How to use Ubuntu's encrypted home with linode
Ubuntu comes with a built-in option to encrypt your home directory, you just check a box when installing ubuntu or creating a new user. Files in your home directory are always encrypted before being written to disk, including swap (but I'm not sure about /tmp). When you login, a virtual filesystem containing a decrypted copy of your home directory is mounted (but this virtual filesystem doesn't actually exist on disk).
Here's how to use Ubuntu's encrypted home option from the command line on an ubuntu linode:
Linode initially creates a 'root' user. ssh into your linode as root and:
root@tagomi:~# aptitude install ecryptfs-utils
root@tagomi:~# adduser --encrypt-home newuser
Not totally sure whether that first command is necessary.
Warning: don't get adduser confused with the more low-level useradd command!
If you want newuser to be an "admin" user (i.e. to be able to run commands as root by using the sudo command) then after creating newuser with the adduser command above issue this second adduser command to add newuser to the admin group:
root@tagomi:~# adduser newuser admin
Now you can see that newuser's home is encrypted:
root@tagomi:~# ls /home/newuser/
Access-Your-Private-Data.desktop README.txt
If you ssh into your linode as root and then su to newuser it does not ask for newuser's password in order to su as them. Therefore, after you su newuser's home directory will not be decrypted:
root@tagomi:~# su newuser
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
newuser@tagomi:/root$ cd
newuser@tagomi:~$ ls
Access-Your-Private-Data.desktop README.txt
As it says you can run ecryptfs-mount-private and supply newuser's password to decrypt their home.
If you ssh to your linode directly as newuser then you'll be asked for newuser's password and their home directory will automatically be decrypted when you login.
Note that whenever you are logged in as newuser their home directory is decrypted. Try it: ssh to your linode as newuser, then open another terminal window on your local computer, ssh to your linode as root, and do ls -a /home/newuser. Root can see newuser's files when newuser is logged in. If newuser logs out and root tries to look in their home directory again, they will see that it's encrypted again. So if someone has access to your root account (or any other user account that has permission to read files in newuser's home directory) and they access it while newuser is logged in then they can access the files. It might be a good idea to use two-factor encryption with an encrypted ~/Private directory inside your encrypted home directory. Don't decrypt ~/Private whenever you're logged in, only briefly when you're using it.
One drawback is that cron jobs that need access to files in newuser's home directory will fail if newuser is not logged in when they run. I ended up creating another, non-encrypted user just to run some cron jobs.
Strangely, it seems that if you leave a tmux session running and close your ssh connection, your home directory is encrypted again as if you had logged out, although your tmux session is still running. If there is a program inside your tmux session that needs access to your files, it still seems to keep working! I'm not sure what's going on there.