My home directory is encrypted using eCryptfs (AFAIK). I'm using the Dropbox service running in the background that syncs local files with the cloud. Starting November '18 Dropbox will only support ext4 partitions with LUKS encryption.
I'd like to switch from eCryptfs to LUKS. Here's the output of blkid.
/dev/nvme0n1p6: UUID="b49f5039-2524-4e7a-ba28-96f935367c7e" TYPE="ext4" PARTUUID="9124511d-c89a-4944-b346-c1f30a98801d"
/dev/nvme0n1p7: UUID="e26b7783-5a36-4855-8a30-56bb21e4d310" TYPE="swap" PARTUUID="25ab9b40-5886-4a0a-b631-fced0caa0869"
/dev/mapper/cryptswap1: UUID="f442df5d-5420-48f5-966a-d3d264ab9bfa" TYPE="swap"
I haven't found any articles on how to do that. Is there a safe way to switch between those two encryption types?
EDIT:
/etc/crypttab
cryptswap1 UUID=e26b7783-5a36-4855-8a30-56bb21e4d310 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
ls -l /dev/mapper
crw------- 1 root root 10, 236 Aug 26 11:18 control
lrwxrwxrwx 1 root root 7 Aug 26 11:18 cryptswap1 -> ../dm-0
Find if you have eCryptfs
Open a terminal by pressing Ctrl+Alt+T and enter:
If you see an output like:
Then you have your home folder encrypted by eCryptfs.
Background
LUKS encryption and eCryptfs work differently.
First, eCryptfs encrypts the /home/$USER folder, while LUKS works at the partition level.
Second, the encrypted /home/$USER folder is unlocked when the $USER logs in. The LUKS partition encryption would ask for a passphrase every time you boot the computer. Once the /home partition is unlocked you will be able to log in to your account with your login password as usual. That is, you will need to use two passwords. If your computer has other users, their "Home" folders will be encrypted as well. Thus all users of the computer must know the LUKS passphrase if they need to turn on the computer and use it in your absence. There is a way to save the passphrase in a file and let LUKS automatically unlock the partition at boot time, but that is not safe.
Third, your computer has only one partition / (plus the swap), as is the case with most Ubuntu installations. There is no easy way to LUKS encrypt this single partition installation of Ubuntu. If you want to keep the single partition setup, you may want to back up your data and reinstall Ubuntu. While installing, select the full disk encryption option.
Finally, BACKUP! BACKUP!! BACKUP!!! The steps described below are very very risky. It is likely that you will lose all the data, or your Ubuntu installation will become unbootable.
Step 1: Create a new partition for /home
Step 1.1: Boot from live CD/USB
Use the try Ubuntu without installing option.
Step 1.2: Identify the disks
Open Gparted. I prefer Gparted because it is visual and lets me "see" the drives and partitions. Click on the top right drop down and see the list of drives. Go through the list and identify the drives you want to work with, by their size and partition structure. You want to identify the / partition in your internal hard drive you want to shrink.
Step 1.3: Shrink
Make sure you have selected the internal disk.
Select the / partition you want to shrink.
Drag the right edge of the partition leftward to resize/move to make room for the new /home partition. Create as much room as you want your new /home partition to be.
Press the "Apply" button in Gparted and wait.
If all goes well go to the next step. If you get an error, stop!
Step 1.4 Create New partition
Right click on the unallocated space you created and select new. You will see the "Create New Partition" window. Make sure the file system says "ext4" and you can keep the rest as is.
Press the "Apply" button in Gparted and wait.
If all goes well go to the next step. If you get an error, stop!
Step 1.5 Reboot computer to internal hard disk
Step 2: Encrypt the new partition
Step 2.1 Find the identifying information about the new partition
Open a terminal by pressing Ctrl+Alt+T and enter:
You will be prompted for your password. When you type the password nothing will show on the terminal. This is normal.
Copy and paste the output in a text file. Note the UUID as well as the partition name like /dev/nvme0pX, where X is a number for the new partition.
Step 2.2 LUKS encrypt!
You will be prompted to enter a passphrase. This passphrase will be needed every time you boot the computer to unlock the /home partition. Do not leave it blank.
The next two commands open the encrypted partition and format it to make it ready for data storage.
Step 3 Temporarily mount and copy contents of /home
Create a new folder to make it the temporary mount point of the encrypted partition
Mount the encrypted partition to newhome
Make sure your "Home" folder is accessible. If you have multiple users with encrypted home folders for each of them, make sure the "Home" folders are accessible.
Copy original home to newhome
Make sure all your files are copied to the newhome and you can see them.
Remove the bits of old encryption system copied in the newhome
where username is your username. If you have multiple users in this computer with encrypted "Home" folders, you will have to do this for all users.
Step 4: Setup your newhome as home
Edit the file /etc/crypttab
Add the line below making sure the UUID corresponds to /dev/nvme0pX:
Press Ctrl+X followed by Y and Enter to save and exit nano.
Edit /etc/fstab with nano and add the following line:
Press Ctrl+X followed by Y and Enter to save and exit nano.
Do not reboot your computer yet!
Step 5: Remove the old encrypted home and old encryption program
Note the old /home folder should remain and be empty as this will be used as the mountpoint of the encrypted partition.
Step 6: Reboot
You will be prompted for your home partition passphrase before you can login.
Hope this helps
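Added example (not part of the original answer): a read-only check to run after the Step 4 edits and before the Step 6 reboot. It confirms that the fstab file mounts /home from a mapped device, that the crypttab file defines that mapping by UUID with no key file, and that the UUID belongs to a LUKS container in the blkid output. The mapping name home, the partition name and the UUID in the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for the Step 4 edits.
# Usage: check_home_mapping BLKID_OUTPUT_FILE CRYPTTAB_FILE FSTAB_FILE
# Prints the first problem found and returns 1; returns 0 if consistent.
check_home_mapping() {
    # /home must be mounted from a /dev/mapper/<name> device in fstab.
    dev=$(awk '$1 !~ /^#/ && $2 == "/home" {print $1; exit}' "$3")
    case $dev in
        /dev/mapper/?*) name=${dev#/dev/mapper/} ;;
        '') echo "fstab: no /home entry"; return 1 ;;
        *)  echo "fstab: /home is on $dev, not a mapped device"; return 1 ;;
    esac
    # crypttab must define <name>, by UUID, with no key file ("none").
    entry=$(awk -v n="$name" '$1 == n {print $2, $3; exit}' "$2")
    src=${entry%% *}; key=${entry#* }
    case $src in
        UUID=?*) uuid=${src#UUID=} ;;
        '') echo "crypttab: no entry named $name"; return 1 ;;
        *)  echo "crypttab: $name is not referenced by UUID"; return 1 ;;
    esac
    if [ "$key" != none ]; then
        echo "crypttab: $name unlocks from key source $key"; return 1
    fi
    # The UUID must belong to a LUKS container. The leading space in the
    # pattern keeps PARTUUID="..." from matching.
    line=$(grep -F " UUID=\"$uuid\"" "$1" || true)
    case $line in
        *'TYPE="crypto_LUKS"'*) echo "ok: $name -> $uuid"; return 0 ;;
        '') echo "blkid: UUID $uuid not found"; return 1 ;;
        *)  echo "blkid: UUID $uuid is not a LUKS container"; return 1 ;;
    esac
}

# Constructed sample files (placeholder UUID, hypothetical names).
demo=$(mktemp -d)
u=00000000-1111-2222-3333-444444444444
echo "/dev/nvme0n1p8: UUID=\"$u\" TYPE=\"crypto_LUKS\" PARTUUID=\"x\"" > "$demo/blkid"
echo "home UUID=$u none luks" > "$demo/crypttab"
echo "/dev/mapper/home /home ext4 defaults 0 2" > "$demo/fstab"
check_home_mapping "$demo/blkid" "$demo/crypttab" "$demo/fstab"
```

On a real system, pass a file holding the output of sudo blkid together with /etc/crypttab and /etc/fstab.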