ecryptfs default config

[John Moser]

did you change your password from your account or using the root account?

It looks like pam actually stores encryption keys in /var/lib/ somewhere 
and can re-cypher them.  That only works if you enter the previous 
password when changing passwords, though (which I hadn't considered, 
since normally when you init=/bin/bash you drop straight to root...)

On 09/02/2012 09:37 AM, Damian Ivanov wrote:
> Hi John,
>
> I appreciate your fast answer!
> So what can I do to prevent this default behaviour? e.g if password
> gets changed data is unreadable unless to have the secret key?
> Wouldn't this be a more reasonable default?
>
> Best regards,
> Damian
>
> 2012/9/2 John Moser <john.r.moser at gmail.com>:
>> Yes that would indicate that there's a key stored somewhere that doesn't
>> need a known secret, unless pam is storing a key and re-crypting it when you
>> change passwords (unlikely).
>>
>>
>> On 09/02/2012 09:16 AM, Damian Ivanov wrote:
>>> Hi folks,
>>>
>>> I just did an ubuntu 12.04 fresh install and I wanted to test
>>> something in ecryptfs. So basically I selected during install to
>>> require password to login and to encrypt home folder. I logged in and
>>> created secret.txt on my desktop and shut down. I booted up again but
>>> in bootloader I appended init=/bin/bash booted into the root shell,
>>> did a
>>> mount -o remount,rw / and passwd $my_user set a new password and
>>> rebooted.  After reboot I logged into $my_user account with the new
>>> password. secret.txt is readable and all other files too. Is this the
>>> expected behaviour?! If yes isn't it better to change the behaviour to
>>> something more secure...
>>>
>>> Regards,
>>> Damian
>>>