From the Canyon Edge -- :-Dustin

Thursday, August 6, 2009

Moving your Encrypted Home Meta Data out of /var/lib/ecryptfs

In the spirit of the FHS, Encrypted Home Directories in Ubuntu 9.04 stored certain configuration information about your Encrypted Home setup in /var/lib/ecryptfs.
However "correct" this location might be, it has caused considerable pain to a number of users, mostly because people generally don't back up /var/lib. That said, it is entirely possible to regenerate all of the information in your /var/lib/ecryptfs directory if you recorded your all-important mount passphrase.

In any case, this is not the most user-friendly place to store this information.

Thus, in Karmic, we are using /home/.ecryptfs instead of /var/lib/ecryptfs. Each user encrypting their home directory will have a directory in /home/.ecryptfs/$USER which will contain the "real" .ecryptfs and .Private directories.

This provides a couple of advantages.

First, your /home directory is completely self-contained. You can back up that entire hierarchy and save all of the data necessary (excepting your secret passphrase, of course). Actually, many users make /home a separate partition.

Secondly, having access to /home/.ecryptfs/$USER/.Private means that you can much more easily perform backups of your encrypted data. This feature has been requested many, many times.

You can actually take advantage of this same configuration in Ubuntu 9.04, if you follow the guide below. I recommend doing so ;-)

As always, you should log out of all desktop sessions, and perform these instructions from a tty terminal, or an ssh session.

#!/bin/sh -e

# Move out of your home directory
cd /

# If your encrypted home is not mounted, try to mount it
grep -qs " $HOME ecryptfs " /proc/mounts || ecryptfs-mount-private

# With root privilege, create a /home/.ecryptfs/$USER directory
sudo mkdir -p /home/.ecryptfs/$USER

# Make sure $USER owns that
sudo chown $USER:$USER /home/.ecryptfs/$USER

# Rename your /var/lib/ecryptfs/$USER dir to the new location
sudo mv -f /var/lib/ecryptfs/$USER /home/.ecryptfs/$USER/.ecryptfs

# Remove the two symlinks in your mounted home, to .ecryptfs and .Private
rm -f $HOME/.ecryptfs $HOME/.Private

# Establish links to these two dirs
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Unmount home
# Unmount home; ecryptfs-umount-private refuses while another session
# still holds it open, so keep retrying until the unmount succeeds
while ecryptfs-umount-private | grep "Sessions still open"; do
	sleep 1
done

# Make your unmounted home writable (briefly)
sudo chmod 700 $HOME

# Move the *real* .Private directory to the new location
mv -f $HOME/.Private /home/.ecryptfs/$USER/

# Remove the .ecryptfs and .Private links
rm -f $HOME/.ecryptfs $HOME/.Private

# Re-establish the .ecryptfs and .Private links
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Mount your home directory again
ecryptfs-mount-private
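Once the migration above has run, it is worth confirming that every piece landed where the Karmic layout expects it before you rely on the new location for backups. The following check script is an added example, not part of the original post or of ecryptfs-utils; it assumes the per-user metadata directory holds the files ecryptfs-utils writes there (wrapped-passphrase, Private.sig, Private.mnt), which the post itself does not name, and the user "alice" in the usage line is a placeholder. Because the migration leaves the same two symlinks in both the mounted and the unmounted home, the check works in either state.

```shell
#!/bin/sh
# Added example (not from the original post): verify that one user's
# Encrypted Home metadata is laid out the Karmic way after the migration.
#
# Usage: sh check-ecryptfs-layout.sh /home/alice /home/.ecryptfs/alice
#
# Assumed file names (from ecryptfs-utils, not named on the page):
#   wrapped-passphrase, Private.sig, Private.mnt under META_DIR/.ecryptfs

# check_ecryptfs_layout HOME_DIR META_DIR
# Prints one line per problem found and returns 0 only if everything
# is in place. Safe to run whether or not the home is currently mounted.
check_ecryptfs_layout() {
    cel_home="$1"
    cel_meta="$2"
    cel_rc=0

    # The two real directories must live under /home/.ecryptfs/$USER
    for cel_d in "$cel_meta/.ecryptfs" "$cel_meta/.Private"; do
        if [ ! -d "$cel_d" ]; then
            echo "missing directory: $cel_d"
            cel_rc=1
        fi
    done

    # Metadata needed to unwrap the mount passphrase and mount .Private
    for cel_f in wrapped-passphrase Private.sig Private.mnt; do
        if [ ! -f "$cel_meta/.ecryptfs/$cel_f" ]; then
            echo "missing metadata file: $cel_meta/.ecryptfs/$cel_f"
            cel_rc=1
        fi
    done

    # The wrapped passphrase is protected only by the login passphrase;
    # nobody else on the system should be able to read the file.
    cel_wp="$cel_meta/.ecryptfs/wrapped-passphrase"
    if [ -f "$cel_wp" ]; then
        # GNU stat first, BSD stat as a fallback
        cel_mode=$(stat -c '%a' "$cel_wp" 2>/dev/null || stat -f '%Lp' "$cel_wp")
        case "$cel_mode" in
            600|400) ;;
            *) echo "wrapped-passphrase mode is $cel_mode, expected 600"; cel_rc=1 ;;
        esac
    fi

    # $HOME/.ecryptfs and $HOME/.Private must be symlinks to the new location,
    # exactly as the two ln -sf lines of the migration create them
    for cel_n in .ecryptfs .Private; do
        cel_link="$cel_home/$cel_n"
        if [ ! -L "$cel_link" ]; then
            echo "not a symlink: $cel_link"
            cel_rc=1
        elif [ "$(readlink "$cel_link")" != "$cel_meta/$cel_n" ]; then
            echo "wrong target: $cel_link -> $(readlink "$cel_link")"
            cel_rc=1
        fi
    done

    return $cel_rc
}

# Run the check when invoked directly with the two directories as arguments.
if [ "$#" -eq 2 ]; then
    check_ecryptfs_layout "$1" "$2" && echo "layout OK"
fi
```

Run it twice: once right after the migration while your home is still unmounted, and once more after logging back in, so that both copies of the symlinks are covered. A non-zero exit with a "missing metadata file" line means the /var/lib/ecryptfs/$USER rename did not happen, which is exactly the situation in which you would need your recorded mount passphrase to rebuild the metadata.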



  1. Great. This is a real improvement! Thanks for this.

  2. Hi Dustin, thanks for this post.
    Could you please explain the above block of commands for Ubuntu 9.04 users a bit? More specifically, I do not have a ~/.Private as long as my encrypted home folder is mounted. So some of the commands will not do anything. Is this okay?
    Sorry for being chicken-hearted, but I do not want to break my by now perfect setup.
    Thanks again, Kevin.

  3. @Kevin-

    Done. See inline comments.


  4. Great, thanks! I nearly got it. Still, there is no $HOME/.Private in my encrypted home while mounted. Should it be there? (I installed my 9.04 with the "encrypt home folder flag" enabled in the installer as you show in an earlier post. Everything worked fine for months now...)
    Regards, Kevin.

  5. After running ecryptfs-setup-private I found I had to run "pam-auth-update --force" to get ecryptfs to automount (to get it into the /etc/pam.d/* config files).

    Running pam-auth-update by itself complained that there were local modifications to /etc/pam.d/common-* so I had to use --force ... I can't quite remember but I may have been monkeying around with pam.d trying to get my finger print reader to work a long time ago...

  6. Hi Dustin, I have been playing around with my Ubuntu setup and did some init.d scripting ... and this is where my problem with ecryptfs pops up.

    I loaded /bin /sbin /etc /var /lib /lib32 into a
    ramdisk (tmpfs), then I squashed my /usr and loaded that into a ramdisk too and also used aufs to make it writable. The init script kicks in right after "mounting local filesystems" (update-rc.d start 35 S .). This all works very nicely ... if I shut down my PC everything is synched to disk....

    Then I started to do what I did to my /usr dir to my /home dir too ... everything works but my /home directory is still encrypted and I can't decrypt it anymore. Even if I do the steps in ecryptfs-mount-private manually. There is no error message which could give me a hint. So maybe you can help me here a bit...

    Thanks in advance ... chriss

  7. Chriss-

    I'm sorry, but blog comments are not the most efficient mechanism for troubleshooting this sort of problem. For better support, please ask a question or file a bug in Launchpad, or ask for some help in the Ubuntu Forums.


  8. It's quite interesting information. Thanks for the valuable information.


Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.