LinuxCommandLibrary

ecryptfs-migrate-home

Encrypt existing home directory using eCryptfs

SYNOPSIS

ecryptfs-migrate-home [-u <username>] [-d] [-i] [-b] [-a] [-y] [-q] [-v] [-r] [-s] [-E] [-h]

PARAMETERS

-u <username>
    Specifies the user whose home directory is to be migrated. This is usually a required option.

-d
    Debug mode. Provides more verbose output for troubleshooting.

-i
    Interactive mode. Prompts the user for confirmation at various stages.

-b
    Background mode. Runs the migration in the background (less common for this command).

-a
    Advanced mode. May expose additional options or steps.

-y
    Assume yes. Automatically answers "yes" to all prompts, non-interactive.

-q
    Quiet mode. Suppresses most output except for errors.

-v
    Verbose mode. Provides more information about the progress.

-r
    Restore mode. Used to revert a failed or incomplete migration.

-s
    Skip eCryptfs setup. For advanced users who want to handle the setup manually.

-E
    Enable eCryptfs automatically on boot. Configures the system to automatically mount the encrypted home.

-h
    Displays a help message and exits.

DESCRIPTION

ecryptfs-migrate-home is a utility script provided by the ecryptfs-utils package. Its primary purpose is to seamlessly convert an existing, unencrypted user home directory into an eCryptfs encrypted home directory. This is particularly useful for users who did not opt for home directory encryption during operating system installation but wish to add this security feature later.

The script handles the complex process of setting up the necessary eCryptfs mount points, copying all data from the old home directory to a newly created encrypted structure, and then swapping the directories. It ensures that the user's files are encrypted on disk, providing enhanced privacy and data protection. The process typically requires the target user to be logged out and often involves a system reboot after completion to finalize the changes.

CAVEATS

Data Backup Critical: It is highly recommended to perform a full backup of the user's home directory before initiating the migration. While the tool is designed to be safe, data loss can occur in rare cases of system failure or unexpected interruptions.

User Must Be Logged Out: The target user (whose home directory is being migrated) must not be logged in during the entire process. No active processes should be accessing the home directory.

Root Privileges: The command must be executed with root privileges (sudo).

Disk Space: Ensure sufficient free disk space. The migration process temporarily requires disk space equal to or greater than the size of the original home directory to create the encrypted copy.

Potential for Interruption: Do not interrupt the migration process once it has started. Interruptions can lead to an inconsistent state, making recovery difficult.

System Reboot: A system reboot is often required after a successful migration to ensure all changes are applied and the encrypted home directory is properly mounted.

Recovery (-r option): In case of issues, the -r (restore) option can sometimes be used to revert the changes, but its success depends on the stage at which the migration failed.

PRE-MIGRATION CHECKS

Before running ecryptfs-migrate-home, it's advisable to perform a few checks:

- Ensure the ecryptfs-utils package is installed.
- Verify that the target user is logged out.
- Check for sufficient free disk space (df -h).
- Confirm the integrity of the existing home directory.
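
The first three checks above can be scripted. The following is an added example, not part of ecryptfs-utils or the original page: the function names and return codes are its own, and the free-space threshold follows the CAVEATS section (free space at least the size of the home directory). It only reads system state and changes nothing.

```shell
#!/bin/sh
# Added example: read-only preflight to run before ecryptfs-migrate-home.
# Function names and return codes are this example's own choices.
# Usage (as root): sh preflight.sh USERNAME

# Kilobytes used by a directory tree, without crossing filesystems.
dir_usage_kb() { du -skx "$1" 2>/dev/null | awk '{print $1}'; }

# Kilobytes available on the filesystem that holds a path.
fs_free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# enough_space USED_KB FREE_KB: the page's caveat, free >= size of home.
enough_space() { [ "$2" -ge "$1" ]; }

# True while the user still owns processes, i.e. is not fully logged out.
user_is_active() { [ -n "$(ps -U "$1" -o pid= 2>/dev/null)" ]; }

# preflight USERNAME: prints one line per check, returns 0 if all pass.
preflight() {
    user=$1
    rc=0
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -d "$home" ] || { echo "FAIL: no home directory for $user"; return 2; }

    command -v ecryptfs-migrate-home >/dev/null 2>&1 ||
        { echo "FAIL: ecryptfs-utils is not installed"; rc=1; }

    if user_is_active "$user"; then
        echo "FAIL: $user still has running processes"; rc=1
    fi

    used=$(dir_usage_kb "$home")
    free=$(fs_free_kb "$home")
    if enough_space "$used" "$free"; then
        echo "OK: $free KB free for a $used KB home"
    else
        echo "FAIL: home is $used KB but only $free KB is free"; rc=1
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

The fourth check, the integrity of the existing home directory, is not covered here and is best handled by the backup recommended under CAVEATS.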

POST-MIGRATION VERIFICATION

After the migration and a system reboot, it's crucial to verify that the encryption is active:

- Log in as the migrated user.
- Check the mount points using mount | grep ecryptfs. You should see /home/username mounted on .Private and .ecryptfs/username/.ecryptfs on username's home directory.
- Create a new file and then log out and log back in to ensure it's still accessible.
- Optionally, inspect the raw disk (if possible) to confirm that files appear encrypted outside the mounted home.

HISTORY

ecryptfs-migrate-home is part of the ecryptfs-utils package, which provides a set of command-line tools for managing eCryptfs encrypted filesystems. eCryptfs itself is a stacked cryptographic filesystem for Linux, designed to provide per-file encryption. The ecryptfs-utils suite, including ecryptfs-migrate-home, was developed to simplify the setup and management of eCryptfs encryption, particularly for user home directories, which became a common feature in distributions like Ubuntu for enhanced security. Its development has focused on automating the complex steps involved in migrating data securely.
