8

Hi I have a new notebook and I want to move my home data to the new computer.

I think there are multiple ways of doing this

  • copy all to an external HDD and move back on new computer
  • do a Deja-Dup backup and then restore on the new computer
  • rsync/move to new computer via sshfs
  • ...?

My question is how do I keep the current ecrypt encryption of /home in place and get it working properly on the new computer. How do I have to install the new computer so I can use the encrypted home files from the old?

If I would use Deja-Dup do I need to worry about the ecrypt stuff on the old machine or does the new installation simply encrypt everything new?

seb
  • 2,341

2 Answers

11

Great question! I actually do this quite frequently (every few months). To do so, I use rsync to copy all of my /home partition/directory from the OLD machine to the NEW one.

First, ensure that you have openssh-server and ecryptfs-utils installed and running on the NEW machine.

    sudo apt-get install openssh-server ecryptfs-utils

You could install your public SSH key in the root user's /root/.ssh/authorized_keys file. But I usually set a root password on the NEW machine.

    sudo passwd

Also, on the NEW machine, create a new user, whose name and password precisely match the name and password on the old machine.

    sudo adduser YOURUSER

Make absolutely sure that YOURUSER is NOT currently logged into either the NEW machine or the OLD machine.

Now, from the OLD machine, as root, rsync your /home directory from the OLD to the NEW machine:

    sudo rsync -aP /home/ NEW:/home/

Finally, make absolutely sure that the files on the NEW machine are owned by YOURUSER:

    sudo chown -R YOURUSER:YOURUSER /home/.ecryptfs/YOURUSER /home/YOURUSER

And that should do it! You should be able to login as normal to your NEW machine and read and write your data!

Full disclosure: I'm the author and maintainer of Ubuntu's Encrypted Home Directory feature.

Jorge Castro
  • 71,754
  • ok I've used sudo rsync -aP /home/ notebook2:/home/ and it synced about 276000 files over night. Now I have to figure the chown command out... I assume I ssh into the new computer and run it as root@NEWMACHINE – seb May 16 '12 at 08:59
  • 4
    @seb if you are logged in as root on the new computer the chown command should look like this, I think: sudo chown YOURUSER:YOURUSER -R /home/.ecryptfs/YOURUSER /home/YOURUSER – webwurst May 29 '12 at 09:01
0

I had to do a similar task recently and I found Dustin's answer very useful.

My scenario was that I was moving my install from one disk to another. My install has one of its users (let's call her "paranoid") with an encrypted home directory and I wanted to migrate this user so they could log in on my new install.

I go into detail about how I went through this process at the end in an appendix.

But the bottom line is I got my system to a point where I had an old install and a new install both sharing the same /home partition. There is /home/admin which is the home directory of the admin user on my new install. And there is /home/paranoid which is the home directory of the paranoid user on my old install.

/home/paranoid is encrypted. It has the following:

    /home/paranoid# ls
    Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
    .ecryptfs -> /home/.ecryptfs/paranoid/.ecryptfs
    .kde
    .local
    .Private -> /home/.ecryptfs/paranoid/.Private
    README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

All the magic of an encrypted home actually happens in a folder named for the user in /home/.ecryptfs/

In my example:

    /home/.ecryptfs/paranoid# ls -la
    .ecryptfs
    .Private

All the user's actual files are stored encrypted in

    /home/.ecryptfs/paranoid/.Private

And config data is in

    /home/.ecryptfs/paranoid/.ecryptfs

It would appear that all you need to do to migrate the user is to engineer a situation where:

  1. The new install has an identically named user with an identical password to the user on the old install.
  2. The /home folder on the new install has a copy of /home/.ecryptfs/paranoid/ and of /home/paranoid/
  3. The files in both these directories are owned by the user paranoid
  4. ecryptfs-utils is installed

We need 1) to be the case because the files are encrypted in a way that is unlocked by the user's password. So the password on the new install needs to be the same so it can decrypt the files.

We set up 2) so that the directory structure for the user is the same on the new install as it was on the old.

We need 3) to be the case so the user has read and write privileges on the files in their home.

We need 4) so that the system can do the decryption of the file system files.

How to achieve this:

  1. While logged in on the new install as "admin", and with home mounted from the existing install's home partition, rename the /home/paranoid folder to paranoid_old

    sudo mv /home/paranoid /home/paranoid_old

  2. Rename /home/.ecryptfs/paranoid to /home/.ecryptfs/paranoid_old

    sudo mv /home/.ecryptfs/paranoid /home/.ecryptfs/paranoid_old

    The above two steps back up the paranoid data so it is not clobbered by step 3.

  3. Create a new user called paranoid while logged in on the new machine, with exactly the same password as paranoid has on the old install

    sudo adduser paranoid

    This will now create a new /home/paranoid directory on /home.

  4. Rename this /home/paranoid directory to /home/paranoid_new

    sudo mv /home/paranoid /home/paranoid_new

Now bring the backups back:

  5. Rename the /home/paranoid_old folder to paranoid

    sudo mv /home/paranoid_old /home/paranoid

  6. Rename /home/.ecryptfs/paranoid_old to /home/.ecryptfs/paranoid

    sudo mv /home/.ecryptfs/paranoid_old /home/.ecryptfs/paranoid

  7. Now make sure our new paranoid user owns the files

    sudo chown paranoid:users -R /home/.ecryptfs/paranoid /home/paranoid

Step 7) can be necessary because - even though the files in /home/.ecryptfs/paranoid will already be owned by a user called "paranoid" - this is the paranoid user on the existing install. This user might have a different user number in the /etc/passwd file on the new install compared to the old install. And it is the user number that owns the files - not the user name. So until you chown the files while running the new install the files might be owned by the wrong "paranoid". If the paranoid user is a different user number in the old and new installs then after we chown the files the paranoid user will not be able to log on to the old install as they will not have permissions on the files. You can repair this situation by editing the /etc/passwd file on the old install to give paranoid the same user number as she has on the new install. Just be sure not to use a number of an existing user.

8) Install ecryptfs-utils

    sudo apt-get install ecryptfs-utils

At this point you should be able to reboot the new install and log into paranoid's account and see their migrated home files in all their decrypted glory. /home/paranoid_new can be deleted.

Appendix 1: How I set up the systems

I installed an upgraded Kubuntu version on a new disk while keeping my existing install on another disk. My existing install has the /home on its own partition (/dev/mapper/kubuntu--vg-home_lv) separate from the root. I installed my upgraded Kubuntu on my new drive while the other drives were disconnected and created an admin user account ("admin") with a different name to any of the accounts on my existing install.

While booted from a live instance of Kubuntu I mounted both my old and new disks and copied the [newdriveMountPoint]/home/admin to [oldinstalldriveMountPoint]/home/admin. Then I edited the [newdriveMountPoint]/etc/fstab, adding a line to make it mount my existing drive as home

    /dev/mapper/kubuntu--vg-home_lv /home     ext4    errors=remount-ro 0       1

Now when I boot my new install as "admin" the /home is reading from the same partition as my old install. So there is now /home/admin which is the home directory of the admin user on my new install. And there is /home/paranoid which is the home directory of the paranoid user on my old install. My old and new installs are now sharing homes.

ttguy
  • 31
  • 2
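
Added example, not part of either answer: a post-copy check for the directory layout and numeric-uid ownership that both answers rely on (conditions 2 and 3 in the list above), to run on the new install before the first login. The function name `check_ecryptfs_home` and its `ROOT` argument are assumptions made for this sketch; the paths and symlink targets are the ones shown in the `ls` output above.

```shell
#!/bin/sh
# Added example (not from the original answers).
# check_ecryptfs_home ROOT USER UID
#   ROOT : directory that contains home/ ("/" on the live system, or a
#          scratch directory when testing the check itself)
#   UID  : numeric uid that USER has on the NEW install
# Prints one line per problem; the return status is the number of problems.
# Real use, as root:  check_ecryptfs_home / paranoid "$(id -u paranoid)"
check_ecryptfs_home() {
    root=${1%/} user=$2 uid=$3 problems=0
    store="$root/home/.ecryptfs/$user"
    home="$root/home/$user"

    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Both trees must have been copied: encrypted files, config data, and
    # the home directory that holds the symlinks into the store.
    [ -d "$store/.Private" ]  || fail "$store/.Private missing (encrypted files)"
    [ -d "$store/.ecryptfs" ] || fail "$store/.ecryptfs missing (config data)"
    [ -d "$home" ]            || fail "$home missing"

    # The home directory reaches the store through these two symlinks.
    for link in .Private .ecryptfs; do
        [ -L "$home/$link" ] || { fail "$home/$link is not a symlink"; continue; }
        target=$(readlink "$home/$link")
        [ "$target" = "/home/.ecryptfs/$user/$link" ] ||
            fail "$home/$link points to $target"
    done

    # Ownership is recorded as a uid, not a name: report the first entry in
    # each tree that does not belong to the uid used on the new install.
    for dir in "$store" "$home"; do
        [ -d "$dir" ] || continue
        wrong=$(find "$dir" ! -user "$uid" -print | head -n 1)
        [ -z "$wrong" ] || fail "$wrong not owned by uid $uid"
    done

    return "$problems"
}
```

A non-zero status after the copy usually means the `chown` step has not been run yet, or was run with the uid from the old install.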