count=2048 of=~/vault.img
# formats the file with a LUKS header and prompts for passphrase
sudo cryptsetup luksFormat ~/vault.img
# opens the LUKS device and maps it to /dev/mapper/myvault
sudo cryptsetup open ~/vault.img myvault
# creates an ext4 filesystem inside the decrypted mapping
sudo mkfs.ext4 /dev/mapper/myvault
Mount and use the container
Mount the mapped device to a directory. You can now read and write files normally. When you are finished, unmount and close the mapping to secure the data.
Here's how to mount the container, use it, and close it safely.
# creates a mount point
sudo mkdir -p /mnt/vault
# mounts the decrypted filesystem
sudo mount /dev/mapper/myvault /mnt/vault
# unmounts the filesystem
sudo umount /mnt/vault
# closes the LUKS mapping and removes the device node
sudo cryptsetup close myvault
Close the mapping before moving the file. An open device prevents safe removal and risks corruption.
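The open, mount, unmount, close sequence above is easy to get wrong in the two ways the section warns about: opening a mapping twice, and moving the image file while it is still mapped. Below is an added wrapper that is not part of the original article. It uses the article's names (vault.img, myvault, /mnt/vault) and adds a VAULT_DRY_RUN switch of my own so the exact command sequence can be inspected without root or a real container; with the switch off it runs the same cryptsetup and mount commands the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): open/close wrapper for the
# portable LUKS container. All names default to the article's values.
set -u

VAULT_IMG="${VAULT_IMG:-$HOME/vault.img}"
VAULT_NAME="${VAULT_NAME:-myvault}"
VAULT_MNT="${VAULT_MNT:-/mnt/vault}"
VAULT_DRY_RUN="${VAULT_DRY_RUN:-0}"   # 1 = print commands instead of running

# run: execute a command, or print it verbatim in dry-run mode.
run() {
  if [ "$VAULT_DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# vault_is_open: true when the dm-crypt mapping node exists.
vault_is_open() {
  [ -e "/dev/mapper/$VAULT_NAME" ]
}

# vault_open: map the container and mount it; refuses to map twice.
vault_open() {
  if vault_is_open; then
    echo "vault_open: $VAULT_NAME is already mapped" >&2
    return 1
  fi
  if [ ! -f "$VAULT_IMG" ] && [ "$VAULT_DRY_RUN" != 1 ]; then
    echo "vault_open: missing container $VAULT_IMG" >&2
    return 1
  fi
  run sudo cryptsetup open "$VAULT_IMG" "$VAULT_NAME" || return 1
  run sudo mkdir -p "$VAULT_MNT"
  run sudo mount "/dev/mapper/$VAULT_NAME" "$VAULT_MNT"
}

# vault_close: unmount first, then drop the mapping so the key leaves the
# kernel. A failed umount (files still open) leaves the mapping in place.
vault_close() {
  run sudo umount "$VAULT_MNT" || return 1
  run sudo cryptsetup close "$VAULT_NAME"
}

# vault_move DEST: relocate the image only when it is closed. Copying or
# moving an image whose mapping is still open produces an inconsistent copy.
vault_move() {
  if vault_is_open; then
    echo "vault_move: close $VAULT_NAME before moving the image" >&2
    return 1
  fi
  run mv "$VAULT_IMG" "$1"
}
```

Usage is `vault_open`, work under /mnt/vault, then `vault_close`; `VAULT_DRY_RUN=1 vault_open` shows what would run. The mapping check reads /dev/mapper directly because that node exists exactly while the container is open, which is the condition the article says must be false before the file is moved.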
Verify the encryption state
After setting up encryption, verify that everything is working as expected. For fscrypt, check the status of the directory. For LUKS containers, ensure the device is closed when not in use.
Here's how to confirm fscrypt is active and the directory is locked.
# shows the policy ID, protection type, and lock state
fscrypt status ~/secure_data
# lists active dm-crypt mappings to ensure containers are closed
# (cryptsetup status needs a mapping name, so use dmsetup for the overview)
sudo dmsetup ls --target crypt
If fscrypt status reports the directory as locked, it is secure. If it reports it as unlocked, the key is still loaded in the kernel. Run fscrypt status before assuming either state; read the actual output rather than guessing.
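The two checks above are what you would run before walking away from the machine. As an added example that is not part of the original article, the script below turns them into one pre-departure check: it parses the "Unlocked:" line of fscrypt status (I am assuming the Yes/No format fscrypt prints on my system) and the mapping list from dmsetup ls --target crypt, and warns about anything still open. Both parsers read stdin, so the constructed sample outputs at the bottom exercise them without fscrypt or root; leave_desk_check runs the live commands.

```shell
#!/bin/sh
# Added example (not from the original article): pre-departure check for
# unlocked fscrypt directories and open dm-crypt mappings.

# fscrypt_unlocked: stdin = output of `fscrypt status DIR`.
# Exit 0 when an "Unlocked: Yes" line is present (assumed output format).
fscrypt_unlocked() {
  grep -q '^Unlocked:[[:space:]]*Yes'
}

# open_crypt_mappings: stdin = output of `sudo dmsetup ls --target crypt`.
# Prints one mapping name per line; prints nothing for "No devices found".
open_crypt_mappings() {
  awk '/^No devices found/ { next } NF { print $1 }'
}

# leave_desk_check DIR: run both checks live; return 1 if anything is open.
leave_desk_check() {
  dir="$1"
  rc=0
  if fscrypt status "$dir" 2>/dev/null | fscrypt_unlocked; then
    echo "WARN: $dir is unlocked; run: fscrypt lock $dir"
    rc=1
  fi
  for name in $(sudo dmsetup ls --target crypt 2>/dev/null | open_crypt_mappings); do
    echo "WARN: dm-crypt mapping $name is open; run: sudo cryptsetup close $name"
    rc=1
  done
  return $rc
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FSCRYPT_LOCKED='"/home/alice/secure_data" is encrypted with fscrypt.

Policy:   0123456789abcdef0123456789abcdef
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: No'

SAMPLE_FSCRYPT_UNLOCKED='"/home/alice/secure_data" is encrypted with fscrypt.

Policy:   0123456789abcdef0123456789abcdef
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes'

SAMPLE_DMSETUP_NONE='No devices found'
SAMPLE_DMSETUP_OPEN='myvault	(253:0)
luks-2b0c	(253:1)'

# Demonstrate the parsers on the samples.
printf '%s\n' "$SAMPLE_FSCRYPT_UNLOCKED" | fscrypt_unlocked && echo "sample: directory unlocked"
printf '%s\n' "$SAMPLE_DMSETUP_OPEN" | open_crypt_mappings
```

Note that the dmsetup list includes the system's own luks-* root mapping when you have full-disk encryption, which must of course stay open; the warning is only actionable for the portable containers you opened by hand.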
Common pitfalls and errors
Filesystem feature missing
If fscrypt encrypt fails with Error: filesystem does not support encryption, the encrypt feature flag is not enabled. Run tune2fs -O encrypt on the partition. You may need to boot from a live USB to enable the flag on a mounted root filesystem.
SELinux context issues
fscrypt generally preserves SELinux contexts. If you see access denied errors after encrypting a directory, restore the contexts.
# restores default SELinux contexts recursively
sudo restorecon -Rv ~/secure_data
Lost passphrase
A lost passphrase means permanent data loss. There is no backdoor. Back up your data before enabling encryption. For LUKS containers, you can add multiple keys using cryptsetup luksAddKey. For fscrypt, ensure your login passphrase is recoverable or use an external key file.
Sparse files and encryption
Using truncate to create a container file is faster than dd, but it creates a sparse file. Sparse files are fine for encryption, but some backup tools may not handle them correctly. If you plan to back up the container file, use dd to create a dense file.
Run journalctl -xe before guessing. The error message usually tells you exactly which feature flag is missing.