The home directory is plaintext
You installed Fedora on a laptop. You took it to a coffee shop. You realized too late that the drive is readable by anyone with a USB-C cable and a live USB. You want to encrypt your home directory now. You found a forum post suggesting useradd --encrypt. That command fails with useradd: invalid option -- 'e'. The flag does not exist. Fedora uses a different mechanism for file-level encryption.
The source of confusion is the difference between block encryption and file encryption. LUKS encrypts the block device. It protects the entire partition. Ecryptfs encrypts individual files and directories. It sits on top of the existing filesystem. Fedora uses Ecryptfs for home directory encryption. Ecryptfs integrates with PAM. The directory unlocks when you log in. The directory locks when you log out. You cannot encrypt a home directory while the user session is active. The files must be closed and unmounted. You need a second administrative account to perform the migration.
What is actually happening
Ecryptfs creates a stackable filesystem layer. Your real files live in an encrypted directory. A mount point exposes the decrypted view. The mount point is your home directory. When you log in, PAM triggers a script that mounts the encrypted directory. When you log out, PAM triggers a script that unmounts it. The encryption key is derived from your passphrase. The key is wrapped and stored in ~/.ecryptfs/wrapped-passphrase. If you lose the passphrase, the data is mathematically unrecoverable. There is no backdoor.
The migration process copies your existing files into the encrypted directory. It renames your old home directory to home.username. It creates the new mount point. It configures PAM to handle the mount automatically. The process requires root privileges. It requires the target user to be completely logged out. Any open files will cause the migration to fail.
Run journalctl -xe if the mount fails after reboot. The x flag adds explanatory text. The e flag jumps to the end. Most PAM errors show up there with a one-line summary. Read those before editing configuration files.
Create a second administrative user
You cannot migrate your own home directory. You need a second user with wheel privileges to run the migration script. If you already have a second user, skip this step. If you only have one user, you must create a second user before proceeding.
Here is how to create a temporary administrative account for the migration.
sudo useradd -m -G wheel -c "Migration Admin" -s /bin/bash admin
# -m creates the home directory for the new user
# -G wheel grants sudo privileges to the new user
# -c sets the comment field for identification
# -s sets the login shell to bash
sudo passwd admin
# Set a strong password for the admin account
Log out of your current session. Log in as the admin user. You must verify that the target user is not running any processes. The migration script will abort if it detects active sessions.
who
# List all currently logged-in users
ps -u your_username
# Check for any running processes owned by the target user
If ps returns any output, kill those processes or reboot. The target user must be completely inactive.
Run the migration script
Fedora ships the ecryptfs-utils package by default. The migration tool is ecryptfs-migrate-home. Run this command as root. The script guides you through the process. It asks for the new passphrase. It asks for the current password. It copies the files. It renames the old directory.
Here is the command to start the migration.
sudo ecryptfs-migrate-home -u your_username
# -u specifies the target user account to migrate
# sudo is required: the script renames the old home directory, creates the encrypted lower directory and sets up the mount, all of which need root
The script prompts for a new passphrase. This passphrase protects the encrypted files. It can be different from your login password. If you use the same password, you only need to remember one secret. If you use a different password, you must remember both. The script warns you about this.
The script asks for the current password of the target user. This verifies your identity. The script then copies the files. The copy process takes time. It depends on the size of your home directory. Do not interrupt the script. Interrupting the script can leave your home directory in an inconsistent state.
The script renames the old home directory to home.username. It creates the new home directory. It configures PAM. It prints a summary. It tells you to reboot.
Reboot before you debug. Half the time the symptom is gone.
Verify the encryption
After reboot, log in as the target user. Check that the files are readable. Check that the encryption is active. The .ecryptfs directory should exist in your home directory. The wrapped-passphrase file should be present.
Here is how to verify the encryption status.
mount -t ecryptfs
# Lists the active ecryptfs mounts with their options (cipher and key size) for the current session
ls -la ~/.ecryptfs
# Lists the hidden encryption configuration directory
ls -l ~/.ecryptfs/wrapped-passphrase
# Confirms the wrapped passphrase file exists; it is a binary file, so do not cat it or share it
The mount -t ecryptfs command prints one line per active mount. That line shows the mount point, the cipher (ecryptfs_cipher=) and the key size in bytes (ecryptfs_key_bytes=). If it prints nothing for your home directory, the mount is not active. Check journalctl -xe for PAM errors.
You can also check the underlying filesystem. The real files are stored in an encrypted directory. The path is usually ~/.ecryptfs/your_username/.ecryptfs/. The files there are unreadable without the key.
ls ~/.ecryptfs/your_username/.ecryptfs/
# Lists the encrypted files in the lower directory
file ~/.ecryptfs/your_username/.ecryptfs/important_doc.txt
# Shows that the file is data, not a readable text file
If the files are readable in the lower directory, the encryption is not working. Do not store sensitive data until you verify the encryption.
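The two checks above, the mount type and the readability of the lower directory, can be scripted so they are repeatable after every reboot. The following is an added example, not part of ecryptfs-utils or of the original page. It assumes bash, GNU coreutils (stat, head, od) and awk; the paths are placeholders, and the sample files the test builds are constructed for illustration.

```shell
#!/bin/bash
# Added example: post-reboot verification helpers (not part of ecryptfs-utils).
# Assumes bash, GNU coreutils (stat, head, od) and awk. Paths are placeholders.

# Filesystem type the kernel reports for a path. A correctly mounted home
# directory reports "ecryptfs"; the lower directory reports the host
# filesystem (ext4, btrfs, ...).
fs_type() {
    stat -f -c %T "$1"
}

is_ecryptfs_mount() {
    [ "$(fs_type "$1")" = "ecryptfs" ]
}

# Return 0 if the first 512 bytes of a file are all printable ASCII or
# whitespace, 1 otherwise. Encrypted lower files fail this test; a lower
# file that passes is stored in the clear.
looks_like_plaintext() {
    head -c 512 "$1" | od -An -tu1 -v | tr -s ' \n' '\n' | grep -v '^$' |
        awk '$1 != 9 && $1 != 10 && $1 != 13 && ($1 < 32 || $1 > 126) { bad = 1 }
             END { exit bad ? 1 : 0 }'
}

# Number of regular files directly under a directory that read as plaintext.
# Run it against the lower directory; the expected answer is 0.
count_plaintext_files() {
    local n=0 f
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        looks_like_plaintext "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Whole-home check: mount type plus a scan of the lower directory.
# Returns 0 only when both look right.
verify_home() {
    local mount_point="$1" lower_dir="$2" plain
    if ! is_ecryptfs_mount "$mount_point"; then
        echo "$mount_point is $(fs_type "$mount_point"), not ecryptfs: mount is not active" >&2
        return 1
    fi
    plain=$(count_plaintext_files "$lower_dir")
    if [ "$plain" -ne 0 ]; then
        echo "$plain file(s) in $lower_dir are readable without the key" >&2
        return 1
    fi
    echo "ok: $mount_point is an ecryptfs mount and $lower_dir holds only ciphertext"
}

# Example invocation with the page's placeholder lower path:
# verify_home ~ ~/.ecryptfs/your_username/.ecryptfs
```

The plaintext heuristic deliberately reads only the first 512 bytes: an encrypted lower file starts with a binary header, so a handful of bytes is enough to tell ciphertext from a text document, and the scan stays fast on a large home directory.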
Common pitfalls and error messages
The migration fails if the target user is logged in. The script checks for active sessions. It aborts if it finds any. The error message is explicit.
Error: Target user is logged in. Please log out and try again.
You must log out completely. Close all terminals. Close all applications. Switch to the admin user. Run the script again.
The migration fails if you do not have root privileges. The script modifies system files. It requires sudo. The error message is standard.
Error: You must be root to run this command.
Run the command with sudo. Do not run the script as the target user. The script requires root to mount the filesystem and modify PAM configuration.
The migration fails if the disk is full. The script copies the files. It needs free space equal to the size of the home directory. Check the disk usage before starting.
df -h /home
# Check available space on the home partition
If the disk is full, delete unnecessary files. Clear the ~/.cache directory. Remove old downloads. Ensure there is enough space for the copy operation.
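The session check described under "Create a second administrative user" and the free-space check above are the two preconditions the migration script is most often run without. The following is an added example that bundles them into one preflight function; it is not part of ecryptfs-utils or of the original page. It assumes bash, procps (ps, who) and GNU coreutils (du, df, id); the user name and home path are placeholders supplied by the caller.

```shell
#!/bin/bash
# Added example: preflight checks for ecryptfs-migrate-home (not part of
# ecryptfs-utils). Assumes bash, procps (ps, who), GNU coreutils (du, df, id).
# User names and paths are placeholders.

# 0 if the user owns any running process (the migration script will abort).
user_has_processes() {
    # ps prints one pid per line; an unknown user prints nothing on stdout
    [ -n "$(ps -u "$1" -o pid= 2>/dev/null)" ]
}

# 0 if `who` shows a login session for the user.
user_logged_in() {
    who | awk -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Size of a directory tree in kilobytes (what the copy will need).
home_size_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# Free kilobytes on the filesystem that holds the path.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# 0 when the filesystem can hold a full second copy of the directory. The
# migration copies into the encrypted lower directory before the old home
# is removed, so it needs free space at least equal to the directory size.
enough_space() {
    local need have
    need=$(home_size_kb "$1")
    have=$(free_kb "$1")
    [ "$have" -ge "$need" ]
}

# Run every check; print each failure and return 1 if any check failed.
preflight() {
    local user="$1" home="$2" rc=0
    if [ "$(id -un)" = "$user" ]; then
        echo "refusing: log in as a second admin; a user cannot migrate their own home" >&2
        rc=1
    fi
    if user_logged_in "$user" || user_has_processes "$user"; then
        echo "refusing: $user still has a session or running processes" >&2
        rc=1
    fi
    if ! enough_space "$home"; then
        echo "refusing: need $(home_size_kb "$home") KB free for a copy of $home, have $(free_kb "$home") KB" >&2
        rc=1
    fi
    return "$rc"
}

# Example invocation with the page's placeholder user name:
# preflight your_username /home/your_username && sudo ecryptfs-migrate-home -u your_username
```

Run it from the admin account, not from the account being migrated; the first check exists precisely so that a mistake there is caught before any files move.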
The mount fails after reboot if the PAM configuration is broken. This happens if you manually edited files in /etc/pam.d/. Never edit files in /usr/lib/pam.d/. Those files ship with the package. Edit files in /etc/pam.d/ only if you know what you are doing. Fedora uses authselect to manage PAM. Manual edits drift. Snapshots stay.
Check journalctl -xe for mount errors. Look for pam_ecryptfs messages. The logs show why the mount failed. Fix the configuration. Reboot.
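When the mount fails after a reboot, two questions decide the next step: does the login PAM stack still load pam_ecryptfs.so, and what did the module log? The following is an added example, not part of ecryptfs-utils, authselect or the original page. It assumes bash, grep and awk; the journal excerpt is a constructed sample, not real Fedora output, and the pam.d directory path is a placeholder.

```shell
#!/bin/bash
# Added example: configuration and log checks for a failed post-reboot mount.
# Not part of ecryptfs-utils or authselect. Assumes bash, grep and awk.
# The journal excerpt below is constructed, not captured from a real system.

# List the PAM service files under a pam.d directory that load
# pam_ecryptfs.so on an uncommented line. After a migration the login path
# must reference the module, or PAM never mounts the home directory.
pam_files_with_ecryptfs() {
    grep -l '^[[:space:]]*[^#[:space:]].*pam_ecryptfs\.so' "$1"/* 2>/dev/null
}

# Filter journal text (pipe `journalctl -b` into this) down to the lines
# that matter for an ecryptfs mount failure.
ecryptfs_journal_lines() {
    grep -iE 'pam_ecryptfs|mount\.ecryptfs|ecryptfs'
}

# Constructed sample journal excerpt: three relevant lines among five.
SAMPLE_JOURNAL='Jan 01 09:00:01 laptop systemd[1]: Started Session 2 of user your_username.
Jan 01 09:00:02 laptop gdm-password][1200]: pam_ecryptfs: Passphrase file wrapped
Jan 01 09:00:02 laptop gdm-password][1200]: pam_ecryptfs: Error adding passphrase key token to user session keyring
Jan 01 09:00:03 laptop NetworkManager[900]: <info> device (wlp2s0): state change
Jan 01 09:00:04 laptop mount.ecryptfs_private[1250]: failed to mount encrypted home'

# Count the relevant lines in the constructed sample (used by the demo below).
count_sample_ecryptfs_lines() {
    printf '%s\n' "$SAMPLE_JOURNAL" | ecryptfs_journal_lines | wc -l | tr -d ' '
}

# Demo: show the filtered sample, then the live check against the real
# PAM directory (placeholder path; adjust if your distribution differs).
demo() {
    printf '%s\n' "$SAMPLE_JOURNAL" | ecryptfs_journal_lines
    echo "PAM files loading pam_ecryptfs.so:"
    pam_files_with_ecryptfs /etc/pam.d || echo "(none: the PAM hook is missing)"
}
```

If the second check prints nothing, the mount cannot succeed no matter what the journal says. On Fedora, `authselect check` reports whether the files in /etc/pam.d still match the selected profile; a line added there by hand counts as a modification and is lost the next time a profile is applied, which is the drift the page warns about.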
When to use this vs alternatives
Use LUKS full-disk encryption when you are installing Fedora fresh and want zero-config transparency. LUKS encrypts the entire drive. It protects all data. It requires no user intervention after setup. It is the default option for portable machines.
Use Ecryptfs home encryption when you already have a running system and only need to protect user data. Ecryptfs encrypts the home directory. It leaves the system files unencrypted. It is easier to set up on an existing installation. It does not require a reinstall.
Use external encrypted volumes when you are moving sensitive data between machines and need portability. External volumes are independent of the system. You can mount them on any Linux machine. You can carry them on a USB drive. They do not depend on PAM or user accounts.
Stay unencrypted when you are on a trusted corporate network with strict physical security. Encryption adds overhead. It adds complexity. It adds risk of data loss if you forget the passphrase. If physical security is guaranteed, encryption is unnecessary.
Trust the package manager. Manual file edits drift, snapshots stay.