# Encrypting home on a system already in use



## nielsk (Feb 1, 2018)

I set up my FreeBSD-desktop nearly a year ago but with unencrypted disks (please don't ask…).
Now I am in the need to encrypt at least the home directory of my user. What would be the best way to do that without reinstalling my system?
I have two disks in one zpool-mirror taking up the whole disk.
Is the only way to create a file that is a geli-container, mount that into a home-directory, then rsync my current home-directory and then rename the two (old one to something like /home/user.old; new one to /home/user)? Or is there a better way?
How would I mount it at boot time, or better after the user logs in (btw. I am using gdm)?


----------



## sko (Feb 1, 2018)

I'm using PEFS for encrypted home directories on my laptop. It works at file-level, so it can be retrofitted on any filesystem and on already installed systems and also won't interfere with classical (file level) backup solutions as there is no hidden metadata. This way home directories can be backed up without encrytpting them first.
A PAM module is also available, so it can be easily hooked into PAM decryption at login.


----------

