Notes on Encrypted /home directory, post install.

I decided to encrypt the /home directory on a notebook, post install, as I was going to take it out of the house. There’s nothing too important on it, but I probably should look after my ssh keys at least! The laptop is a low end Dell, running Mint (based on Ubuntu). It has a slightly odd configuration in that I have the /home partition mounted separately.

OK, so the first thing I did was to copy the big files onto a separate, non-encrypted partition. I did this for two reasons. Firstly the encryption process creates a copy of your home directory which you can roll back to. This means in your /home partition you need enough room for two copies of your home dir. I didn’t. Secondly, the encryption process obviously encrypts each file as it goes. I thought by moving out the large files (Music and Videos directories basically), that this would speed up the encryption process.

Having made room, you need to log out of the account that you wish to encrypt. In my case this was the only account on the machine, so I needed to reboot into recovery mode (effectively becoming root). From instructions on the internet, apparently I then needed to simply run:

/usr/bin/ecryptfs-migrate-home -u username

However things, as they often are, weren’t that simple. First of all I got a message about not being able to find my user directory. Checking mount, I found this was because it wasn’t mounted, so a ‘mount /home’ fixed that. Then a message about not being able to write to /tmp. Then a message about mtab. Finally I put it all together. If you have separate partitions (including the /tmp one), you need to run the commands in this order.

mount -o remount,rw /                   # Remounts root filesystem so mtab can now be used
mount --all                             # Mounts everything needed /tmp, /home etc
/usr/bin/ecryptfs-migrate-home -u username

After whirring for a bit, it finished, but without the DIRE WARNING* that I was expecting about having to login as the user. I’d read this is absolutely vital as your files are encrypted with a temp key. I ran ‘login username’ from the command prompt. Nothing seemed to have happened. So I quit out of the root shell, selected Resume Normal Boot from the menu and when it rebooted logged in as normal. Everything looked OK, except I had to re-setup Dropbox. When I logged out, the /home/username directory was empty with a couple of placeholder files explaining what had happened. The encrypted files are in /home/.ecryptfs/username/.Private with obfuscated filenames. Sweet. The backup directory is in /home/username.U76ahOk7 and can be deleted when you’re convinced its all OK.

A note on filesystem speed.

It did seem a little slower when I logged in, so that’s perhaps the price you pay for security. But its a low end notebook. Here are the results copying a file to encrypted and non-encrypted partitions. You can see its about a third of the speed.

me@notebook:~$ time dd if=/dev/zero of=/non-encrypted-partition/deleteme.dat bs=1024 count=500000
500000+0 records in
500000+0 records out
512000000 bytes (512 MB) copied, 8.21647 s, 62.3 MB/s
real    0m8.764s
user    0m0.633s
sys    0m2.722s
me@notebook:~$ time dd if=/dev/zero of=/encrypted-home-dir/deleteme.dat bs=1024 count=500000
500000+0 records in
500000+0 records out
512000000 bytes (512 MB) copied, 27.4076 s, 18.7 MB/s
real    0m27.749s
user    0m0.709s
sys    0m25.741s

* The DIRE WARNING alluded to above is as follows:
Some Important Notes!

1. The file encryption appears to have completed successfully, however,
MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
TO COMPLETE THE MIGRATION!!!

2. If can log in and read and write their files, then the migration is complete,
and you should remove /home/.xyzeyzy
Otherwise, restore /home/.xyzeyzy back to /home/user.

3.  should also run ‘ecryptfs-unwrap-passphrase’ and record
their randomly generated mount passphrase as soon as possible.

4. To ensure the integrity of all encrypted data on this system, you
should also encrypted swap space with ‘ecryptfs-setup-swap’.

Leave a Comment