Steps to upgrade from a Private folder to a fully-encrypted Home folder

Asked by Aaron Whitehouse

Hello,

I'm wanting to upgrade my system from 9.10 with a Private (ecryptfs) directory to 10.04 with a completely encrypted home directory. I would rather not copy everything in my Private directory to somewhere else and back again, so I'm hoping to do the following:
(1) rename my existing home directory;
(2) install 10.04 and choose the "encrypt entire home directory" option;
(3) mount my previous (9.10) ecryptfs Private folder in my 10.04 install; and
(4) copy everything across.

Firstly, will this work? Secondly, is there anything that I need to keep aside from the 9.10 .ecryptfs folder? Finally, what specifically do I need to do to do (3)?

Thanks in advance -- it would be great to get your thoughts soon so that I can know before I do the upgrade (and don't lose anything necessary)!

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: Aaron Whitehouse

Aaron Whitehouse (aaron-whitehouse) said :
#1

http://linux.die.net/man/8/mount.ecryptfs doesn't say what you need in order to mount the folder and http://ecryptfs.sourceforge.net/ecryptfs-faq.html did not answer my question.

Aaron Whitehouse (aaron-whitehouse) said :
#2

https://help.ubuntu.com/community/EncryptedPrivateDirectory#Recovering%20Your%20Data%20Manually and
https://help.ubuntu.com/community/EncryptedPrivateDirectory#Recovering%20Your%20Mount%20Passphrase
sound like they should get me there, but it would be great if somebody could please confirm that this should work without me keeping any other files.

Dustin Kirkland  (kirkland) said :
#3
Aaron Whitehouse (aaron-whitehouse) said :
#4

Thanks Dustin.

I ended up doing the following (before I received your reply):

$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Passphrase: [login password]
5c3b1399817e91f9885ab270e0901b37

$ sudo mv aaron aaron_old

[Install new setup with fully-encrypted Home]

$ sudo ecryptfs-add-passphrase --fnek
[sudo] password for aaron:
Passphrase: 5c3b1399817e91f9885ab270e0901b37
Inserted auth tok with sig [71eef11283bac350] into the user session keyring
Inserted auth tok with sig [af4d27e1d68c70f8] into the user session keyring

$ sudo mount -t ecryptfs /home/aaron_old/.Private /home/aaron_old/Private
Passphrase: 5c3b1399817e91f9885ab270e0901b37
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [71eef11283bac350]: af4d27e1d68c70f8
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=af4d27e1d68c70f8
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=71eef11283bac350
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [71eef11283bac350] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

[Copy over all the files]

$ sudo umount /home/aaron_old/Private

Thanks for your help!
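
An added example, not part of the original post or of the eCryptfs tools: in the session above the mount helper offered the first signature as the default FNEK signature, and the second one had to be typed in by hand. This sketch reads the two signatures from the `ecryptfs-add-passphrase --fnek` output and assembles the same option list the helper printed. The function names are hypothetical and the sample output is constructed from the session above.

```shell
#!/bin/sh
# Added example: derive eCryptfs mount options from the output of
# `ecryptfs-add-passphrase --fnek` instead of retyping signatures.

# Constructed sample input, in the shape shown in the session above.
SAMPLE_OUTPUT='Inserted auth tok with sig [71eef11283bac350] into the user session keyring
Inserted auth tok with sig [af4d27e1d68c70f8] into the user session keyring'

# Print each key signature (16 hex digits inside [...]), one per line,
# in the order the tool reported them.
extract_sigs() {
    printf '%s\n' "$1" |
        sed -n 's/^Inserted auth tok with sig \[\([0-9a-f]\{16\}\)].*$/\1/p'
}

# Build the -o option string. As in the session above, the first
# signature is used as ecryptfs_sig (file contents) and the second as
# ecryptfs_fnek_sig (filenames).
# Arguments: tool output, cipher name, key size in bytes.
build_mount_opts() {
    sigs=$(extract_sigs "$1")
    count=$(printf '%s\n' "$sigs" | grep -c . || true)
    if [ "$count" -ne 2 ]; then
        # Without --fnek only one signature is reported; refuse to guess.
        echo "expected 2 signatures, found $count" >&2
        return 1
    fi
    sig=$(printf '%s\n' "$sigs" | sed -n 1p)
    fnek=$(printf '%s\n' "$sigs" | sed -n 2p)
    printf 'ecryptfs_unlink_sigs,ecryptfs_fnek_sig=%s,ecryptfs_key_bytes=%s,ecryptfs_cipher=%s,ecryptfs_sig=%s\n' \
        "$fnek" "$3" "$2" "$sig"
}

# Show the resulting command for review; nothing is mounted here.
opts=$(build_mount_opts "$SAMPLE_OUTPUT" aes 16)
echo "sudo mount -t ecryptfs -o $opts /home/aaron_old/.Private /home/aaron_old/Private"
```

The option string covers only the options listed in the session above, so the mount helper will still prompt for anything not given, such as the passphrase.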