LinuxCommandLibrary

ecryptfs-migrate-home

Encrypt existing home directory using eCryptfs

SYNOPSIS

ecryptfs-migrate-home [-u username | --user=username] [--no-logout] [username]

PARAMETERS

-u username, --user=username
    Migrate specified username's home directory (default: current user). Requires root for non-current users.

--no-logout
    Skip automatic logout prompt after successful migration.

username
    Positional argument specifying the user (alternative to -u).

DESCRIPTION

ecryptfs-migrate-home converts an existing unencrypted user home directory to an eCryptfs-encrypted one nondestructively. eCryptfs provides stacked, kernel-level file encryption, protecting data at rest while allowing transparent access when mounted.

The process prompts for the user's login passphrase (default) and an optional separate encryption passphrase to derive the FEK (file encryption key) and FEK signature stored in ~/.ecryptfs/. It generates configuration files such as ecryptfs.conf and Private.sig.

It mounts a temporary eCryptfs plaintext view (e.g., at /tmp/ecryptfs.<user>.tmp), uses rsync to copy all files from ~ while preserving permissions, ownership and special files, then unmounts. The original home contents are moved into the new ~/.ecryptfs/Private (ciphertext-wrapped directory). The home root is prepared as a mountpoint.

On next login, PAM's pam_ecryptfs automatically mounts eCryptfs, stacking the decrypted view atop /home/<user> and hiding .ecryptfs/. Data appears unchanged but is encrypted on disk.

Supports migrating the current user or a specified user (as root). By default it prompts for logout after migration so the result can be verified. Run it with no active processes and no files open in the home directory to avoid sync issues. Integrates with Ubuntu's encrypted home setup.

CAVEATS

Back up your data first; migration moves files into ~/.ecryptfs/Private. Close any processes that have files open in the home directory to prevent inconsistencies. Test logging back in immediately after migration. The command fails if ~/.ecryptfs already exists or if there is insufficient free space. eCryptfs is deprecated upstream; prefer LUKS or eCryptfs alternatives such as fscrypt. Run as the target user or as root.
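
The conditions listed in these caveats can be checked, read-only, before starting a migration. The script below is an added example, not part of ecryptfs-utils or of the original page; the function names and the free-space factor (default 2) are assumptions made here.

```sh
#!/bin/sh
# Read-only pre-flight checks for ecryptfs-migrate-home.
# Added example: function names and the space factor are assumptions.

# Succeeds only if the home directory $1 has no existing ~/.ecryptfs.
check_no_existing_ecryptfs() {
    [ ! -e "$1/.ecryptfs" ]
}

# Succeeds if the filesystem holding $1 has at least FACTOR times the
# home's current size free. FACTOR ($2, default 2) is an assumed margin.
check_free_space() (
    used=$(du -sk "$1" | awk '{print $1}')
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${avail:-0}" -ge $((${used:-0} * ${2:-2})) ]
)

# Prints PIDs whose cwd or an open file lies under $1 (Linux /proc).
# Processes of other users are only visible when run as root.
procs_using_home() (
    home=$(readlink -f "$1") || exit 2
    for p in /proc/[0-9]*; do
        for target in "$p"/cwd "$p"/fd/*; do
            case "$(readlink "$target" 2>/dev/null)" in
                "$home"|"$home"/*) echo "${p#/proc/}"; break ;;
            esac
        done
    done
    exit 0
)

# Runs every check on home directory $1; exit status = failed checks.
preflight() (
    fails=0
    command -v ecryptfs-migrate-home >/dev/null 2>&1 ||
        { echo "ecryptfs-migrate-home not found (ecryptfs-utils)"; fails=$((fails + 1)); }
    check_no_existing_ecryptfs "$1" ||
        { echo "$1/.ecryptfs already exists"; fails=$((fails + 1)); }
    check_free_space "$1" ||
        { echo "not enough free space for $1"; fails=$((fails + 1)); }
    pids=$(procs_using_home "$1" | tr '\n' ' ')
    [ -z "$pids" ] || { echo "home in use by PIDs: $pids"; fails=$((fails + 1)); }
    exit "$fails"
)

# Usage: sh preflight.sh /home/demo   (no arguments: only defines functions)
[ "$#" -eq 0 ] || preflight "$@"
```

An exit status of 0 means none of the checked conditions was found; it does not replace the backup.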

USAGE NOTES

Requires the ecryptfs-utils package. After migration, ~/.ecryptfs/Private holds the encrypted data; never edit it directly while it is unmounted. To revoke access: run ecryptfs-migrate-home -u <user> --no-logout, then umount manually.

EXAMPLE

ecryptfs-migrate-home
Migrates current user interactively.

sudo ecryptfs-migrate-home -u demo
Migrates demo user (run as root).

HISTORY

Part of eCryptfs-utils since ~2008, developed by Canonical (Dustin Kirkland et al.) for Ubuntu. eCryptfs kernel module upstreamed in Linux 2.6.19 (2007). Widely used in Ubuntu until 20.04; phased out post-22.04 for encfs/LUKS.

SEE ALSO
