Ubuntu – How to mount an encrypted /home directory on another Ubuntu machine

12.04decryptionecryptfsencryptionusb-drive

I've done something a bit, well, strange. I installed Ubuntu 12.04 directly onto a USB thumb stick, encrypting the /home directory as given the option during the install. The filesystem is btrfs, I believe.

I've now stuck this into my computer running Ubuntu, and I'd like to copy a file onto the USB stick. How can I go about mounting the encrypted home directory so I can copy files to it?

Best Answer

NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private. Make sure to check all answers below.

To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:

First you should insert your stick. If Ubuntu doesn't mount it automatically (It usually does.), you should mount it.

Now you should find a directory called .Private. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private. In this example DISK is the directory where your stick is mounted and USERNAME is the name of the user you entered at installation. If you can't find it yourself open a terminal and enter

sudo find /media -type d -name .Private

I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private.

You need the mount password. This is different from your login pasword. Enter the following command into a terminal:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase

You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.

The password enables you to unlock the directory. You need to do it in two steps:

> sudo ecryptfs-add-passphrase --fnek
Inserted auth tok with sig [123456789abcdef0] into the user session keyring
> sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB

The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private to the directory /media/myUSB. If the latte doesn't exist, you have to create it first:

sudo mkdir /media/myUSB

The mount command will ask again for the login password. Next it will ask for a bunch of stuff.

Accept the default cipher and key size values (aes and 16).
Type n for plaintext passthrough.
Type y for filename encryption.
The last thing is the FileName Encryption Key (FNEK). Look at the output of the ecryptfs-add-passphrase --fnek command you just typed. There are two lines starting with Inserted auth tok …. Insert the value in square brackets of the second output (123456789abcdef0).

Now you can access the files in /media/myUSB and can copy from and to the directory or subdirectories.

A large part of my description is from "Live CD method of opening a encrypted home directory".

Related Solutions

Ubuntu – use ecryptfs for Ubuntu One with an already encrypted home directory

As already stated ecryptfs is not a solution for my problem as my home folder is already encrypted by ecryptfs. Moving the "Ubuntu One" folder out of the home tree isn't a solution either as then the rest of the "Ubuntu One" content isn't encrypted anymore.

I've decided to use EncFS instead. Setting up en encrypted folder is pretty simple. But how to get it mounted automatically so applications can use it to store config files? There are some solutions:

pam_mount
gnome-encfs
autofs
afuse

I don't like idea 1 because I don't want to use the same password for EncFS as my login password.

Solution 2 I don't like on one hand because there's no apt package available for Ubuntu and on the other hand I don't want to have the EncFS folder only mounted just after logging in. If something fails or it the folder gets unmounted every subsequent access will fail.

Solution 3 just doesn't work. I've been using autofs for quite some time to mount CIFS shares and folders through sshfs but EncFS is just not supported. I've played around with several scripts to mount EncFS by autofs but that became too complex and error-prone.

So what I'm currently using is solution 4. Afuse is available as an apt package. Afuse automatically mounts the EncFS folder as soon the folder is accessed and unmounts it again after some idle time.

Here are the quick steps how to set everything up (maybe I add some details in future):

install afuse
create the "Ubuntu One" folder to store the encrypted content

Example:

~/Ubuntu\ One/.encrypted

create a folder as a top folder for afuse to mount folders within

Example:

~/.fuse

create some helper scripts
create an autostart entry in Gnome to launch afuse

The unencrypted EncFS folder gets mounted underneath ~/.fuse. In my case the folder with the unencrypted content is named U1Enc, therefore all data stays in ~/.fuse/U1Enc. For my convenience I created a link from ~/U1Enc to ~/.fuse/U1Enc to get there easier.

The ideas and helper scripts I found on several web sites. Here come the links:

Automounting FUSE filesystems
autofs: encfs over sshfs

I use the following scripts:

~/.afuse-fstab

U1Enc  encfs --ondemand --idle=5 --extpass="/home/xxx/.creds/U1.encfs.sh" /home/xxx/Ubuntu\ One/.encrypted %m

~/.creds/U1.encfs.sh (marked as executable and only accessable by the user themself)

#!/bin/sh
echo PASSWORD_FOR_ENCFS_IN_CLEARTEXT

~/bin/afuse-handler.pl (marked as executable and with ~/bin in $PATH)

#!/usr/bin/perl -w

$fstab="$ENV{HOME}/.afuse-fstab";
$afusedir=$ARGV[0];
$afuse_mountpoint=$ARGV[1];

print "afusedir:$afusedir\n";
print "afuse_mountpoint:$afuse_mountpoint\n";

system("logger -t afuse 1:$ARGV[0] 2:$ARGV[1]");

open(FSTAB, $fstab ) or die("Can not open afuse-fstab at $fstab\n");
while( <FSTAB> ) {
        if( /^$afusedir/ ) {
                s/[^\s\/]+[\s]*//;
                s/%r/$afusedir/g;
                s/%m/$afuse_mountpoint/g;
                chomp;
                $cmd = $_;
                print "$cmd\n";
                system($_) == 0
                        or die "execution of FUSE filesystem failed!\n"
                             . "command:$cmd\n"
                             . "reason:$?\n";
        }
}

and finally ~/bin/afuse.start.sh (marked again as executable) which I registered with Gnome/System/Settings to start afuse after log in

#!/bin/sh
afuse -o mount_template="/home/xxx/bin/afuse-handler.pl %r %m" -o unmount_template="fusermount -u -z %m" ~/.fuse

The last script launches afuse which starts the afuse-handler to mount the EncFS folder underneath ~/.fuse as soon it gets accessed. The afuse.handler itself checks the .afuse-fstab how to mount the folder. The EncFS password is echoed out by U1.encfs.sh so no user intervention is needed (as this file is stored in my home folder it get's encrypted by ecryptfs so I don't see there a big security issue).

Take care of different EncFS versions. On Natty currently EncFS version 1.7.4 gets installed. That doesn't play well with an older 1.6 version on Maverick. I had to update EncFS on Maverick to 1.7.4 as well (done this by pinning apt/preferences).

Ubuntu – Recovering data from Private in an ecryptfs backup when the new home is also encrypted

The best way to recover is by using the ecryptfs-recover-private utility from a LiveISO.

I say that because this will ensure that your recovery happens in a safe, repeatable, read-only environment.

That said, you certainly can run ecryptfs-recover-private on a running system. But I'd strongly recommend that you log out all instances of the user you're trying to recover, and then login as root or some other user.

Best Answer

Related Solutions

Ubuntu – use ecryptfs for Ubuntu One with an already encrypted home directory

Ubuntu – Recovering data from Private in an ecryptfs backup when the new home is also encrypted

Related Question