About a year ago, Yan Li, an engineer from Intel and the Gnome project, contributed an outstanding script to the eCryptfs project that simplifies this process considerably: ecryptfs-migrate-home.
At this point, I have tested this script thoroughly, and have used it to migrate several friends and family (as well as the rest of my own systems) to encrypted home directories.
The invocation is simple, however it does require root privileges:
# ecryptfs-migrate-home -u USER
This will setup the encrypted home directory for the USER and use rsync to do the migration. Critically important, USER must login before the next reboot to complete the migration. USER's randomly generated mount key is temporarily stored in memory until they login, and eCryptfs picks up the key and encrypts it with their mount passphrase.
The usual warnings apply ... Make a complete backup copy of the non-encrypted data to
another system or external media, just in case. Though unlikely, an unforeseen error could somehow result in data lost, or lock you out of your system. (I haven't seen that yet, though, but beware.)
Here's an example dialog with the utility:
$ sudo ecryptfs-migrate-home -u testuser INFO: Checking disk space, this may take a few moments. Please be patient. INFO: Checking for open files in /home/testuser ************************************************************************ YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION. ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME. ************************************************************************ Done configuring. INFO: Encrypted home has been set up, encrypting files now...this may take a while. ======================================================================== Some Important Notes! 1. The file encryption appears to have completed successfully, however, testuser MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_, TO COMPLETE THE MIGRATION!!! 2. If testuser can log in and read and write their files, then the migration is complete, and you should remove /home/testuser.W5LaceTJ. Otherwise, restore /home/testuser.W5LaceTJ back to /home/testuser. 3. testuser should also run 'ecryptfs-unwrap-passphrase' and record their randomly generated mount passphrase as soon as possible. 4. To ensure the integrity of all encrypted data on this system, you should also encrypted swap space with 'ecryptfs-setup-swap'. ========================================================================
$ sudo login testuser
Password:
$ mount | grep ecryptfs
/home/testuser/.Private on /home/testuser type ecryptfs (ecryptfs_sig=d9256e30b9034083,ecryptfs_fnek_sig=3a2c12c00d60accf,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
Thanks again, Yan Li. Enjoy!
:-Dustin
What's the point of encrypting your home directory, when so much sensitive information gets leaked to /tmp and swap? I feel telling people to encrypt their home directory is giving them a false sense of security.
ReplyDeleteDo we have something special to do when we are using directories synchronised to Ubuntu One?
ReplyDelete@Filmm: The script recommends to use ecryptfs-setup-swap
ReplyDelete"~/.ecryptfs/wrapped-passphrase" was not there on initial login. It needed a reboot to appear. Which was very stressful. That was on Debian Squeeze. So when does wrapped passphrase is created?
ReplyDeleteThe ecryptfs-migrate-home command makes things much easier, but is there an equivalent command to reverse the process for someone who decides they don't want the home folder encrypted any more?
ReplyDeleteRe: so much sensitive information gets leaked to /tmp and swap?
ReplyDeleteHow about using Bleachbit for the first and ' sswap' for the latter?
Would that not be sufficient?
Any comments appreciated.
Does this work without any problems if the user's home directory is on an external drive and mounted at /home?
ReplyDelete> Re: so much sensitive information gets leaked to /tmp and swap?
ReplyDeleteRAM for the notebooks is cheap nowadays - I have 8GB, no swap file, /tmp and /var/tmp mounted on tmpfs...
Wow, about 1 year later...
ReplyDeleteUse cryptswap if you want to keep swap confidential. If you're really worried, encrypt the whole disk with truecrypt.
Hi..
ReplyDeleteI used this script to migrate to an encrypted home directory. However, when I try to login after the script finishes encrypting my home, I get the error "Could not update .ICEAuthority". The permissions to my newly encrypted directory are set to 500. Is this correct? Please help me out. Thank you for your time.
hello
ReplyDeletei thought this script would migrate from an existing encrypted home into another - but it does not.
i am trying to find out how i can use an existing Ubuntu encrypted $HOME in a fresh install of LMDE (LinuxMint Debian Edition).
they seem to use the same packages but have different $HOME structures.
any guidance that you could provide?
thanks,
good work!
ReplyDelete