Removing Encryption from Home Directories in Ubuntu 9.10 & 10.04

I recently assembled a new workstation for home and in the process did a clean install of Ubuntu 9.10 on the system.  Though I have been working with Ubuntu’s very handy ecryptfs setup for encrypted home directories, I had limited such to laptops and had never done so on a desktop system before.  I figured I would give it a try and see what happened.

Performance tests done by others had always shown that there was a slight degradation of speed on ecryptfs encrypted filesystems, which I had fully expected, but I ran into something I hadn’t dealt with on my laptop: directory trees with hundreds of thousands of files.

The difference in speed of accessing individual files a few at a time in ecryptfs was never really noticeable, but I had never tried to stat a tree of 600,000+ files before.  It was as if my brand new system was an artifact from the ’70s.  It dropped to its knees and cried.

Not believing how slow it was, I tested the issue by copying the directory tree to an unencrypted filesystem on the same physical hard drive, and the same task (running ‘tree’ on the directory structure) took only a few seconds instead of minutes.  It was apparent that any task which had to do a lot of file stat processing simply dragged to a crawl under ecryptfs.

I was left with the dilemma of how to change my entire home directory under the ecryptfs system – complete with Ubuntu’s handy automatic mounting – to a standard, unencrypted form.  A bit of searching on the Web led to dozens of approaches, some as drastic as copying the files to an unencrypted filesystem and removing the ecryptfs software.  That seemed ludicrous to me.  There should be no reason to disable an entire feature globally to deal with one directory.

I finally came across some handy information on a blog, which gave me a clue as to how the automatic mounting worked in Ubuntu 9.04.  Although not exactly the same as the Ubuntu 9.10 implementation, it was more than enough to give me a very simple way to not only remove the encryption from my home directory, but to allow the system to work for me in creating an encrypted directory to use within my home directory, which took advantage of the slick auto-mount setup the Ubuntu developers had designed.

So, should anyone stumble on this issue, I’ll detail the steps I took to alter Ubuntu 9.10 from full home directory encryption to a normal home directory with an auto-mounting encrypted sub-directory.  The process is amazingly simple.  All text in red is an actual command to type; green text is a file or directory path. “username” is a token for the name of your account.

  • Log off the system.  No process belonging to your user account should still be running.
  • Log in as root or as a different sudo-enabled account.
  • Make sure that your account’s home directory is not mounted, using the ‘df’ command.  If it is still in place, use umount /home/username to unmount the encrypted filesystem.
  • Change the line “/home/username” to “/home/username/Private” in the /home/.ecryptfs/username/.ecryptfs/Private.mnt file using your favorite text editor.
  • mkdir /home/username/Private
  • chown username.username Private
  • Reboot the computer. (You can try restarting the cryptdisks init scripts, but I didn’t have any luck with it.)

When you log in now, your previous home directory will be mounted at /home/username/Private instead of at /home/username.  Log in the first time using a console rather than X11 (Ctrl-Alt-[F1-F6] from the login screen should be available), move the files you want from ~/Private to your home directory, and use the ~/Private encrypted directory for your sensitive documents.  Moving your dotfiles and hidden sub-directories back into /home/username is a good idea, unless you feel like re-configuring Gnome or KDE.

From this point on, Ubuntu will continue to automatically mount and dismount your ~/Private directory, just as it did for your entire home directory before.

Addendum: The procedure used above is identical in Ubuntu 10.04 LTS.
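The steps above, as an added example that is not part of the original post: a short shell script that performs the same edit on the stock Ubuntu 9.10/10.04 ecryptfs layout (checks that nothing is still mounted at /home/username, rewrites Private.mnt, creates and chowns ~/Private). It refuses to run when Private.mnt does not hold the expected target, so running it twice or against a hand-edited file does nothing harmful. The paths are the ones the post names; the optional second argument to convert_home prefixes every path and exists only so the logic can be exercised against a constructed directory tree rather than a live system. The reboot at the end of the procedure is still done by hand.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: automates the conversion steps
# above for one user. Run as root after the user has logged out completely.
# Usage: sudo ./move-ecryptfs-home.sh username
set -eu

# home_is_mounted DIR: true when something is mounted exactly at DIR
# (the "check with df" step, read from /proc/mounts instead).
home_is_mounted() {
  awk -v h="$1" '$2 == h { found = 1 } END { exit !found }' /proc/mounts
}

# rewrite_private_mnt FILE HOME: change the single-line mount target stored
# in Private.mnt from HOME to HOME/Private. Refuses to touch a file that does
# not hold the expected target, so a second run is not silently mangled.
rewrite_private_mnt() {
  local mnt_file="$1" home="$2" current
  [ -f "$mnt_file" ] || { echo "missing $mnt_file" >&2; return 1; }
  current="$(cat "$mnt_file")"
  if [ "$current" != "$home" ]; then
    echo "unexpected mount target in $mnt_file: '$current'" >&2
    return 1
  fi
  printf '%s\n' "$home/Private" > "$mnt_file"
}

# convert_home USER [ROOT]: the full procedure for one user. ROOT prefixes
# every path and is only for testing against a constructed tree; leave it
# empty on a real system, where the mount check and chown also run.
convert_home() {
  local user="$1" root="${2:-}"
  local home="/home/$user"
  local mnt_file="$root/home/.ecryptfs/$user/.ecryptfs/Private.mnt"

  if [ -z "$root" ] && home_is_mounted "$home"; then
    echo "$home is still mounted; log the user out and run 'umount $home' first" >&2
    return 1
  fi
  rewrite_private_mnt "$mnt_file" "$home" || return 1
  mkdir -p "$root$home/Private"
  if [ -z "$root" ]; then
    chown "$user:$user" "$home/Private"
  fi
  echo "done: $home will be mounted at $home/Private on next login; reboot now"
}

# Only act when a username is given on the command line.
if [ "$#" -gt 0 ]; then
  convert_home "$1"
fi
```

The guard in rewrite_private_mnt matters more than it looks: Private.mnt is a one-line file that ecryptfs trusts blindly at login, so a stray second edit (or the sed one-liner from one of the comments below run twice) would point the mount at /home/username/Private/Private and leave the user staring at an empty home directory.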


18 Responses to “Removing Encryption from Home Directories in Ubuntu 9.10 & 10.04”

  1. doc says:

    Just wanted to say thank you tons for this, I did not realize encrypting my drive would take up twice as much space, wasn’t looking forward to having my TB drive filled with only 500GB of actual data :|

  2. Simon says:

    Thanks very much – most helpful :-)

  3. locksmith says:

    Hrmm that was weird, my comment got eaten. Anyway I wanted to say that it’s nice to know that someone else also mentioned this as I had trouble finding the same info elsewhere. This was the first place that told me the answer.

  4. pehden says:

    Thanks a lot for this info, will most likely do this on my server tonight, only problem is there aren’t any root accounts, and no other users have sudo, does this mean I need to give root a password?

    • Satan says:

      You will either have to give the root account a password via your account with sudo, or create a new user for yourself with sudo access. Check your /etc/sudoers file. Ubuntu typically defaults so that any user in the “admin” group will have full sudo access, so you would only need to add an existing user or a new user account to this group. Running the command “adduser [username] admin” will add an existing account to the group. If you need to create a new account, I would recommend not adding the user to the admin group with the “--group” flag, as this will make “admin” the user’s default group. Instead, create the new user, then run adduser again to assign the account to the admin group.

      Probably the easiest route is to just assign a password to the root account. Not doing so is, in my opinion, a “security through obscurity” hack. There are arguments for and against this practice, but I’ve never seen a downside to root having a password on a properly secured system. On the upside, in a severe crisis recovery mode, you’ll be glad that root has a password, as this can often be your only access to the system.

  5. pehden says:

    Option 2 worked for me but now my root has a password, is there a way to remove that? I tried the first thing but ended up somehow removing all the admins, I fixed that with a live CD.

    • Satan says:

      Not to be offensive, but it sounds like you need to read up on general Linux systems administration. The mistakes you made here are pretty blatant and you would do better with a little more education on the subject. I’d start reading here: http://tldp.org/LDP/sag/html/index.html

      As to your problem, if you want to remove the password from the root account, you will need to login as a user with sudo access and edit the /etc/shadow file. The first line should be for the root account. Fields on the line are separated by the “:” character. The second field will appear as a jumble of characters. Edit the second field to be a “!” character. Save the file and you’re done.

      I will comment again on this practice: why is it that you want to cripple root? Ubuntu’s decision to leave the root password disabled doesn’t buy much but a little obscurity on the security side (since this is common practice for Ubuntu and Ubuntu is so popular, I’d say that obscurity is pretty much gone now) and to prevent novice users from logging in as root directly on a regular basis, which is a die-hard habit of old Windows users (whose accounts normally run at “administrator” level). It really doesn’t buy you anything in security: if your account is hacked by a bad password, the attacker still has as much root access through sudo as they would breaking the root account’s password directly, and it doesn’t save you from yourself, when sudo is allowed to perform every action that root can by default.

      In short, I find it to be rather silly, pseudo-psychology in action. There is no real justifiable reason to have the root account disabled and thousands of reasons to have it enabled with a secure password.

      In short, I think you’re making a mistake.
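The comment above describes the /etc/shadow layout (colon-separated fields, the password hash in the second field) and disabling root by editing that field. As an added example that is not part of the thread, the function below makes that edit on a shadow-format file the way `passwd -l` does: it prefixes the hash with “!” instead of replacing it, which disables password login but keeps the hash so `passwd -u` can restore it later. The sample file and its hashes are constructed; the script never touches /etc/shadow unless you pass it that path as root.

```shell
#!/usr/bin/env bash
# Added example, not part of the thread: lock an account's password in a
# shadow-format file. Usage: ./lock-shadow.sh FILE USER, or run with no
# arguments for a demo on a constructed temporary file.
set -eu

# lock_shadow_entry FILE USER: prefix USER's password field (field 2) with "!",
# the same edit `passwd -l` makes. Idempotent: an already locked entry is left
# alone, so the "!" is never doubled.
lock_shadow_entry() {
  local file="$1" user="$2" tmp
  tmp="$(mktemp)"
  awk -F: -v OFS=: -v u="$user" '
    $1 == u && $2 !~ /^!/ { $2 = "!" $2 }
    { print }
  ' "$file" > "$tmp"
  # Copy back rather than mv, so the original owner, mode and inode are kept.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# shadow_field FILE USER: print the password field for USER.
shadow_field() {
  awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# is_locked FILE USER: true when password login for USER is disabled, i.e. the
# field starts with "!" (locked) or "*" (how system accounts ship).
is_locked() {
  case "$(shadow_field "$1" "$2")" in
    '!'*|'*'*) return 0 ;;
    *) return 1 ;;
  esac
}

if [ "$#" -eq 2 ]; then
  lock_shadow_entry "$1" "$2"
elif [ "$#" -eq 0 ]; then
  # Stand-alone demo on a constructed two-line shadow file (hashes are fake).
  demo="$(mktemp)"
  printf 'root:$6$constructedsalt$constructedhash:15000:0:99999:7:::\n' > "$demo"
  printf 'alice:$6$othersalt$otherhash:15000:0:99999:7:::\n' >> "$demo"
  lock_shadow_entry "$demo" root
  echo "root password field after lock: $(shadow_field "$demo" root)"
  rm -f "$demo"
fi
```

Replacing the whole field with a single “!” as the comment says also works, but it throws the hash away; the prefix form is what the shadow-utils tools expect, and the “*” case in is_locked is why a fresh install shows most system accounts as locked without anyone having run passwd on them.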

      • pehden says:

        I left the password on the root account. The reason I asked was because I never really looked into all the files in the directories and have only dealt with Linux for about 3 years off and on, and only until last year was I using it as my server. So mostly I didn’t know how to remove that password if I wanted to.

        • pehden says:

          After reviewing what I meant to say: I tried to create a new user and make the user admin and somehow I removed all my admin ability on the server, but luckily I was able to recover via live CD and I re-edited the groups file. I tried to add the user in there by adding a : then the other username but I’m guessing I did it wrong or left a typo. I was in a hurry so I just restored the file to normal.

          • Satan says:

            Again, you should review the various Linux systems administration guides. You’ll find a lot of your answers there.

            When you add a new user to a group manually, (rather than running adduser to do it) you separate the user names with a comma “,” character, not a colon.

  6. pehden says:

    Thanks a lot for that, I went and checked out a book that will take forever to read with my schedule lol, the Linux Bible 09 edition, so maybe I will learn some more, and I will remember that , next time when I try editing lol. Have no idea why I thought that ; would work.

  7. pehden says:

    With good news I did get the encryption dropped with your tutorial.

  8. dirtdevil says:

    As an alternative to trying to setup a root password, you can also use grub to select recovery mode. From there it will boot to a menu where you can select ‘rootprompt’.

    https://wiki.ubuntu.com/RecoveryMode

    Here are the specific steps I performed, which are basically those found on this blog. On step 7 I used sed since it would be easier for someone to copy-paste.

    1. Reboot the computer
    2. From the grub menu, select the recovery mode entry
    3. On the recovery menu, select ‘rootprompt – Drop to root shell prompt’
    4. mkdir /home/username/Private
    5. chown username:username /home/username/Private
    6. cd /home/.ecryptfs/username/.ecryptfs
    7. sed -i 's!/home/username!/home/username/Private!' Private.mnt
    8. su - username
    9. ecryptfs-mount-private
    10. cd ~/Private
    11. rsync -av ./ /home/username/
    12. exit
    13. reboot
    14. Allow the system to boot as normal and login
    15. Verify that the contents of the home folder appear as you expect
    16. All data in ~/Private can be deleted per your preference.

    • Satan says:

      This is a great alternative for those who don’t have a root enabled account. Thanks for taking the time to post this.

  9. KC says:

    Thanks, encrypting my home dir slowed down my laptop. A separate Private folder is a good idea.

  10. Z says:

    Thanks for the options.

    Reading through your examples sparked the idea for me to: solve my encrypted /home by using rsync over ssh to my secondary box, wipe my server drive && re-install Debian instead of Ubuntu && rsync back. Think it’ll end up cleaner for me since I’m ready to start semi-fresh on an install.

    Keep posting the tutorials :) & I support the RTFM comments.