UPDATE (2011-02-15): These manual instructions are no longer required, however, they may prove useful if you need to deviate from the norm. You can now use the ecryptfs-migrate-home command.
Many eCryptfs and Ubuntu Jaunty users have requested instructions on migrating their existing, non-encrypted home directories to an Encrypted-Home setup. I have some instructions for you now!
- Make a complete backup copy of your non-encrypted data to another system or external media. Some of the following instructions are dangerous, could result in data lost, or lock you out of your system! Please read and follow all instructions very carefully.
- Make sure you have sufficient disk space available. To make a full copy, you will need at least 2x the disk usage of your current home directory. Assuming the copy succeeds and you have access to your encrypted data, you can recover some space by deleting the unencrypted data.
du -sh $HOME df -h $HOME
- You must have administrator (sudo) privileges.
- You should install ecryptfs-utils
sudo apt-get install ecryptfs-utils
- These instructions require an empty $HOME/Private directory. If you already have some data in your $HOME/Private directory, please move all of these files and directories out of the way, and follow the instructions in:
Exit all desktop sessions. You need to ensure that there are no other processes on your system reading and/or writing data in your home directory. Perform all of the following instructions by logging in via SSH or at a tty terminal (ctrl-alt-F1).
Login and setup an Encrypted Private directory:
Logout, and log back in and make sure $HOME/Private is mounted.
exit login mount | grep "$USER.*ecryptfs"
Use rsync to copy all data from your home directory to your new Encrypted Private directory. If you have a large home directory, this step might take a very long time. Be very wary of any errors at this point. This is the most essential step in this migration scheme. I usually re-run this step 3 times.
rsync -aP --exclude=.Private --exclude=Private \ --exclude=.ecryptfs $HOME/ $HOME/Private/
Sync to disk, unmount, logout, and log back in.
sync && sync && sync ecryptfs-umount-private exit login
Setup your eCryptfs configuration directory.
ecryptfs-umount-private cd / sudo mkdir -p /home/.ecryptfs/$USER sudo chown $USER:$USER /home/.ecryptfs/$USER mv $HOME/.ecryptfs /home/.ecryptfs/$USER/ mv $HOME/.Private /home/.ecryptfs/$USER/ sudo chmod 700 /home/.ecryptfs/$USER/.Private sudo chmod 700 /home/.ecryptfs/$USER/.ecryptfs
Setup your new, unmounted home directory.
sudo mkdir -p -m 700 /home/$USER.new sudo chown $USER:$USER /home/$USER.new ln -sf /home/.ecryptfs/$USER/.ecryptfs \ /home/$USER.new/.ecryptfs ln -sf /home/.ecryptfs/$USER/.Private \ /home/$USER.new/.Private
Move your old, unencrypted home directory out of the way.
sudo mv $HOME $HOME.old
"Activate" your new, unmounted home directory by renaming it.
sudo mv /home/$USER.new $HOME echo $HOME > $HOME/.ecryptfs/Private.mnt ln -sf \ /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt \ $HOME/README.txt sudo chmod 500 $HOME
Logout, and log back in. Ensure that $HOME is mounted, and that you have a symlink to your configuration directory.
exit login mount | grep "$USER.*ecryptfs" ln -sf /home/.ecryptfs/$USER/.ecryptfs \ /home/$USER/.ecryptfs ln -sf /home/.ecryptfs/$USER/.Private \ /home/$USER/.Private
Check all of your home directory data. Ensure that everything is in order. Once you are completely confident that the migration worked, you can reclaim some disk space by removing your old, non-encrypted data.
sudo rm -rf $HOME.old
If you are a shred-minded-individual, you will need to backup your cleartext data, shred your disk, and reinstall from scratch.