In the spirit of the FHS, Encrypted Home Directories in Ubuntu 9.04 stored certain configuration information about your Encrypted Home setup in /var/lib/ecryptfs.
However “correct” this location might be, it has caused considerable pain to a number of users, mostly because people generally don’t back up /var/lib. That said, it is entirely possible to regenerate all of the information in your /var/lib/ecryptfs directory if you recorded your all-important mount passphrase.
In any case, this is not the most user-friendly place to store this information.
Thus, in Karmic, we are using /home/.ecryptfs instead of /var/lib/ecryptfs. Each user encrypting their home directory will have a directory in /home/.ecryptfs/$USER which will contain the “real” .ecryptfs and .Private directories.
This provides a couple of advantages.
First, your /home directory is completely self-contained. You can backup that entire hierarchy and save all of the data necessary (excepting your secret passphrase, of course). Actually, many users make /home a separate partition.
Secondly, having access to /home/.ecryptfs/$USER/.Private means that you can much more easily perform backups of your encrypted data. This feature has been requested many, many times.
You can actually take advantage of this same configuration in Ubuntu 9.04, if you follow the guide below. I recommend doing so.
As always, you should log out of all desktop sessions, and perform these instructions from a tty terminal, or an ssh session.
```sh
#!/bin/sh -e
# Move out of your home directory
cd /
# If your encrypted home is not mounted, try to mount it
grep -qs " $HOME ecryptfs " /proc/mounts || ecryptfs-mount-private
# With root privilege, create a /home/.ecryptfs/$USER directory
sudo mkdir -p /home/.ecryptfs/$USER
# Make sure $USER owns that
sudo chown $USER:$USER /home/.ecryptfs/$USER
# Rename your /var/lib/ecryptfs/$USER dir to the new location
sudo mv -f /var/lib/ecryptfs/$USER /home/.ecryptfs/$USER/.ecryptfs
# Remove the two symlinks in your mounted home, to .ecryptfs and .Private
rm -f $HOME/.ecryptfs $HOME/.Private
# Establish links to these two dirs
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private
# Unmount home
while ecryptfs-umount-private | grep "Sessions still open"; do
	true
done
# Make your unmounted home writable (briefly)
sudo chmod 700 $HOME
# Move the *real* .Private directory to the new location
mv -f $HOME/.Private /home/.ecryptfs/$USER/
# Remove the .ecryptfs and .Private links
rm -f $HOME/.ecryptfs $HOME/.Private
# Re-establish the .ecryptfs and .Private links
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private
# Mount your home directory again
ecryptfs-mount-private
```
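As an added example (not part of the original post or of the ecryptfs-utils package), the following functions check which of the two layouts a user currently has, verify that the two symlinks in the home directory point into /home/.ecryptfs/$USER after the migration above, and take the ciphertext backup that the new layout makes possible. The function names and their arguments are my own; the roots are parameters (defaulting to the paths named in the post) so the same code can be run against a constructed directory tree rather than the live system.

```sh
#!/bin/sh
# Added example: inspect and back up an encrypted-home layout.
# Function names and argument conventions are assumptions for this example.

# Print "karmic" if the user has the /home/.ecryptfs/$USER layout,
# "jaunty" if the config still lives under /var/lib/ecryptfs, else "none".
#   $1 user, $2 home root (default /home), $3 config root (default /var/lib/ecryptfs)
ecryptfs_layout() {
    user=$1
    home_root=${2:-/home}
    var_root=${3:-/var/lib/ecryptfs}
    if [ -d "$home_root/.ecryptfs/$user/.ecryptfs" ] && \
       [ -d "$home_root/.ecryptfs/$user/.Private" ]; then
        echo karmic
    elif [ -d "$var_root/$user" ]; then
        echo jaunty
    else
        echo none
    fi
}

# Return 0 when $HOME/.ecryptfs and $HOME/.Private are symlinks whose
# targets are the matching directories under /home/.ecryptfs/$USER,
# which is what the migration script is expected to leave behind.
#   $1 user, $2 home root (default /home)
ecryptfs_links_ok() {
    user=$1
    home_root=${2:-/home}
    for name in .ecryptfs .Private; do
        link="$home_root/$user/$name"
        [ -L "$link" ] || return 1
        [ "$(readlink "$link")" = "$home_root/.ecryptfs/$user/$name" ] || return 1
    done
    return 0
}

# Archive the user's lower directory: the ciphertext in .Private plus the
# .ecryptfs config (including wrapped-passphrase). The archive contains no
# plaintext, and restoring it still needs the mount passphrase or the login
# passphrase that unwraps it. Prints the archive path on success.
#   $1 user, $2 destination tar file, $3 home root (default /home)
ecryptfs_backup() {
    user=$1
    dest=$2
    home_root=${3:-/home}
    lower="$home_root/.ecryptfs/$user"
    if [ ! -d "$lower/.Private" ]; then
        echo "no lower directory for $user under $home_root/.ecryptfs" >&2
        return 1
    fi
    tar -C "$home_root/.ecryptfs" -cf "$dest" "$user" || return 1
    echo "$dest"
}
```

On a migrated system, `ecryptfs_layout "$USER"` should print `karmic` and `ecryptfs_links_ok "$USER"` should succeed; `ecryptfs_backup "$USER" /media/backup/$USER-private.tar` then copies only ciphertext, so the archive can sit on untrusted storage and remains unreadable without the mount passphrase.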
ustin
August 7, 2009 at 9:37 am
Great. This is a real improvement! Thanks for this.
/imexil
August 7, 2009 at 3:50 pm
Hi Dustin, thanks for this post.
Could you please explain the above block of commands for Ubuntu 9.04 users a bit? More specifically, I do not have a ~/.Private as long as my encrypted home folder is mounted. So some of the commands will not do anything. Is this okay?
Sorry for being chicken-hearted, but I do not want to break my by now perfect setup.
Thanks again, Kevin.
August 7, 2009 at 4:09 pm
@Kevin-
Done. See inline comments.
August 7, 2009 at 4:36 pm
Great, thanks! I nearly got it. Still, there is no $HOME/.Private in my encrypted home while mounted. Should it be there? (I installed my 9.04 with the "encrypt home folder flag" enabled in the installer as you show in an earlier post. Everything worked fine for months now…)
Regards, Kevin.
August 12, 2009 at 3:44 pm
After running ecryptfs-setup-private I found I had to run "pam-auth-update --force" to get ecryptfs to automount (to get it into the /etc/pam.d/* config files).
Running pam-auth-update by itself complained that there were local modifications to /etc/pam.d/common-* so I had to use --force … I can't quite remember but I may have been monkeying around with pam.d trying to get my finger print reader to work a long time ago…