Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

How can users protect themselves from the loss of important data when a computer goes missing? Well, the latest release of Ubuntu makes this not only possible, but frighteningly easy!

When the user logs into their Ubuntu 9.10 system with an Encrypted Home Directory, their system password is used to decrypt a strong, randomly generated mount passphrase. This design allows them to change their system password, while eCryptfs simply re-wraps the mount passphrase without needing to re-encrypt all of the home directory contents.

The decrypted mount passphrase is then hashed using SHA-512 (Secure Hashing Algorithm) to generate the fekek and fnek. These two keys are then loaded into the user’s session keyring. The Linux kernel uses the fnek to encrypt and decrypt file and directory names. The kernel then applies the fekek to file headers in order to extract and insert each file’s unique fek. Finally, the kernel uses the fek to encrypt and decrypt file contents. While eCryptfs supports several of the cryptographic ciphers available in the Linux kernel, Ubuntu setups use AES-128 (Advanced Encryption Standard) by default.

The additional CPU time required to handle this encryption and decryption is often less than the obligatory I/O (input/output) latency of modern hard disk and solid state drives. In some performance testing, the impact of Encrypted Private Directories was less than 2% for common workloads. This is generally not noticeable at run time, but might add roughly a second or so to the login process while setting up the encrypted mount point.

Ubuntu 9.10 Desktop Installation

At step 6 of 8 in of the Ubuntu installer dialogue, there will be a new third radio button offering an option to “Require a password to log in and decrypt your home folder”.


Ubuntu 9.10 Server and Alternate Installations

In the curses based Ubuntu Server and Alternate installers, an informative prompt will offer home directory encryption to the installing user:


Ubuntu 9.10 Post Installation

It is absolutely critical that users immediately install all Ubuntu security updates following an installation, and keep your system up to date!

It is also essential that the user records their randomly generated mount passphrase. Write it down, print it out, escrow it to a trusted server or service, store in your safety deposit box. This key, rather than your system log in password, is absolutely required if you need to restore your data from backup or migrate your data elsewhere.

On the first boot of a new Ubuntu Desktop installation, the user will be prompted to record their mount passphrase.


On Ubuntu Server installations without a graphical interface, users will need to manually extract and record their mount passphrase using the following command:

ecryptfs-unwrap-passphrase $HOME/wrapped-passphrase

Ubuntu 9.10 Running Systems

New users can be added to running Ubuntu 9.10 systems, with an Encrypted Home Directory, by using the following command:

sudo adduser –encrypt-home foo

Ubuntu 9.10 Live Migration to an Encrypted Home Directory

In most cases, it is possible to convert an existing user’s home directory to an Encrypted Home Directory.

To be safe, a complete backup copy of the presently non-encrypted data should first be made to another system or external media. It is possible that the migration process might result in data loss or lock the user out of the system, if things go wrong.

Ensure that there is sufficient disk space available to perform the backup. To make a full copy, aim for a little more than double the current disk usage of the home directory. Assuming the copy and encryption succeeds with complete access to the now encrypted data, you can later recover that space by deleting the backed up unencrypted data.

Check the usage of the home directory via the following commands:

du -sh $HOME
df -h $HOME

These instructions require administrator (sudo) access. Also, any existing $HOME/Private directory must be empty. If there is already some data in the $HOME/Private directory, move all of these files and directories out of the way and then follow the instructions displayed after running:

ecryptfs-setup-private --undo

Exit all desktop sessions. Ensure that there are no other processes on the system reading and/or writing data to that specific home directory. Perform all of the following instructions by logging in as the user through SSH (Secure Shell) or at a TTY terminal (Ctrl-Alt-F1):


Next, log out and log back in to ensure that $HOME/Private is mounted:

mount | grep "$USER.*ecryptfs"

The result of that mount command should display the mounted directory. Next, use a tool such as rsync to copy all the data from the home directory to the new Encrypted Private Directory. If the home directory is large, this step might take a long time. Be very wary of any errors at this point. This is the most essential step in these instructions as all data must come across correctly. It is a good idea to re-run this rsync command a few times:

rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs \
$HOME/ $HOME/Private/

Synchronize the changes to disk, unmount, log out:


Now, log back in and setup the eCryptfs configuration directory:

cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo mv $HOME/.ecryptfs /home/.ecryptfs/$USER

Setup the new, unmounted home directory:

sudo mkdir -p -m 700 /home/$USER.new
sudo chown $USER:$USER /home/$USER.new
sudo mv $HOME/.Private /home/.ecryptfs/$USER
sudo ln -s /home/.ecryptfs/$USER/.ecryptfs /home/$USER.new/.ecryptfs

