@j4cob

HOWTO Encrypt an existing home directory on Ubuntu Karmic Koala

08 Dec 2009

Karmic Koala, the latest release of Ubuntu, made it really easy for new installs to use encryption for home directories.  However, for users who upgraded from previous releases (Jaunty Jackalope, Intrepid Ibex, etc), the process to encrypt an existing home directory is not so obvious.  Here’s one way to do it.

You’ll need enough free space for two copies of your entire home directory. If you don’t have that, first move your existing home directory onto external media, and modify these instructions as appropriate.

First, log out of your normal account, which we’ll term myrealusername. Log in as root. Create a new, temporary user, using the --encrypt-home flag to adduser. Use the same password as your current user account.

# adduser --encrypt-home tmpuser

************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************
Done configuring.
Enter new UNIX password: USE YOUR EXISTING PASSWORD
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tmpuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

When you ran ‘adduser’, it created two important directories: /home/.ecryptfs/tmpuser/.Private and /home/.ecryptfs/tmpuser/.ecryptfs. These are both symlinked into a skeleton home directory at /home/tmpuser. I say skeleton here because the directory so created is only ever visible when ‘tmpuser’ is logged out. Once ‘tmpuser’ is logged in, the contents of /home/.ecryptfs/tmpuser/.Private are decrypted and mounted on top of /home/tmpuser. We want the same thing to happen for myrealusername. Before we put the skeleton directory in place, however, we want to move your existing, unencrypted home aside. That way, when you log in with an encrypted home, the original isn’t hidden underneath the mount and we’re able to copy files into your new, encrypted home.

# mv /home/myrealusername /home/myrealusername.orig

Now you want to copy these skeleton files to /home/.ecryptfs/myrealusername and change the ownership:

# REALUSER=myrealusername

# cd /home

# mkdir -m 0700 $REALUSER

# cp -r .ecryptfs/tmpuser .ecryptfs/$REALUSER

# chown -R $REALUSER.$REALUSER .ecryptfs/$REALUSER $REALUSER

# ln -s /home/.ecryptfs/$REALUSER/.Private /home/.ecryptfs/$REALUSER/.ecryptfs $REALUSER/

You also need to edit a mount description file which still refers to ‘tmpuser’:

# sed -i s/tmpuser/$REALUSER/ .ecryptfs/$REALUSER/.ecryptfs/Private.mnt

Just for good measure we’ll copy the two informational symlinks from the skeleton directory. These are handy because if they show up when you’re logged in, you know something went wrong and you’re not accessing your encrypted home dir.

# cp tmpuser/* $REALUSER/

# chown $REALUSER.$REALUSER $REALUSER/*

At this point, you’re ready to log in as myrealusername. Go ahead. I’ll wait.

Got it? You should have a mostly empty home directory. If you have a file named Access-Your-Private-Data.desktop, something went wrong.

If all’s well, copy your original home directory into the new, encrypted home directory. It’s best to do this as root, on the off chance you have some files in your home dir which you don’t own, but want to preserve exactly. You may be tempted to do this as an ‘mv’ if you’re low on disk space. That should work just the same, but it won’t actually unlink the original until *everything* is copied, meaning you still need enough space for two copies of your home dir. In a pinch you could move one subdirectory at a time, which means you don’t need as much spare space.

Note the trailing slashes on the rsync – those are important.

myrealusername$ su

# rsync -av /home/myrealusername.orig/ /home/myrealusername/

Bingo! Your home directory is now encrypted. Once you’re satisfied that everything is there, don’t forget to remove your original, unencrypted home. To be tidy you may want to delete the ‘tmpuser’ account too.

# rm -rf /home/myrealusername.orig

# userdel -r tmpuser
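As an added check that is not part of the original post, the following POSIX sh script verifies the wiring the steps above produce: that .Private and .ecryptfs in the skeleton home are symlinks into /home/.ecryptfs/USER, that Private.mnt names the real user’s home rather than tmpuser’s, and (once logged in) that an ecryptfs mount is actually active. The make_skeleton function is a constructed stand-in for the adduser layout so the check can be exercised offline; the function and usage names are mine.

```sh
#!/bin/sh
# Sanity-check the eCryptfs home wiring described above (added example).
# Usage: sh check_encrypted_home.sh USER [HOME_ROOT]   (HOME_ROOT defaults to /home)

# check_encrypted_home ROOT USER: 0 if the skeleton is wired consistently,
# 1 otherwise, printing each problem found.
check_encrypted_home() {
    root=$1; user=$2; bad=0
    priv="$root/.ecryptfs/$user"
    for d in .Private .ecryptfs; do
        [ -d "$priv/$d" ] || { echo "missing directory $priv/$d"; bad=1; }
        # the skeleton entry must be a symlink to the real directory, not a copy
        if [ "$(readlink "$root/$user/$d" 2>/dev/null)" != "$priv/$d" ]; then
            echo "$root/$user/$d is not a symlink to $priv/$d"; bad=1
        fi
    done
    # Private.mnt must name this user's home; a leftover tmpuser path here
    # means the sed step was skipped and the mount would land in the wrong place
    mnt="$priv/.ecryptfs/Private.mnt"
    if [ "$(cat "$mnt" 2>/dev/null)" != "$root/$user" ]; then
        echo "$mnt does not read $root/$user"; bad=1
    fi
    return $bad
}

# private_mounted ROOT USER: 0 if an ecryptfs mount is active on ROOT/USER.
# Run it while logged in; failure means you are writing to the skeleton.
private_mounted() {
    grep -q "^[^ ]* $1/$2 ecryptfs " /proc/mounts 2>/dev/null
}

# make_skeleton ROOT USER MNTUSER: constructed stand-in for the layout adduser
# --encrypt-home creates (no real eCryptfs), so the check can run offline.
# MNTUSER is the name written into Private.mnt.
make_skeleton() {
    root=$1; user=$2; mntuser=$3
    mkdir -p "$root/.ecryptfs/$user/.Private" "$root/.ecryptfs/$user/.ecryptfs"
    mkdir -p -m 0700 "$root/$user"
    echo "$root/$mntuser" > "$root/.ecryptfs/$user/.ecryptfs/Private.mnt"
    ln -s "$root/.ecryptfs/$user/.Private" "$root/.ecryptfs/$user/.ecryptfs" "$root/$user/"
}

if [ -n "${1:-}" ]; then
    check_encrypted_home "${2:-/home}" "$1" && echo "layout for $1 looks consistent"
fi
```

Run it as root against the real layout with `sh check_encrypted_home.sh myrealusername` before logging in, and call private_mounted after logging in to confirm the decrypted view is mounted.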