From the Canyon Edge -- :-Dustin

Tuesday, February 15, 2011

A Long Overdue Introduction: ecryptfs-migrate-home

One of my most popular (by number hits) posts on eCryptfs is the one on Migrating to An Encrypted Home Directory.  This post contains a lengthy set of instructions when, if followed correctly, allows you to migrate to an encrypted home directory.

About a year ago, Yan Li, an engineer from Intel and the Gnome project, contributed an outstanding script to the eCryptfs project that simplifies this process considerably: ecryptfs-migrate-home.

At this point, I have tested this script thoroughly, and have used it to migrate several friends and family (as well as the rest of my own systems) to encrypted home directories.

The invocation is simple, however it does require root privileges:

 # ecryptfs-migrate-home -u USER

This will setup the encrypted home directory for the USER and use rsync to do the migration.  Critically important, USER must login before the next reboot to complete the migration.  USER's randomly generated mount key is temporarily stored in memory until they login, and eCryptfs picks up the key and encrypts it with their mount passphrase.

The usual warnings apply ... Make a complete backup copy of the non-encrypted data to
another system or external media, just in case.  Though unlikely, an unforeseen error could somehow result in data lost, or lock you out of your system.  (I haven't seen that yet, though, but beware.)

Here's an example dialog with the utility:

$ sudo ecryptfs-migrate-home -u testuser
INFO:  Checking disk space, this may take a few moments.  Please be patient.
INFO:  Checking for open files in /home/testuser

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

INFO:  Encrypted home has been set up, encrypting files now...this may take a while.

========================================================================
Some Important Notes!

 1. The file encryption appears to have completed successfully, however,
    testuser MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!

 2. If testuser can log in and read and write their files, then the migration is complete,
    and you should remove /home/testuser.W5LaceTJ.
    Otherwise, restore /home/testuser.W5LaceTJ back to /home/testuser.

 3. testuser should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.

 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypted swap space with 'ecryptfs-setup-swap'.
========================================================================
 
$ sudo login testuser
Password:
$ mount | grep ecryptfs
/home/testuser/.Private on /home/testuser type ecryptfs (ecryptfs_sig=d9256e30b9034083,ecryptfs_fnek_sig=3a2c12c00d60accf,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)


Thanks again, Yan Li.  Enjoy!
:-Dustin

12 comments:

  1. What's the point of encrypting your home directory, when so much sensitive information gets leaked to /tmp and swap? I feel telling people to encrypt their home directory is giving them a false sense of security.

    ReplyDelete
  2. Do we have something special to do when we are using directories synchronised to Ubuntu One?

    ReplyDelete
  3. @Filmm: The script recommends to use ecryptfs-setup-swap

    ReplyDelete
  4. "~/.ecryptfs/wrapped-passphrase" was not there on initial login. It needed a reboot to appear. Which was very stressful. That was on Debian Squeeze. So when does wrapped passphrase is created?

    ReplyDelete
  5. The ecryptfs-migrate-home command makes things much easier, but is there an equivalent command to reverse the process for someone who decides they don't want the home folder encrypted any more?

    ReplyDelete
  6. Re: so much sensitive information gets leaked to /tmp and swap?

    How about using Bleachbit for the first and ' sswap' for the latter?

    Would that not be sufficient?
    Any comments appreciated.

    ReplyDelete
  7. Does this work without any problems if the user's home directory is on an external drive and mounted at /home?

    ReplyDelete
  8. > Re: so much sensitive information gets leaked to /tmp and swap?

    RAM for the notebooks is cheap nowadays - I have 8GB, no swap file, /tmp and /var/tmp mounted on tmpfs...

    ReplyDelete
  9. Wow, about 1 year later...

    Use cryptswap if you want to keep swap confidential. If you're really worried, encrypt the whole disk with truecrypt.

    ReplyDelete
  10. Hi..
    I used this script to migrate to an encrypted home directory. However, when I try to login after the script finishes encrypting my home, I get the error "Could not update .ICEAuthority". The permissions to my newly encrypted directory are set to 500. Is this correct? Please help me out. Thank you for your time.

    ReplyDelete
  11. hello

    i thought this script would migrate from an existing encrypted home into another - but it does not.

    i am trying to find out how i can use an existing Ubuntu encrypted $HOME in a fresh install of LMDE (LinuxMint Debian Edition).

    they seem to use the same packages but have different $HOME structures.

    any guidance that you could provide?

    thanks,

    ReplyDelete

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin

Printfriendly