How do I mount an encrypted /home directory on another Ubuntu machine?
You can use ecryptfs-recover-private
.
ecryptfs-recover-private /media/<UUID>/home/.ecryptfs/<USERNAME>/.Private
It will promt for the mount password, unlock the wrapped-passphrase and mount the directory in read only mode under /tmp/
with just single command. Use the flag --rw
to mount the encrypted filesystem as read and write.
You can check the man page for more information.
NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private
. Make sure to check all answers below.
To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:
First you should insert your stick. If Ubuntu doesn't mount it automatically (It usually does.), you should mount it.
Now you should find a directory called .Private
. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private
. In this example DISK
is the directory where your stick is mounted and USERNAME
is the name of the user you entered at installation. If you can't find it yourself open a terminal and enter
sudo find /media -type d -name .Private
I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private
.
You need the mount password. This is different from your login pasword. Enter the following command into a terminal:
ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase
You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.
The password enables you to unlock the directory. You need to do it in two steps:
> sudo ecryptfs-add-passphrase --fnek
Inserted auth tok with sig [123456789abcdef0] into the user session keyring
> sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB
The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private
to the directory /media/myUSB
. If the latte doesn't exist, you have to create it first:
sudo mkdir /media/myUSB
The mount
command will ask again for the login password. Next it will ask for a bunch of stuff.
- Accept the default cipher and key size values (
aes
and16
). - Type
n
for plaintext passthrough. - Type
y
for filename encryption. - The last thing is the FileName Encryption Key (FNEK). Look at the output of the
ecryptfs-add-passphrase --fnek
command you just typed. There are two lines starting withInserted auth tok …
. Insert the value in square brackets of the second output (123456789abcdef0
).
Now you can access the files in /media/myUSB
and can copy from and to the directory or subdirectories.
A large part of my description is from "Live CD method of opening a encrypted home directory".
I had similar problem and ended here. I was migrating my system to another hard drive and have the same user with encrypted home on both old and new system.
I tried
ecryptfs-recover-private /media/old_disk/home/my_name/.Private
but that directory was in fact symbolic link to
/home/.ecryptfs/my_name/.Private/
The target directory existed, but pointed to .Private on my new disk.
Correct command should be:
ecryptfs-recover-private /media/old_disk/home/.ecryptfs/my_name/.Private
maybe ecryptfs-recover-private should display warning if it detects this pattern. It looks like common mistake.