From the Canyon Edge -- :-Dustin

Tuesday, February 15, 2011

A Long Overdue Introduction: ecryptfs-migrate-home

One of my most popular (by number of hits) posts on eCryptfs is the one on Migrating to An Encrypted Home Directory.  This post contains a lengthy set of instructions which, if followed correctly, allow you to migrate to an encrypted home directory.

About a year ago, Yan Li, an engineer from Intel and the Gnome project, contributed an outstanding script to the eCryptfs project that simplifies this process considerably: ecryptfs-migrate-home.

At this point, I have tested this script thoroughly, and have used it to migrate several friends and family (as well as the rest of my own systems) to encrypted home directories.

The invocation is simple, though it does require root privileges:

 # ecryptfs-migrate-home -u USER

This will set up the encrypted home directory for USER and use rsync to do the migration.  Critically, USER must log in before the next reboot to complete the migration.  USER's randomly generated mount key is temporarily stored in memory until they log in, at which point eCryptfs picks up the key and encrypts it with their mount passphrase.

The usual warnings apply ... Make a complete backup copy of the non-encrypted data to another system or external media, just in case.  Though unlikely, an unforeseen error could somehow result in data loss, or lock you out of your system.  (I haven't seen that happen yet, but beware.)

Here's an example dialog with the utility:

$ sudo ecryptfs-migrate-home -u testuser
INFO:  Checking disk space, this may take a few moments.  Please be patient.
INFO:  Checking for open files in /home/testuser

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

INFO:  Encrypted home has been set up, encrypting files now...this may take a while.

========================================================================
Some Important Notes!

 1. The file encryption appears to have completed successfully, however,
    testuser MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!

 2. If testuser can log in and read and write their files, then the migration is complete,
    and you should remove /home/testuser.W5LaceTJ.
    Otherwise, restore /home/testuser.W5LaceTJ back to /home/testuser.

 3. testuser should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.

 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypted swap space with 'ecryptfs-setup-swap'.
========================================================================
$ sudo login testuser
Password:
$ mount | grep ecryptfs
/home/testuser/.Private on /home/testuser type ecryptfs (ecryptfs_sig=d9256e30b9034083,ecryptfs_fnek_sig=3a2c12c00d60accf,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

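The dialog above leaves the administrator with two things to verify before deleting the /home/testuser.W5LaceTJ backup: that the home directory really is an eCryptfs mount with filename encryption on, and which backup directory the tool left behind. The following script is an added example (not from the original post and not part of ecryptfs-utils) that performs those read-only checks; it assumes the backup directory follows the /home/USER.XXXXXXXX pattern the tool prints, and takes the home base directory as a parameter so it can be exercised against a scratch directory.

```shell
#!/bin/sh
# Post-migration checks for an ecryptfs-migrate-home run. Added example: this is
# not part of the original post or of ecryptfs-utils. It only inspects `mount`
# output and the home base directory; it never removes or restores anything.
# Assumptions: the backup directory follows the /home/USER.XXXXXXXX pattern the
# tool prints (8-character suffix), and the base directory is passed in so the
# functions can be exercised against a temporary directory.

# Constructed sample: the mount line from the dialog above plus an unrelated ext4 line.
SAMPLE_MOUNT='/home/testuser/.Private on /home/testuser type ecryptfs (ecryptfs_sig=d9256e30b9034083,ecryptfs_fnek_sig=3a2c12c00d60accf,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
/dev/sda1 on / type ext4 (rw,errors=remount-ro)'

# ecryptfs_home_line USER MOUNT_OUTPUT
# Prints the mount line for /home/USER when it is an eCryptfs mount; exit 1 otherwise.
ecryptfs_home_line() {
    printf '%s\n' "$2" | grep "^/home/$1/\.Private on /home/$1 type ecryptfs "
}

# ecryptfs_opt LINE NAME
# Prints the value of mount option NAME from the parenthesised option list.
ecryptfs_opt() {
    printf '%s\n' "$1" | sed -n "s/.*[(,]$2=\([^,)]*\).*/\1/p"
}

# check_home_encrypted USER MOUNT_OUTPUT
# Exit 0 when /home/USER is an eCryptfs mount with filename encryption enabled
# (ecryptfs_fnek_sig present), printing the cipher details; exit 1 with a reason otherwise.
check_home_encrypted() {
    line=$(ecryptfs_home_line "$1" "$2") || { echo "/home/$1 is not an eCryptfs mount"; return 1; }
    fnek=$(ecryptfs_opt "$line" ecryptfs_fnek_sig)
    [ -n "$fnek" ] || { echo "/home/$1: filename encryption (fnek) is not enabled"; return 1; }
    echo "/home/$1: cipher=$(ecryptfs_opt "$line" ecryptfs_cipher)" \
         "key_bytes=$(ecryptfs_opt "$line" ecryptfs_key_bytes) fnek_sig=$fnek"
}

# migration_backup_dirs BASE USER
# Lists BASE/USER.XXXXXXXX directories left behind by the migration, one per line,
# so the admin can decide between removing it (migration verified) and restoring it.
migration_backup_dirs() {
    for d in "$1/$2".????????; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Demonstration on the constructed sample; on a real system pass "$(mount)" instead.
check_home_encrypted testuser "$SAMPLE_MOUNT"
```

Run it as the user after the first post-migration login, and only remove the backup directory once check_home_encrypted succeeds and the user's files read and write normally.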

Thanks again, Yan Li.  Enjoy!
:-Dustin