Ubuntu – How to mount an encrypted /home directory on another Ubuntu machine


I've done something a bit, well, strange. I installed Ubuntu 12.04 directly onto a USB thumb stick, encrypting the /home directory as given the option during the install. The filesystem is btrfs, I believe.

I've now stuck this into my computer running Ubuntu, and I'd like to copy a file onto the USB stick. How can I go about mounting the encrypted home directory so I can copy files to it?

Best Answer

NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private. Make sure to check all answers below.

To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:

First you should insert your stick. If Ubuntu doesn't mount it automatically (It usually does.), you should mount it.

Now you should find a directory called .Private. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private. In this example DISK is the directory where your stick is mounted and USERNAME is the name of the user you entered at installation. If you can't find it yourself open a terminal and enter

sudo find /media -type d -name .Private

I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private.

You need the mount password. This is different from your login pasword. Enter the following command into a terminal:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase

You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.

The password enables you to unlock the directory. You need to do it in two steps:

> sudo ecryptfs-add-passphrase --fnek
Inserted auth tok with sig [123456789abcdef0] into the user session keyring
> sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB

The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private to the directory /media/myUSB. If the latte doesn't exist, you have to create it first:

sudo mkdir /media/myUSB

The mount command will ask again for the login password. Next it will ask for a bunch of stuff.

  • Accept the default cipher and key size values (aes and 16).
  • Type n for plaintext passthrough.
  • Type y for filename encryption.
  • The last thing is the FileName Encryption Key (FNEK). Look at the output of the ecryptfs-add-passphrase --fnek command you just typed. There are two lines starting with Inserted auth tok …. Insert the value in square brackets of the second output (123456789abcdef0).

Now you can access the files in /media/myUSB and can copy from and to the directory or subdirectories.

A large part of my description is from "Live CD method of opening a encrypted home directory".