Tuesday, January 11, 2011

Ubuntu 10 remove encryption from home directory

I just installed Ubuntu 10.10 (great choice!). One nice feature that can be enabled at install time is to encrypt your home directory. Full details about this and its usage are in this wiki. Anyway, encrypting the whole home folder introduced very small delays and I decided to keep my home unencrypted, but still have a Private folder there that will be encrypted. The steps to achieve this (if you already have your whole home encrypted):

  • You should not be logged on to the system. One way to do this is to start Ubuntu in recovery mode and choose the root prompt. That will drop you at a # prompt.
  • Your account should not be mounted (and it isn't if you used the root prompt). Btw, when logged in, if you use the 'T' flag with df ( $df -hT ) you can see the type of your home partition as ecryptfs, mounted on /home/username.
  • Create a new folder within your home that can be used later as the new encrypted private folder (mkdir /home/username/Private)
  • chown username.username /home/username/Private
  • Now edit the file /home/.ecryptfs/username/.ecryptfs/Private.mnt so that it contains the new encrypted path (/home/username/Private)
  • Switch from root to username (#su - username)
  • Mount the private encrypted files by running the wrapper script ecryptfs-mount-private. This will prompt for username's password. Now your private encrypted home folder will be mounted under the newly specified path, /home/username/Private
  • Synchronize that with your /home/username: $cd ~/Private; rsync -av ./ /home/username/
  • Exit ( $exit ) the shell where you're logged in as username and #reboot from the root prompt.
  • After the restart, check that all the files are there, in your /home/username, unencrypted.
  • The content of ~/Private can be deleted now. This folder can be further used as storage for encrypted files.
To check that files created in ~/Private are really encrypted:
  • create a secret file there
  • verify (with $df -T) the type of the filesystem mounted under /home/username/Private. It should be ecryptfs.
  • if you log in as another user (or as root at the root prompt from rescue mode) you won't be able to mount it.
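
The mount-type check above and the two preconditions of the migration (home not mounted, Private.mnt pointing at the new path), as a small script. This is an added example, not part of the original post; the function names and the MOUNTS override are assumptions made for illustration, and the Private.mnt location is the one given in the steps.

```shell
#!/bin/sh
# Added example: checks for moving from an encrypted home to ~/Private.
# MOUNTS can be pointed at a saved copy of /proc/mounts for offline checks.
MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the filesystem type mounted at exactly this mount point.
# The last matching entry wins, because a later mount shadows an earlier one.
# Returns 1 and prints nothing when nothing is mounted there.
fstype_at() {
    awk -v mp="$1" '$2 == mp { t = $3 }
                    END { if (t == "") exit 1; print t }' "$MOUNTS"
}

# Succeed only if an ecryptfs filesystem is mounted at the given path.
is_ecryptfs() {
    [ "$(fstype_at "$1")" = "ecryptfs" ]
}

# Pre-flight before running ecryptfs-mount-private as the user:
#   1. /home/<user> must not still be an ecryptfs mount (user logged out)
#   2. Private.mnt must already contain /home/<user>/Private
# The second argument overrides the Private.mnt location (hypothetical
# parameter, useful for testing against a copy of the file).
preflight() {
    user="$1"
    mnt_file="${2:-/home/.ecryptfs/$user/.ecryptfs/Private.mnt}"
    if is_ecryptfs "/home/$user"; then
        echo "/home/$user is still mounted as ecryptfs; log out first"
        return 1
    fi
    if [ "$(cat "$mnt_file" 2>/dev/null)" != "/home/$user/Private" ]; then
        echo "$mnt_file does not point at /home/$user/Private"
        return 1
    fi
    echo "ok"
}
```

Source the file from the root prompt and run preflight username before the su step; after the reboot, is_ecryptfs /home/username/Private should succeed and is_ecryptfs /home/username should fail.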
Very nice thing to make this feature really easy to use and document it
GG! 

1 comment:

  1. This does not work for me. After the reboot I get the following error "Could not update ICEauthority file /home/user/.ICEauthority"
    As I cloned my drive prior to trying this I lost no data but something seems to be wrong with this process. I tried it several times.
    Does the mount need to be changed back to the user prior to rebooting vs the /Private?
