From the Canyon Edge -- :-Dustin

Wednesday, June 3, 2009

Migrating to an Encrypted Home Directory

UPDATE (2011-02-15): These manual instructions are no longer required; however, they may prove useful if you need to deviate from the norm. You can now use the ecryptfs-migrate-home command.


Many eCryptfs and Ubuntu Jaunty users have requested instructions on migrating their existing, non-encrypted home directories to an Encrypted-Home setup. I have some instructions for you now!


  1. Make a complete backup copy of your non-encrypted data to another system or external media. Some of the following instructions are dangerous and could result in data loss or lock you out of your system! Please read and follow all instructions very carefully.
  2. Make sure you have sufficient disk space available. To make a full copy, you will need at least 2x the disk usage of your current home directory. Assuming the copy succeeds and you have access to your encrypted data, you can recover some space by deleting the unencrypted data.
    du -sh $HOME
    df -h $HOME
  3. You must have administrator (sudo) privileges.
  4. You should install ecryptfs-utils:
    sudo apt-get install ecryptfs-utils

  5. These instructions require an empty $HOME/Private directory. If you already have some data in your $HOME/Private directory, please move all of these files and directories out of the way, and follow the instructions in:
    ecryptfs-setup-private --undo


Exit all desktop sessions. You need to ensure that there are no other processes on your system reading and/or writing data in your home directory. Perform all of the following instructions by logging in via SSH or at a tty terminal (ctrl-alt-F1).

Log in and set up an Encrypted Private directory:

Log out, log back in, and make sure $HOME/Private is mounted.
mount | grep "$USER.*ecryptfs"

Use rsync to copy all data from your home directory to your new Encrypted Private directory. If you have a large home directory, this step might take a very long time. Be very wary of any errors at this point. This is the most essential step in this migration scheme. I usually re-run this step 3 times.
rsync -aP --exclude=.Private --exclude=Private \
--exclude=.ecryptfs $HOME/ $HOME/Private/

Sync to disk, unmount, log out, and log back in.
sync && sync && sync

Set up your eCryptfs configuration directory.
cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo chown $USER:$USER /home/.ecryptfs/$USER
mv $HOME/.ecryptfs /home/.ecryptfs/$USER/
mv $HOME/.Private /home/.ecryptfs/$USER/
sudo chmod 700 /home/.ecryptfs/$USER/.Private
sudo chmod 700 /home/.ecryptfs/$USER/.ecryptfs

Set up your new, unmounted home directory.
sudo mkdir -p -m 700 /home/$
sudo chown $USER:$USER /home/$
ln -sf /home/.ecryptfs/$USER/.ecryptfs \
ln -sf /home/.ecryptfs/$USER/.Private \

Move your old, unencrypted home directory out of the way.
sudo mv $HOME $HOME.old

"Activate" your new, unmounted home directory by renaming it.
sudo mv /home/$ $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
ln -sf \
/usr/share/ecryptfs-utils/ecryptfs-mount-private.txt \
sudo chmod 500 $HOME

Log out, and log back in. Ensure that $HOME is mounted, and that you have a symlink to your configuration directory.
mount | grep "$USER.*ecryptfs"
ln -sf /home/.ecryptfs/$USER/.ecryptfs \
ln -sf /home/.ecryptfs/$USER/.Private \

Check all of your home directory data. Ensure that everything is in order. Once you are completely confident that the migration worked, you can reclaim some disk space by removing your old, non-encrypted data.
sudo rm -rf $HOME.old
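
One way to check the copy by content before deleting the old data, as an added example that is not part of the original instructions. The function names manifest and verify_copy are hypothetical, and the script assumes sha256sum and mktemp from GNU coreutils are installed.

```sh
#!/bin/sh
# Added example: verify that a copied home directory matches the original,
# file by file, before the original is deleted.
# Assumptions: sha256sum and mktemp (GNU coreutils) are installed; the
# function names are hypothetical. Only regular-file contents are compared,
# not ownership, permissions, symlinks or empty directories.

# manifest DIR: print "<sha256>  ./path" for each regular file under DIR,
# skipping the top-level entries that the rsync step excludes.
manifest() (
    cd "$1" || exit 2
    find . \( -path ./.Private -o -path ./Private -o -path ./.ecryptfs \) \
        -prune -o -type f -exec sha256sum {} +
)

# verify_copy SRC DST: 0 = identical, 1 = files missing or different
# (differences printed to stderr), 2 = a tree could not be read.
verify_copy() (
    a=$(mktemp) && b=$(mktemp) || exit 2
    rc=0
    if ! manifest "$1" > "$a" || ! manifest "$2" > "$b"; then
        rc=2
    else
        # Sort by path so both manifests line up regardless of find order.
        LC_ALL=C sort -k 2 -o "$a" "$a"
        LC_ALL=C sort -k 2 -o "$b" "$b"
        # "<" lines exist only in SRC, ">" lines only in DST.
        diff "$a" "$b" >&2 || rc=1
    fi
    rm -f "$a" "$b"
    exit "$rc"
)

# After the rsync step:      verify_copy "$HOME" "$HOME/Private"
# Before removing old data:  verify_copy "$HOME.old" "$HOME"
```

Files that are rewritten at login, such as shell history, can legitimately differ between the old and new trees; anything else reported should be re-copied before the old data is removed.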


If you are a shred-minded individual, you will need to back up your cleartext data, shred your disk, and reinstall from scratch.