Configure ssh server with encrypted home directory

The following instructions are to set up an ssh server on Ubuntu linux with an encrypted home directory. Throughout username refers to an actual username like phil.

Install OpenSSH server:

sudo apt-get install openssh-server 

Configure sshd_config (NOT ssh_config, note the d) to initially accept password logins, after creating a backup:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
sudo gedit /etc/ssh/sshd_config

Change the line #PasswordAuthentication yes to read PasswordAuthentication yes (i.e. remove the #) and only allow certain users:

PasswordAuthentication yes
AllowUsers username

Finally tell the configuration file to look in /etc/ssh/username/authorized_keys for client keys. The default is to look in ~/.ssh/ which is no good because this is encrypted until you’ve logged in!

AuthorizedKeysFile    /etc/ssh/%u/authorized_keys

Restart the ssh server with:

sudo service ssh restart

Next create the authorized_keys file and give it the appropriate permissions:

sudo mkdir /etc/ssh/username/
sudo chown username /etc/ssh/username
sudo chmod 755 /etc/ssh/username
sudo touch /etc/ssh/username/authorized_keys
sudo chown username /etc/ssh/username/authorized_keys
sudo chmod 644 /etc/ssh/username/authorized_keys

Then copy the client’s public key to authorized_keys. The easiest way to do that is to ssh in to the server (which is why we allowed password logins earlier) and do it from there. So from the client:

nano ~/.ssh/

Copy the key to the clipboard then:


Enter log in password when prompted, then:

nano /etc/ssh/username/authorized_keys  # Paste the key here and save

Then logout:


Disable password logins from /etc/ssh/sshd_config and restart the ssh server (sudo service ssh restart from the server). Log in is now done using the ssh keys and without prompting for a password. The client will prompt to see if the public key fingerprint sent from the server is correct and to add it to the white list. Check it’s right by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key on the server.