1

I just faced a problem with an encrypted home directory in Ubuntu Server 10.04.

While I know a workaround, I just want to completely remove encryption from everything.

Any hints how to do that without complete backup & reinstall?

Michael Hampton
BarsMonster

3 Answers

5

This guide is pretty major surgery, only follow it if you are confident at the command line - a few mistakes could lead to losing all your data.

You will have to copy all the files from your home directory somewhere else, and then copy them back once you have turned off the encryption, but you don't have to reinstall. So let's say you have an external drive at /media/disk-1. You can back up with

$ cp -a /home/user /media/disk-1/

The -a does recursive and a bit more. Make sure you back up all users, as we will delete the encrypted copies later.

Then you need to unmount the ecryptfs mount, delete all the encrypted files, stop the automounting and copy all your files back. This is going to cause havoc if you are logged in with a GUI, so I would either log out and log in on one of the consoles (press Ctrl-Alt-F1 to access one), or I would boot off a live CD/USB stick to do this. Either way, be very sure your backups are safe.

If you are using a live CD you will need to mount your disk, and the paths in the following commands will change accordingly.

So, unmount the ecryptfs mount. (If you are working off a live CD you don't need to do this step).

$ ecryptfs-umount-private

Next make room on the disk by deleting all the old encrypted files. Be sure your backups are safe before you do this. And if you have over half your disk spare, you can leave this step until you are sure the new version is working. But if you have only a bit of your disk spare then you will need to do this before copying the files back.

$ sudo rm -rf /home/.ecryptfs

Next we need to stop the auto-mounting. So edit the files

/etc/pam.d/common-auth 
/etc/pam.d/common-password 
/etc/pam.d/common-session 
/etc/pam.d/common-session-noninteractive

and comment out the line that mentions pam_ecryptfs by putting a # at the start of the line. So for example, common-session would now contain

#session    optional    pam_ecryptfs.so unwrap

Now you can copy all your files back

$ cp -a /media/disk-1/user /home

Then do a reboot and you should be without the encrypted folders, and able to enable auto-login. If you didn't delete /home/.ecryptfs earlier, you should do so once you're confident everything is working as expected.

Hamish Downer
  • That is somewhat what I need. I have only one user in the system. Will the console behave correctly when I remove the content of my own home directory? – BarsMonster Jul 15 '10 at 12:43
  • Yes - although history and such things will be lost while you are doing it, and if you have to re-login half way through then you won't have access to customisations in eg .bashrc, you will just have the system defaults. But when you copy all the files back into /home then it will all be restored. – Hamish Downer Jul 15 '10 at 13:51
  • Yey! it worked flawlessly, though I chickened out and just moved stuff around, not deleted them - I'll give it a whirl and delete in a few days. For reference - I moved media and other "big folders" to /home/user.backup, then I opened nautilus as root (sudo nautilus) and copy/paste everything remaining (remember to click "Ctrl-H" before to see hidden files), then I did "sudo chown user:user /home/user.backup -R" - then followed the rest of the guide here, but just moved /home/user to /home/user_enc and /home/user.backup to /home/user. Oh - big note - it's "umount", not "unmount". No "n". – Ran Biron Oct 18 '11 at 23:47
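The PAM edit described in the answer above can be done in one repeatable pass. This is an added example, not part of the original answer; the function names and the `.pre-ecryptfs-removal` backup suffix are assumptions made for illustration, and the directory argument lets you rehearse on a copy of /etc/pam.d first.

```shell
#!/bin/sh
# Added example (not from the original answer): comment out active
# pam_ecryptfs lines in the four PAM files the answer lists.
# Function names and the backup suffix are hypothetical choices.

PAM_FILES="common-auth common-password common-session common-session-noninteractive"
# A line is "active" if its first non-blank character is not '#'.
ACTIVE_RE='^[[:space:]]*[^#[:space:]].*pam_ecryptfs'

# Count active pam_ecryptfs lines across the four files in $1.
active_pam_ecryptfs_lines() {
    pam_dir="${1:-/etc/pam.d}"
    total=0
    for name in $PAM_FILES; do
        f="$pam_dir/$name"
        [ -f "$f" ] || continue
        n=$(grep -Ec "$ACTIVE_RE" "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Comment out active lines; print how many files were changed.
# Already-commented lines are left alone, so re-running is harmless.
disable_pam_ecryptfs() {
    pam_dir="${1:-/etc/pam.d}"
    changed=0
    for name in $PAM_FILES; do
        f="$pam_dir/$name"
        [ -f "$f" ] || continue
        if grep -Eq "$ACTIVE_RE" "$f"; then
            # Keep the original so the edit can be reverted.
            cp -p "$f" "$f.pre-ecryptfs-removal" || return 1
            tmp="$f.tmp.$$"
            sed -E 's/^([[:space:]]*[^#[:space:]].*pam_ecryptfs)/#\1/' "$f" > "$tmp" || return 1
            # Write through the existing file to keep owner and mode.
            cat "$tmp" > "$f" && rm -f "$tmp" || return 1
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Usage (as root), rehearsing on a copy before touching the real files:
#   cp -a /etc/pam.d /root/pam.d.test && disable_pam_ecryptfs /root/pam.d.test
#   disable_pam_ecryptfs && active_pam_ecryptfs_lines   # second command prints 0
```

On Ubuntu these common-* files are managed by pam-auth-update, so run `active_pam_ecryptfs_lines` again after PAM-related package changes to confirm the lines are still commented out.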
0

The problem you're facing is that the filesystem is encrypted. When you decrypt the area of disk, you're not doing one file at a time. So it's not going to be possible to just "turn off" encryption without backing up files and restoring.

Sirex
0

While reading about I came up with another strategy that might work for you, depending on what your issue is. If the issue is that you (as root) need to access users' files while they are not logged in, then you could stop the encrypted files being unmounted on logout.

ecryptfs uses files in /home/.ecryptfs/user/.ecryptfs/ to control the operations. You will see it contains files auto-mount and auto-umount. They are both of zero size. I'm pretty sure that if you

$ sudo rm /home/.ecryptfs/*/.ecryptfs/auto-umount

then the users' directories will not be unmounted on logout and will remain accessible. However, the on-disk format will still be encrypted, so you don't have to worry about old disks falling into the wrong hands (provided you securely delete /home/.ecryptfs/*/.ecryptfs/*) (and /tmp and /var/ and swap ...)

Hamish Downer