Moving your ecryptfs directory between machines

On Ubuntu there is an option to create an encrypted directory in your home directory: the ciphertext lives in ~/.Private and the decrypted view is mounted at ~/Private. To set this up you need to issue two commands:

 sudo apt-get install ecryptfs-utils
 ecryptfs-setup-private

It asks you for your login passphrase (so the directory can be mounted automatically when you log in) and for a mount passphrase. Log out and log back in again and everything you drop in the Private directory is encrypted and stored in the .Private directory, so that no-one can read your files if, for example, they boot the machine in single-user mode or take the hard disk out. Note that this protection only holds while Private is not mounted: while you are logged in, the decrypted files are visible to root and to any process running as you. So far so good.

But what happens when you move your encrypted files to a different machine? The instructions on this weren't so clear, so I'm just writing down a step-by-step approach to help others who are unsure.

You need to copy two directories from your old machine to your new one: ~/.ecryptfs and ~/.Private. Here's how ecryptfs works: it takes the mount passphrase and encrypts ("wraps") it with your login password. It stores the result in ~/.ecryptfs/wrapped-passphrase, alongside Private.sig (the key signature derived from the mount passphrase) and Private.mnt (the mount point), so that when you log in with your password it can unwrap the key and mount the directory automatically. That is exactly why a plain copy does not work on a machine with a different login password: the wrapped passphrase can no longer be unwrapped.

OK, so to set up your new machine you need a) your old login password, b) your new login password and c) the mount passphrase.

If you don't know the last of these you can recover it from the wrapped copy. Assuming you have put the files in the correct place on your new machine, do this:

 ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

Enter your OLD login password and it will print the mount passphrase. So now we need to run the setup again on the new machine, using the NEW login password and the same MOUNT passphrase. The setup refuses to overwrite an existing configuration unless you pass the --force option, and we'll empty the .Private directory first so the new setup starts from a clean directory. (If you would rather not re-run the setup at all, ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase re-wraps the existing file under the new login password; it asks for the old wrapping passphrase and then the new one.) Here goes.

 mv .Private .PrivateOld
 ecryptfs-setup-private --force
       => Enter your NEW login passphrase, then the MOUNT passphrase recovered above
          (do not leave it blank: a blank answer generates a fresh passphrase that cannot decrypt the old files)
 mv .PrivateOld/* .Private/

Treat --force as destructive: it rewrites ~/.ecryptfs (wrapped-passphrase, Private.sig, Private.mnt), so keep a copy of that directory as well as of .Private. Before moving the files back, check that the new ~/.ecryptfs/Private.sig is identical to the old one: the signature is derived from the mount passphrase, so a different value means you typed a different passphrase and the old files will not decrypt. Note also that the * glob skips names beginning with a dot. Encrypted file names (ECRYPTFS_FNEK_ENCRYPTED.…) never start with one, but if the old setup was made without filename encryption, hidden files are stored under their real names and need moving too.
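The same migration as a script, added here as an example rather than taken from the post or from ecryptfs-utils. It refuses to run while ~/Private is mounted, backs up ~/.ecryptfs before --force rewrites it, compares the old and new Private.sig before touching any data, rolls back on a mismatch, and moves dot-files as well as normally named ones. It assumes the default ~/.ecryptfs and ~/.Private layout and a locally installed ecryptfs-utils; the helper names (move_entries, same_sig, migrate) are the script's own.

```shell
#!/bin/sh
# Added example (not from the post or from ecryptfs-utils): the migration
# steps above with the checks a cautious operator would want. Assumes the
# default ~/.ecryptfs / ~/.Private layout and an installed ecryptfs-utils.

# Move every entry of directory $1 into directory $2, including names that
# start with a dot (a bare "*" glob skips those). Prints the number moved.
move_entries() {
    src=$1; dst=$2; n=0
    for f in "$src"/* "$src"/.[!.]* "$src"/..?*; do
        # an unmatched glob is passed through as a literal string; skip it
        [ -e "$f" ] || [ -L "$f" ] || continue
        mv "$f" "$dst"/
        n=$((n + 1))
    done
    echo "$n"
}

# True when two Private.sig files hold the same key signature. The signature
# is derived from the mount passphrase, so a mismatch after --force means a
# different passphrase was typed and the old ciphertext will not decrypt.
same_sig() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

migrate() {
    home=${HOME:?}
    # never move the lower directory from under a live mount
    if grep -qs " $home/Private ecryptfs " /proc/mounts; then
        echo "~/Private is mounted; run ecryptfs-umount-private first" >&2
        return 1
    fi
    [ -f "$home/.ecryptfs/Private.sig" ] || { echo "copy ~/.ecryptfs from the old machine first" >&2; return 1; }
    [ -d "$home/.Private" ] || { echo "copy ~/.Private from the old machine first" >&2; return 1; }

    cp -a "$home/.ecryptfs" "$home/.ecryptfs.bak"   # --force rewrites this directory
    mv "$home/.Private" "$home/.PrivateOld"
    ecryptfs-setup-private --force                 # NEW login passphrase, OLD mount passphrase

    if ! same_sig "$home/.ecryptfs.bak/Private.sig" "$home/.ecryptfs/Private.sig"; then
        echo "key signature changed: wrong mount passphrase, rolling back" >&2
        rm -rf "$home/.ecryptfs" "$home/.Private"
        mv "$home/.ecryptfs.bak" "$home/.ecryptfs"
        mv "$home/.PrivateOld" "$home/.Private"
        return 1
    fi
    count=$(move_entries "$home/.PrivateOld" "$home/.Private")
    rmdir "$home/.PrivateOld"
    echo "moved $count encrypted entries; log out and back in to mount ~/Private"
}

# Only perform the migration when explicitly asked, so that sourcing the
# file for its helpers, or running it without arguments, changes nothing.
if [ "${1:-}" = "run" ]; then
    migrate
fi
```

Run it as `sh migrate-private.sh run` on the new machine after copying the two directories; the setup command is interactive and will prompt for the passphrases as described above.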

OK, so now you just log out and log in again, and it's all good. You did keep a backup, right? Yes, I thought so.
