Sharing an encrypted home directory between Ubuntu installs

encryption automount

Solution 1:

Its not really a problem of whether you can do it, it is a problem of how far you are willing to compromise your encryption.

From any system you can mount any encrypted partition, as you have found. But to do this you must have credentials (the password or key to decrypt it). If you want a system to be able to automatically mount something that is encrypted then you must give it the keys to that encryption, and in this case the most straightforward solutions (and probably the only solutions, were you to opt for automount) would be to store your password in plain-text and have it accessed as a part of boot. The reason for this is that when you login your system must be able to read some home/ for you somewhere before you can manually provide credentials unless they are stored somewhere vulnerable outside the encrypted partition.

In any case, this point is moot. Sharing /home between two major versions is a bad idea -- your dotfiles are not going to be interpreted the same way between two major releases and some setting is either going to get corrupted or just not work at all the way you expect (or not work at all).

I suggest that instead of sharing /home itself, you might want to have a third partition that contains things like documents/, videos/, pictures/, bin/, and whatever other application data you actually use yourself, and leave the dotfiles, settings, browser history, etc. separated. An easyish way to accomplish this is to just replace the default user data directories with symlinks that point to your mount location. So, for example:

sda1  -> mounted at / for 11.04
sda2  -> mounted at / 12.04
sda3  -> encrypted, mounted at /home/you/mnt/ under both

sda3 will contain your user data, so when you mount it you will get

/home/you/mnt/documents
/home/you/mnt/pictures
/home/you/mnt/videos
/home/you/mnt/music
/home/you/mnt/bin
# ...etc

Your original directories will be replaced by symlinks of the form:

/home/you/documents -> /home/you/mnt/documents
/home/you/pictures  -> /home/you/mnt/pictures
# ...etc.

Mounting sda3 will always require providing extra credentials the first time you access anything within it, but this only has to occur the first time when it is mounted. Placing the mount location in /etc/auto.master explicitly under each system should cause a LUKS password prompt the first time you access data -- but the right way to do this might require some research (I've only done this on RHEL and Gentoo, and have no idea what the differences may be in Ubuntu).

In any case, the effect you are trying to achieve is certainly a reasonable goal, but shortcutting by directly sharing an encrypted home directory between major versions is far less secure and ultimately a lot more trouble than its worth.

Related

I want to use Ubuntu as a firewall and wireless AP, with some external traffic passing through openVPN, and the rest just through a firewall
How to auto-mount a copied encrypted home
How to update gtk-3.4 themes to the new gtk-3.6
Ubuntu for Internet radio
How to tweak the appearance of desktop icons in Lubuntu?
How can light sensor be enabled for control brightness and keyboard back-light automatically?
Why is the traditional countdown absent in the Ubuntu homepage now?
My Wireless Network is not listed [hidden network]
Making gnome-screensaver auto-lock in XFCE
Ubuntu 12.10 no network and no graphics
Déjà Dup over SSH - where to enter my login credentials?
How do I configure gnome-screensaver?