Move the backup of the old, unencrypted home directory out of the way:

sudo mv $HOME $HOME.old

“Activate” the new, unmounted home directory by renaming it:

sudo mv /home/$USER.new $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
sudo ln -s /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt \
sudo chmod 500 $HOME

Logout, and log back in. Ensure that $HOME is mounted, and that there is a symbolic link to the configuration directory:

mount | grep "$USER.*ecryptfs"
ln -s /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs

Carefully check all of the home directory data, ensuring that everything is in order. Once you are completely confident that the migration worked, reclaim some disk space by removing the backup of the old, non-encrypted data:

rm -rf $HOME.old

If any of the above steps fail, installing Ubuntu 9.10 from scratch and enabling the Encrypted Home Directory option might be easiest. Then afterwards, simple copy the data from the unencrypted backup into the new user’s home (make sure that the backup is on external media, or if not, then ensure that the partition containing it is not formatted during installation!).

Remote Backups of Encrypted Data

Limitless network data storage is among the prominent features of Cloud Computing services, such as Ubuntu One. Data privacy in the Cloud, however, is a concern of many Cloud customers. eCryptfs provides an interesting advantage to Cloud storage users. Encrypted Home Directory users can conveniently and incrementally synchronize the encrypted contents of their $HOME/.Private directory to remote storage and rest assured that no other user, intruder, or even administrator of the remote Cloud storage can access the decrypted contents.

Data Recovery

Comments on "Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy"

Here is an excellent Blog You might Find Fascinating that we encourage you to visit.

It is usually a statement or two identifying why the project is being created. This is where dating advice tips can come in handy.How to Become Successful: The Four Blueprint Success Questions.Here is my web-site – best weight loss Plan

Check beneath, are some totally unrelated sites to ours, however, they’re most trustworthy sources that we use.

Below you will uncover the link to some sites that we believe you ought to visit.

Usually posts some quite interesting stuff like this. If you?re new to this site.

Very couple of web sites that transpire to be comprehensive below, from our point of view are undoubtedly nicely worth checking out.

Here are some of the internet sites we recommend for our visitors.

Although sites we backlink to beneath are considerably not associated to ours, we really feel they’re basically really worth a go via, so possess a look.

That will be the finish of this report. Right here you?ll find some web sites that we assume you?ll enjoy, just click the links.

The time to study or stop by the content material or sites we’ve linked to beneath.

Below you?ll discover the link to some web sites that we feel you ought to visit.

We came across a cool website that you may well get pleasure from. Take a search in the event you want.

Every once inside a while we choose blogs that we study. Listed below are the most current sites that we pick.

We like to honor a lot of other online internet sites on the web, even though they aren?t linked to us, by linking to them. Underneath are some webpages worth checking out.

One of our guests recently recommended the following website.

Just beneath, are a lot of completely not connected web-sites to ours, even so, they may be surely worth going over.

Please check out the sites we follow, like this one, because it represents our picks through the web.

We came across a cool web page that you just could possibly love. Take a appear in the event you want.

Here are a number of the internet sites we recommend for our visitors.

Had so much trouble with our previous SEO company we hired,been reading up on it in my spare time and next time I will employ someone in-house to do itDo you participate in any social sites?

One of our visitors not long ago advised the following website.

Below you will locate the link to some internet sites that we feel you’ll want to visit.

Usually posts some extremely intriguing stuff like this. If you?re new to this site.

Here are several of the sites we recommend for our visitors.

Below you will locate the link to some websites that we assume you should visit.

We came across a cool web page that you may well get pleasure from. Take a appear when you want.

The facts mentioned within the article are several of the ideal offered.

That could be the end of this post. Here you will come across some internet sites that we feel you will value, just click the hyperlinks.

Wonderful story, reckoned we could combine a few unrelated data, nonetheless genuinely really worth taking a search, whoa did 1 understand about Mid East has got extra problerms also.

Always a significant fan of linking to bloggers that I enjoy but do not get a lot of link love from.

The time to read or pay a visit to the subject material or internet sites we’ve linked to beneath.

Every once in a when we opt for blogs that we read. Listed beneath are the most current websites that we decide on.

Here is a good Blog You might Discover Interesting that we encourage you to visit.

The info talked about within the write-up are some of the top available.

We came across a cool site that you may possibly take pleasure in. Take a appear when you want.

I truly appreciate this blog.Thanks Again. Cool.

Leave a Reply