Home / ubuntu / Questions / 124174
Accepted
seb
Asked: 2012-04-23 02:20:50 +0800 CST

How do I move my encrypted /home to a new computer?

  • 772

Hi I have a new notebook and I want to move my home data to the new computer.

I think there are multiple ways of doing this

  • copy all to a external hdd and move back on new computer
  • do an Deja-Dup backup and then restore on the new computer
  • rsyc/move to new computer via sshfs
  • ...?

My question is how do I keep the current ecrypt encryption of /home in place and get it working properly on the new computer. How do I have to install the new computer so I can use the encrypted home files from the old?

If I would use Deja-Dup do I need to worry about the ecrypt stuff on the old machine or does the new installation simply enctypt everything new?

encryption home-directory ecryptfs deja-dup transfer

2 Answers

  1. Best Answer

    Great question! I actually do this quite frequently (every few months). To do so, I use rsync to copy all of my /home partition/directory from the OLD machine to the NEW one.

    First, ensure that you have openssh-server and ecryptfs-utils installed and running on the NEW machine.

    sudo apt-get install openssh-server ecryptfs-utils

    You could install your public SSH key in the root user's /root/.ssh/authorized_keys file. But I usually set a root password on the NEW machine.

    sudo passwd

    Also, on the NEW machine, create a new user, who's name and password precisely matches the name and password on the old machine.

    sudo adduser YOURUSER

    Make absolutley sure that YOURUSER is NOT currently logged into either the NEW machine or the OLD machine.

    Now, from the OLD machine, as root, rsync your /home directory from the OLD to the NEW machine:

    sudo rsync -aP /home/ NEW:/home/

    Finally, make absolutely sure that the files on the NEW machine are owned by YOURUSER:

    sudo chown -R /home/.ecryptfs/YOURUSER /home/YOURUSER

    And that should do it! You should be able to login as normal to your NEW machine and read and write your data!

    Full disclosure: I'm the author and maintainer of Ubuntu's Encrypted Home Directory feature.

    • 11

  2. I had to do a similar task recently and I found Dustin's answer very useful.

    My scenario was that I was moving my install from one disk to another. My install has one of its users (lets call her "paranoid") with an encrypted home directory and I wanted to migrate this user so they could login on my new install.

    I go into detail about how I went through this process at the end in an appendix.

    But the bottom line is I got my system to a point where I had an old instal and a new instal both sharing the same /home partition. There is /home/admin which is the home directory of the admin user on my new instal. And there is /home/paranoid which is the home directory of the paranoid user on my old install.

    /home/paranoid is encrypted. It has the following:

    /home/paranoid#ls

    Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop .ecryptfs -> /home/.ecryptfs/paranoid/.ecryptfs

    .kde

    .local

    .Private -> /home/.ecryptfs/paranoid/.Private

    README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

    All the magic of an encrypted home actually happens in a folder named for the user in /home/.ecryptfs/

    In my example:

    /home/.ecryptfs/paranoid# ls -la

    .ecryptfs

    .Private

    All the users actual files are stored encrypted in

    /home/.ecryptfs/paranoid/.Private

    And config data is in

    /home/.ecryptfs/paranoid/.ecryptfs

    It would appear that all you need to do to migrate the user is to engineer a situation where:

    1. The new install has an identically named user with an identical password to the user on the old install.
    2. the /home folder on the new install has a copy of /home/.ecryptfs/paranoid/ and of /home/paranoid/
    3. The files in both these directories are owned by the user paranoid
    4. ecryptfs-utils is installed

    We need 1) to be the case because the files are encrypted in away that is unlocked by the users password. So the password on the new instal needs to be the same so it can decrypt the files.

    We set up 2) so that the directory structure for the user is the same on the new install as it was on the old

    We need 3) to be the case so the user has read and write privileges on the files in their home.

    We need 4) so that the system can do the decryption of the file system files.

    How to achieve this:

    1. while logged on new instal as "admin" and with home mounted from the existing installs home partition rename the /home/paraniod folder to paranoid_old

      sudo mv /home/paranoid folder paranoid_old

    2. rename the /home/.ecryptfs/paranoid to /home/.ecryptfs/paraonoid_old

      sudo mv /home/.ecryptfs/paranoid   /home/.ecryptfs/paraonoid_old

      The above two steps backup the paranoid data so it is not clobered by the step 3

    3. create a new user while logged in on new machine called paranoid with exactly the same password as paranoid has on the old install

      sudo adduser paranoid

    This will now create a new /home/paranoid directory on /home
    4. rename this /home/paranoid directory to /home/paranoid_new

        sudo mv /home/paranoid /home/paranoid_new

    Now bring the backups back:

    1. rename the /home/paranoid_old folder to paranoid

      sudo mv /home/paranoid_old /home/paranoid

    2. rename the /home/.ecryptfs/paranoid_old to /home/.ecryptfs/paranoid

      sudo mv /home/.ecryptfs/paranoid_old    /home/.ecryptfs/paranoid

    3. now make sure our new paranoid user owns the files

      sudo chown paraniod:users -R /home/.ecryptfs/paranoid /home/paranoid

    Step 7) can be necessary because - even though the files in /home/.ecryptfs/paranoid will already be owned by a user called "paranoid" - this is the paranoid user on the existing instal. This user might have a different user number in the /etc/passwd file on the new instal compared to the old instal. And it is the user number that owns the files - not the user name. So until you chown the files while running the new install the files might be owned by the wrong "paranoid". If the paranoid user is a different user number in the old and new installs then after we chown the files the paranoid user will not be able to log on to the old install as they will not have permissions on the files. You can repair this situation by editing the /etc/passwd file on the old instal to give paranoid the same user number as she has on the new instal. Just be sure to not to use a number of an existing user.

    8) install ecryptfs-utils sudo apt-get install ecryptfs-utils

    At this point you should be able to reboot the new instal and log into paranoid's account and see their migrated home files in all their decrypted glory. /home/paranoid_new can be deleted.

    Appendix 1 How I set up the systems: I installed an upgraded Kubuntu version on a new disk while keeping my existing install on another disk. My existing install has the /home on its own partition (/dev/mapper/kubuntu--vg-home_lv) separate from the root. I installed my upgraded kubuntu on my new drive while the other drives were disconnected and created an admin user account ("admin") with a different name to any of the accounts on my existing install. While booted from a live instance of kubuntu I mounted both my old and new disks and copied the [newdirveMountPoint]/home/admin to [oldinstalldriveMountPoint]/home/admin Then I edited the [newdirveMountPoint]/etc/fstab adding a line to make it mount my exiting drive as home 

    /dev/mapper/kubuntu--vg-home_lv /home     ext4    errors=remount-ro 0       1

    Now when I boot my new install as "admin" the /home is reading from the same partition as my old install. So there is now /home/admin which is the home directory of the admin user on my new instal. And there is /home/paranoid which is the home directory of the paranoid user on my old install. My old and new installs are now sharing homes.

    • 0