Moving from Ubuntu, worried about being able to access my (encrypted) data

I've decided to go back to Fedora after being on Ubuntu for a while. Thankfully I have just done the upgrade to 11.04 so the warning it gave me about it encrypting some things was fresh in my mind, but now has me worried that I won't be able to access my data when I install Fedora.

I've tried a live CD of Fedora 15 and sure enough, I cannot access my home directory of the Ubuntu installation. I made a note of the encryption key that was generated for me, but I just jotted it down very quickly so I'm wondering,

  1. Is there any way to view my encryption key again to check I wrote it down correctly?

  2. If I have the encryption key, will I be able to decrypt from Fedora, or is it tied to my Ubuntu installation?

  3. Is there a way to decrypt my home folder before installing Fedora, so this isn't an issue?

  4. Will Ubuntu's encryption process have encrypted anything else apart from my home folder? (Anything I'm likely to forget to back up?!)

  5. (Has anyone had any experience of this process before? How did it go?)


I will of course take a backup of my home folder anyway, which you may think makes this question a little pointless, but I'd like to know for future reference and to ensure that I don't get caught out with any nasty surprises.

Thanks for your help.


Assuming that the encryption you are referring to is Ubuntu's "automatically encrypt home folder" option specified at installation, not full-partition encryption such as LUKS:

  1. If you run the command 'ecryptfs-unwrap-passphrase' in a terminal and enter your password when prompted, it will show the unwrapped encryption key. This should be the same one that is displayed automatically at first login for you to make a note of.

  2. In theory (and from a security point of view) the key is all you need to perform the decryption, however as far as I know the scripts and mount helpers that are used to automatically decrypt the home directory are only used in Ubuntu. The upshot of this is that you might need to install Fedora with a different user/home directory, then use a manual ecryptfs mount command to gain access to the encrypted Ubuntu directory (rather than re-using the same home directory and expecting it to just work).

  3. There probably isn't an easy way to decrypt the home directory "in place", but if you have enough hard disk space you could back up the decrypted contents (i.e. while you are logged in) into a tar archive in /var/tmp (for example), and then extract this archive into the new Fedora home directory once it is up and running.

  4. I don't believe so, the encryption is applied only to the home directory which is mounted using EcryptFS at login.

  5. I haven't done this myself (the home directory encryption is something of a "killer feature" for me which would be a major reason not to switch to another distro), but if I needed to do this I would probably go for the "backup with tar" approach as mentioned in item 3, rather than attempt to use ecryptfs mount commands manually from the new distribution.
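
The "backup with tar" approach from items 3 and 5, sketched as an added example (not part of the original answer): it confirms the home directory is the mounted, decrypted eCryptfs view before archiving, writes the plaintext archive with owner-only permissions, and verifies it afterwards. The function names and the BACKUP_TO variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: archive a decrypted eCryptfs home directory and verify it.
# Function names and BACKUP_TO are illustrative assumptions.

# Succeeds only if directory $1 is currently an eCryptfs mount point, i.e.
# the files visible there are the decrypted view. $2 is the mount table
# (default /proc/mounts). A constructed sample line looks like:
#   /home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev 0 0
is_ecryptfs_mounted() {
    awk -v dir="$1" '$2 == dir && $3 == "ecryptfs" { found = 1 }
                     END { exit !found }' "${2:-/proc/mounts}"
}

# Archive directory $1 into $2 (use an absolute path outside $1) and record
# a SHA-256 checksum in $2.sha256. The archive holds plaintext copies of the
# encrypted data, so umask 077 keeps it readable by the owner only.
backup_home() {
    src=$1; archive=$2
    ( umask 077
      tar -C "$src" -czf "$archive" . &&
      sha256sum "$archive" > "$archive.sha256" )
}

# Check the archive against the recorded checksum and read it end to end.
verify_backup() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1 &&
    tar -tzf "$1" >/dev/null 2>&1
}

# Runs only when BACKUP_TO is set, e.g.:
#   BACKUP_TO=/var/tmp/home-backup.tar.gz sh backup-home.sh
if [ -n "${BACKUP_TO:-}" ]; then
    is_ecryptfs_mounted "$HOME" || {
        echo "$HOME is not a mounted eCryptfs home; refusing to archive" >&2
        exit 1
    }
    backup_home "$HOME" "$BACKUP_TO" && verify_backup "$BACKUP_TO"
fi
```

The archive is not encrypted, so remove it from /var/tmp once it has been extracted on the new installation.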


Ubuntu will only encrypt your home directory, nothing else. The home directory remains encrypted until you access your account, then it's mapped transparently onto your home directory (and encrypted/decrypted on the fly). The easiest way is to log in and copy the home dir contents to another dir; this will decrypt the contents automatically.

How it all works

Encfs creates an encrypted file/folder inside /home/.encfs/testuser for every file/folder you create inside /home/testuser. When the encrypted folder is "mounted" the files are decrypted on the fly and accessible at the mountpoint (/home/testuser).

With pam_encfs configured as it is, every time a user tries to log in, it will attempt to execute "encfs /home/.enc/$USERNAME /home/$USERNAME" using your account password. For users you haven't set up encryption for, this will simply fail and everything is the same as normal. For users you set up, the empty /home/$USERNAME folder will suddenly provide access to their decrypted files and folders! Yay!

The pam.d/common-auth setting means pam_encfs.so will try to run before login completes. The use_first_pass lines mean this module will attempt to use the first password entered without prompting for a new password even if pam_encfs.so fails. This is necessary so users without encrypted folders aren't prompted twice for their passwords.

Source: https://wiki.ubuntu.com/EncryptedHomeFolder


I have not experienced your exact situation, but I want to offer some general information that I think will help ease your mind.

Although there are many distributions of Linux, for the most part, they all use exactly the same underlying technology. It certainly is possible that one distribution might ship with some special support that no other distribution has, but this is rare, and typically only occurs for very special-case Linux distributions, which cost a lot of money. This is because, generally, only third-party, commercial software that costs lots of money is ever bundled "extra" with Linux. Everything else is free, so every distribution offers the same core features.

This is why questions like "Does my XYZ modem work in Fedora?" or "Will my ABC video card work in Ubuntu?" or "Can I use my FOO wireless network card in CentOS?" aren't generally useful questions, aside from "Will they work in Linux?"

Hardware drivers are, by and large, identical across Linux distributions, because they are all part of the kernel, and all Linux distributions use the same kernels.

(Now before someone flips out on me, I realize that different distributions ship with different kernel versions, and sometimes hardware support differs between them. I also know that some distributions choose to ship with beta, unstable, or userspace drivers that don't always fit neatly into my description. But for the most part, this happens very rarely--especially for hardware that anyone actually uses.)

Filesystems, including encrypted filesystems, fall into the same category. Every distribution ships with the same options. (This wasn't always true 10 years ago, when encrypted filesystem support was new, and unofficial, but that matters very little today.)

So what I'm trying to say is... if you encrypt your filesystem in any Linux distribution, you should be able to read it in any other (current) distribution, without any problems.

EDIT:

Asking "Will XYZ work in Fedora/Ubuntu/CentOS" is a lot like asking "Will XYZ work in Windows 7 on my Dell/HP/Toshiba." The core OS is the same in all cases.


This might be helpful to others in future.

How to disable home folder encryption after installing ubuntu:

http://www.howtogeek.com/116179/how-to-disable-home-folder-encryption-after-installing-ubuntu/