
In this article, we will delve into the process of mounting an encrypted /home directory on another Ubuntu machine. This can be a useful skill to have, especially if you need to recover files from a system that can no longer boot.
To mount an encrypted /home directory on another Ubuntu machine, you need to locate the .Private directory, unwrap the passphrase, add the passphrase to the kernel keyring, and then mount the encrypted directory using the appropriate command.
Prerequisites
Before we start, make sure you have the following:
- A running Ubuntu machine
- The hard drive or USB stick containing the encrypted /home directory
- The login password from the original Ubuntu installation
Understanding the Encrypted /home Directory
Ubuntu uses a package called ecryptfs-utils to encrypt the /home directory. This package uses a wrapped passphrase system. Essentially, your login password is used to decrypt a much longer, more secure passphrase that is then used to encrypt and decrypt your files.
Locating the .Private Directory
The first step is to locate the .Private directory, which contains the encrypted files. You can do this by inserting the USB stick or hard drive into your Ubuntu machine and running the following command in the terminal:
sudo find /media -type d -name .Private
This command searches for directories (-type d) named .Private in the /media directory, which is where external drives are typically mounted. The sudo command is used to run the command with root privileges, which may be necessary to access certain files.
Unwrapping the Passphrase
The next step is to unwrap the passphrase, which is the long, secure password used to encrypt your files. You can do this with the following command:
ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase
Replace DISK with the name of your USB stick or hard drive, and USERNAME with your username. The command prompts for the login password from the original installation and then outputs a passphrase, which you should write down or copy into a file.
Mounting the Encrypted Directory
Now that we have the passphrase, we can mount the encrypted directory. First, we need to add the passphrase to the kernel keyring with the following command:
sudo ecryptfs-add-passphrase --fnek
When prompted, enter the passphrase obtained in the previous step. This command adds the passphrase to the kernel keyring and outputs a FileName Encryption Key (FNEK). Write down or copy the FNEK into a file.
Next, we can mount the encrypted directory with the following command:
sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB
Replace DISK with the name of your USB stick or hard drive, USERNAME with your username, and /media/myUSB with the desired mount point. This command mounts the encrypted directory at the specified mount point.
During the mount command, you will be prompted to accept the default cipher and key size values and to provide the FNEK. Once the directory is mounted, you can access the files in /media/myUSB and copy files to or from it.
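As an added example (not part of the original article), the following shell script is a pre-flight check for the steps above: it finds each .Private directory under a mounted disk, confirms that the matching wrapped-passphrase file exists at the path layout used in this guide, and prints the three commands with the paths filled in. The function names and the script arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumes the on-disk layout used in this article:
#   ROOT/DISK/home/.ecryptfs/USERNAME/.Private
#   ROOT/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase

# find_ecryptfs_homes ROOT
# Prints one tab-separated line per .Private directory found under ROOT:
#   USERNAME  STATUS  PRIVATE_DIR
# STATUS is "ok" when a non-empty wrapped-passphrase file sits beside it,
# "no-wrapped-passphrase" otherwise (the login password cannot help then).
find_ecryptfs_homes() {
    find "$1" -type d -name .Private 2>/dev/null | sort |
    while IFS= read -r priv; do
        user_dir=$(dirname "$priv")
        wrapped="$user_dir/.ecryptfs/wrapped-passphrase"
        if [ -s "$wrapped" ]; then
            status=ok
        else
            status=no-wrapped-passphrase
        fi
        printf '%s\t%s\t%s\n' "$(basename "$user_dir")" "$status" "$priv"
    done
}

# print_recovery_commands ROOT MOUNTPOINT
# Prints the commands from this guide for every recoverable user.
# Nothing is executed; review the output before running it.
print_recovery_commands() {
    find_ecryptfs_homes "$1" |
    while IFS="$(printf '\t')" read -r user status priv; do
        if [ "$status" != ok ]; then
            echo "# $user: wrapped-passphrase missing, cannot unwrap"
            continue
        fi
        echo "# $user"
        printf 'ecryptfs-unwrap-passphrase "%s"\n' \
            "$(dirname "$priv")/.ecryptfs/wrapped-passphrase"
        echo "sudo ecryptfs-add-passphrase --fnek"
        printf 'sudo mount -t ecryptfs "%s" "%s"\n' "$priv" "$2"
    done
}

# Usage: sh preflight.sh /media /media/myUSB
if [ "$#" -ge 2 ]; then
    print_recovery_commands "$1" "$2"
fi
```

Run it with sudo if the disk's directories are not readable by your user, as with the find command earlier.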
Troubleshooting
If you encounter a mount(2) error, you may need to run sudo ecryptfs-manager first and immediately exit before repeating the mount command.
Conclusion
Mounting an encrypted /home directory on another Ubuntu machine can seem daunting, but with the right commands and a little patience, it’s a straightforward process. Remember to keep your passphrase and FNEK safe, as losing them could result in permanent data loss.
No, this guide specifically covers mounting an encrypted /home directory on another Ubuntu machine. The process may differ for other Linux distributions.
No, the login password is required to unwrap the passphrase and mount the encrypted directory. Without the login password, you will not be able to access the encrypted files.
While the process may be similar, this guide specifically focuses on mounting the encrypted /home directory on another Ubuntu machine. The steps may differ for different operating systems.
No, you need the original Ubuntu installation’s login password to unwrap the passphrase and mount the encrypted directory. Without the login password, you will not be able to access the encrypted files.
Yes, this method can be used to recover files from a non-bootable Ubuntu machine. By mounting the encrypted /home directory on another Ubuntu machine, you can access and copy the files from the encrypted directory.
Yes, you can change the mount point by modifying the /media/myUSB part of the mount command. Replace it with the desired path where you want to mount the encrypted directory.
If you encounter a mount(2) error, try running sudo ecryptfs-manager first and immediately exit before repeating the mount command. This may resolve the issue and allow you to successfully mount the encrypted directory.