Ecrypfts to LUKS on ext4 partition

encryption dropbox ecryptfs luks
6,067

Find if you have eCryptfs

Open a terminal by pressing Ctrl+Alt+T and enter:

df --type=ecryptfs

If you see an output like:

Filesystem                     1K-blocks Used      Available  Use%   Mounted on
/home/.ecryptfs/$USER/.Private 415321024 214784192 179416628   55%   /home/$USER

Then you have your home folder encrypted by eCryptfs.

Background

LUKS encryption and eCryptfs work differently.

First, eCryptfs encrypts the /home/$USER folder, the LUKS works at the partition level.

Second, the encrypted /home/$USER folder is unlocked when the $USER logs in. The LUKS partition encryption would ask for a passphrase every time you boot the computer. Once the /home partition is unlocked you will be able to login to your account with your login password as usual. That is, you will need to use two passwords. If your computer has other users, their "Home" folders will be encrypted as well. Thus all users of the computer must know the LUKS passphrase if they need to turn on the computer and use it in your absence. There is a way to save the passphrase in a file and let LUKS automatically unlock the partition at boot time, but that is not safe.

Third, your computer has only one partition / (plus the swap), as is the case with most Ubuntu installation. There is no easy way to LUKS encrypt this single partition installation of Ubuntu. If you want to keep the single partition setup, you may want to backup your data and reinstall Ubuntu. While installing, select the full disk encryption option.

Finally, BACKUP! BACKUP!! BACKUP!!! The steps described below are very very risky. It is likely that you will lose all the data, or your Ubuntu installation will become unbootable.

Step 1: Create a new partition for /home

Step 1.1: Boot from live CD/USB

Use the try Ubuntu without installing option.

Step 1.2: Identify the disks

Open Gparted. I prefer Gparted because it is visual and let me "see" the drives and partitions. Click on the top right drop down and see the list of drives. Go through the list and identify the drives you want to work with, by their size and partition structure. You want to identify the / partition in your internal hard drive you want to shrink.

enter image description here

Step 1.3: Shrink

Make sure you have selected the internal disk.

Select the / partition you want to shrink.

Drag the right edge of the partition leftward to resize/move to make room for the new /home partition. Create as much room as you want your new /home partition to be.

Press the "Apply" button in Gparted and wait.

If all goes well go to the next step. If you get an error, stop!

enter image description here

Step 1.4 Create New partition

Right click on the unallocated space you created and select new. You will see the "Create New Partition" window. Make sure the file system says "ext4" and you can keep the rest as is.

enter image description here

Press the "Apply" button in Gparted and wait.

If all goes well go to the next step. If you get an error, stop!

Step 1.5 Reboot computer to internal hard disk

Step 2: Encrypt the new partition

Step 2.1 Find the identifying information about the new partition

Open a terminal by pressing Ctrl+Alt+T and enter:

sudo blkid

You will be prompted for your password. When you type the password nothing will show on the terminal. This is normal.

Copy and paste the output in a text file. Note the UUID as well as the partition name like /dev/nvme0pX, where X is a number for the new partition.

Step 2.2 LUKS encrypt!

sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/nvme0pX

You will be prompted to enter a passphrase. This is passphrase will be needed every time you boot the computer to unlock the /home partition. Do not leave it blank.

The next two commands open the encrypted partition and format it to make it ready for data storage.

sudo cryptsetup luksOpen /dev/nvme0pX home
sudo mkfs.ext4 -m 0 /dev/mapper/home

Step 3 Temporarily mount and copy contents of /home

Create a new folder to make it the temporary mount point of the encrypted partition

sudo mkdir /newhome

Mount the encrypted partition to newhome

sudo mount /dev/mapper/home /newhome

Make sure your "Home" folder is accessible. If you have multiple users with encrypted home folders for each of them, make sure the "Home" folders are accessible.

Copy original home to newhome

sudo cp -a /home/* /newhome

Make sure all your files are copied to the newhome and you can see them.

Remove the bits of old encryption system copied in the newhome

sudo rm -rf /newhome/username/Private /newhome/username/.ecryptfs

where username is your username. If you have multiple users in this computer with encrypted "Home" folders, you will have to do this for all users.

Step 4: Setup your newhome as home

Edit the file /etc/crypttab

sudo nano /etc/crypttab

Add the line below making sure the UUID corresponds to /dev/nvme0pX:

home UUID=AAA-BBB-CCC-DDDD-EEEEEEEE none luks,timeout=30

Press Ctrl+X followd by Y and Enter to save and exit nano.

