Ubuntu – Install Ubuntu 14.04 LTS with an already existing encrypted home

12.0414.04ecryptfshome-directorymount

The issue is to upgrade a Ubuntu system mounted with an encrypted home (on a seperated partition) which then cannot be decrypted/mounted with the exact same passphrase on a new fresh installed Ubuntu. This question has already been answered but "solved" (?) in a "non-deterministic" way in 602360/345970. I cannot afford keeping reinstalling Ubuntu again and again…

I currently have a Ubuntu 12.04 that I cannot upgrade (via do-release-upgrade) due to package errors. Hence, I decided to make a fresh install of latest LTS Ubuntu 14.04. The system / directory (~50GB) is mounted on sda6 and yet the encrypted home /home is on sda7 (~145GB). I formatted and installed the new Ubuntu on sda6 and specified sda7 to be considered as a mount-point for /home.

After the install asked for a login/password (which I entered as the exact same as previous installs), I tried to log in. However, there appears that Ubuntu cannot decrypt/mount my data and shows the following

Signature not found in user keyring Perhaps try the interactive 'ecryptfs-mount-private'

Morevoer, when I try ecryptfs-mount-private, it asks for the login passphrase which I correctly entered for a dozen times but an error appears claiming that the password is incorrect. I rolled back to Ubuntu 12.04 with a partition backup and checked again that the password was indeed correct.

Hereafter, I discuss related issues that are not relevant to this one or left unanswered:

115497/345970: ecryptfs-mount-private is not an appropriate solution. Even if, my data is correctly decrypted, it requires me to allocate twice + 3/5 of the current home directory space disk to first decrypt and copy and then re-encrypt.
129906/345970: Issue not answered but possibly the same (up to operating system version)
182078/345970: Not related to the question of re-installing an operating system.
286828/345970: Same issue but remained unaswered.
341302/345970: My login passphrase is the same as the UNIX user password. Different issue.
476037/345970: I'm not using LVM. In any case, that question was left unanswered.
485625/345970: I'm not using different user login names.
584656/345970: Same issue. No appropriate answer.
602360/345970: As said earlier, "solved" in a random/non-deterministic way, by re-installing again and again Ubuntu until reaching a match.

Best Answer

It is really simpler than you think. All you have to do is that when installing the Ubuntu, you will see a page in the installation wizard called user settings. There you will fill up your system password and usernames. So down there you can see a check box says Encrypt my Home folder also All you have to do is that to check mark it and proceed as usual. It is easy to do.

Related Solutions

Ubuntu – Recovering data from Private in an ecryptfs backup when the new home is also encrypted

The best way to recover is by using the ecryptfs-recover-private utility from a LiveISO.

I say that because this will ensure that your recovery happens in a safe, repeatable, read-only environment.

That said, you certainly can run ecryptfs-recover-private on a running system. But I'd strongly recommend that you log out all instances of the user you're trying to recover, and then login as root or some other user.

Ubuntu – How to regain access to the encrypted home directory after changing the password

If you're using ecryptfs (it's the standard way to encrypt home folders, so probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd), they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).

ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.

But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.

Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it it with your new user passphrase. Here's a clip from it's man page:

NAME
   ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase, re‐
   wrap it with a new passphrase, and write it back to file.

SYNOPSIS
   ecryptfs-rewrap-passphrase [file]

   printf "%s\n%s" "old wrapping passphrase" "new wrapping  passphrase"  |
   ecryptfs-rewrap-passphrase [file] -

But I'd make a backup copy of any files before running that on them. (ps. you don't need to use the printf... format, it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases).

And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.

See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs

Best Answer

Related Solutions

Ubuntu – Recovering data from Private in an ecryptfs backup when the new home is also encrypted

Ubuntu – How to regain access to the encrypted home directory after changing the password

Related Question