Migrating eCryptfs-Encrypted Data to dm-crypt

As of August 2015, filesystem-level encryption using eCryptfs is deprecated. Use this procedure to migrate to dm-crypt.

RHEL 7 does not support eCryptfs. For new installations on RHEL 7, you must use Block-Level Encryption with dm-crypt. If you plan to upgrade to RHEL 7 and are currently using eCryptfs, migrate to dm-crypt before upgrading.

  1. Prepare an empty block device. This can be a physical block device (such as an unused disk) or a virtual block device (for example, a logical block device created by LVM, or a loop device). For instructions on creating a loop device, see Block-Level Encryption with a Loop Device.
  2. Stop any services that depend on the encrypted data being moved.
  3. Prepare a block-level encrypted mount point. See Preparing for Encryption Using Cloudera Navigator Encrypt for details about the procedure. The following example uses a loop device, but the device can be any unused block device:
    $ sudo mkdir /dmcrypt/mountpoint
    $ sudo navencrypt-prepare /dev/loop0 /dmcrypt/mountpoint
  4. Add ACL rules for the new encrypted mount point that match the ACL rules for the mount point you are migrating from. To view existing ACL rules, run sudo navencrypt acl --print.
  5. Add an ACL rule for your preferred shell (for example, /bin/bash) to enable command-line utilities such as mv and cp:
    $ sudo navencrypt acl --add --rule="ALLOW @category * /bin/bash"
  6. Copy the encrypted data from the eCryptfs mount point to the dm-crypt mount point:
    $ sudo cp -rp /ecryptfs/mountpoint/path/to/data /dmcrypt/mountpoint/path/to/data
  7. Update any symbolic links referencing the encrypted data. The following example demonstrates updating a symbolic link for a PostgreSQL database that was originally encrypted using eCryptfs, but has been migrated to dm-crypt:
    $ sudo ls -l /var/lib/db/data/base/16385
    lrwxrwxrwx 1 root root 72 Jul 22 15:33 /var/lib/db/data/base/16385 -> /ecryptfs/mountpoint/postgres/var/lib/db/data/base/16385
    $ sudo ln -sif /dmcrypt/mountpoint/postgres/var/lib/db/data/base/16385 /var/lib/db/data/base/16385
    $ sudo ls -l /var/lib/db/data/base/16385
    lrwxrwxrwx 1 root root 72 Jul 22 15:33 /var/lib/db/data/base/16385 -> /dmcrypt/mountpoint/postgres/var/lib/db/data/base/16385
  8. Remove the ACL rule enabling command-line utilities:
    $ sudo navencrypt acl --del --rule="ALLOW @category * /bin/bash"
  9. Restart any services which depend on the encrypted data.
  10. Verify that the data was successfully copied, then delete the original eCryptfs-encrypted data. Do not delete any data until you are certain that you no longer need the original data.
    1. Stop the navencrypt-mount service:
      $ sudo service navencrypt-mount stop
    2. Remove the original mount point directory and the storage directory holding the original encrypted data.
    3. Edit /etc/navencrypt/ztab and remove entries for the original encrypted directory where eCryptfs is listed as the <type>.
    4. Start the navencrypt-mount service:
      $ sudo service navencrypt-mount start
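A verification pass to run after step 9 and before step 10 deletes the eCryptfs original, added here as an example that is not part of the Navigator Encrypt documentation: it compares content digests and permission bits of the two trees and lists any symlinks that still point into the old mount point. All paths are arguments; the /ecryptfs/mountpoint, /dmcrypt/mountpoint and /var/lib/db values in the usage line are the illustrative ones from the procedure above.

```shell
#!/bin/sh
# Added example, not from the Navigator Encrypt documentation: checks to run
# before step 10 deletes the eCryptfs original. All paths are arguments; the
# procedure's /ecryptfs/mountpoint, /dmcrypt/mountpoint and /var/lib/db in the
# usage line are illustrative.

# manifest DIR: sorted listing of a tree with paths relative to DIR, so the
# source and destination trees compare directly: SHA-256 of every regular
# file, then mode, owner and group of every entry (cp -p preserves these).
manifest() {
    ( cd "$1" || exit 1
      find . -type f -exec sha256sum {} +
      find . -printf '%m %u %g %p\n' ) | LC_ALL=C sort
}

# verify_copy SRC DST: returns 0 when both manifests match, 1 otherwise;
# diff prints any difference ('<' only in SRC, '>' only in DST).
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    manifest "$1" > "$a"
    manifest "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# stale_links DIR OLDMOUNT: prints symlinks under DIR whose target is still
# OLDMOUNT or below it (links step 7 missed); returns 1 if any were found.
stale_links() {
    [ -d "$1" ] || return 1
    found=$(find "$1" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in
            "$2"|"$2"/*) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage: sh verify_migration.sh /ecryptfs/mountpoint /dmcrypt/mountpoint /var/lib/db
if [ $# -eq 3 ]; then
    verify_copy "$1" "$2" && echo "copy matches source"
    stale_links "$3" "$1" || echo "fix the symlinks listed above before deleting"
fi
```

Run it as root so every file under both mount points is readable; a non-empty diff or any listed symlink means the original is not yet safe to remove.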