Edit /etc/fstab with nano

sudo nano /etc/fstab

and add the following line:

/dev/mapper/home  /home ext4 nodev,nosuid,noatime        0       2

Press Ctrl+X followd by Y and Enter to save and exit nano.

Do not reboot your computer yet!

Step 5: Remove the old encrypted home and old encryption program

sudo rm -rf /home/*
sudo apt remove ecryptfs-utils libecryptfs1

Note the old /home folder should remain and be empty as this will be used as the mountpoint of the encrypted partition.

Step 6: Reboot

You will be prompted for your home partition passphrase before you can login.

Hope this helps

Share:
6,067

Related videos on Youtube

tomrozb
Author by

tomrozb

Android, Flutter, GCP, Blockchain

Updated on September 18, 2022

Comments

  • tomrozb
    tomrozb over 1 year

    My home directory is encrypted using Ecrypfts (AFAIK). I'm using dropbox service running in the background that syncs local files with the cloud. Starting November '18 dropbox will only support ext4 partitions with LUKS encryption.

    I'd like to switch from Ecrypfts to LUKS. Here's the output of blkid.

     /dev/nvme0n1p6: UUID="b49f5039-2524-4e7a-ba28-96f935367c7e" TYPE="ext4" PARTUUID="9124511d-c89a-4944-b346-c1f30a98801d"
 /dev/nvme0n1p7: UUID="e26b7783-5a36-4855-8a30-56bb21e4d310" TYPE="swap" PARTUUID="25ab9b40-5886-4a0a-b631-fced0caa0869"
 /dev/mapper/cryptswap1: UUID="f442df5d-5420-48f5-966a-d3d264ab9bfa" TYPE="swap"

    I haven't found any articles how to do that. Is there a safe way to switch between those two encryption types?

    EDIT:

    /etc/crypttab

    cryptswap1 UUID=e26b7783-5a36-4855-8a30-56bb21e4d310 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

    ls -l /dev/mapper

    crw------- 1 root root 10, 236 Aug 26 11:18 control
lrwxrwxrwx 1 root root       7 Aug 26 11:18 cryptswap1 -> ../dm-0
    • tomrozb
      tomrozb over 5 years
      @user68186 I don't think so. How can I check what type of encryption is used?
    • user68186
      user68186 over 5 years
      The last entry of the blkid output tells me you may be using LUKS (or LUKS type) encryption for your swap partition. Please check and post the contents of /etc/crypttab file in your question. It may contain a line (or two) similar to the one I ask to add to this file in my answer. It should the matter if the swap partition is already encrypted. The answer should still work.
    • user68186
      user68186 over 5 years
      Alternately you can use the command ls -l /dev/mapper to list the "mapped" partitions. Note, if there is only one entry named "control" then you don't have any mapped partition.
    • tomrozb
      tomrozb over 5 years
      @user68186 question updated with the outputs. I assume it means it isn't LUKS, because I don't have any mapped partitions
    • user68186
      user68186 over 5 years
      It looks like your swap partition may be encrypted. If so you will see the reference to /dev/mapper/cryptswap1 or it's UUID in the /etc/fstab. That should not affect this change as long as you add to the existing files.
  • tomrozb
    tomrozb over 5 years
    Could you please add info from your removed comments on how to check if I'm really using ecryptfs right now? I haven't had a chance to check that yet. Thank!
  • BlandCorporation
    BlandCorporation over 5 years
    @tomrozb df -T
  • user68186
    user68186 over 5 years
    @tomrozb I have added how to check if you are using eCryptfs. Thanks @BlandCorporation!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Suspend to RAM and encrypted partitions
How to remove LUKS encryption?
"No key available with this passphrase" with a newly-created DM-CRYPT / LUKS partition
How do I move/home folder to a luks encrypted external drive?
Won't boot (drop to busybox) after kernel upgrade (with encrypted disks)
"Guided - use entire disk and set up encrypted LVM" LUKS or plain dm-crypt?
How to recover ecryptfs encrypted data using password after a broken upgrade?
Dual Ubuntu Installations with Whole Disk Encryption
How do I get Grub2 to boot a Truecrypt-encrypted MBR?
LUKS hdd encryption: Maximum maximum password length?