encrypted home dir tale of woe :-)

Karl Auer kauer at biplane.com.au
Sat Jan 1 01:54:58 UTC 2011


Hi all.

Here's a cautionary tale about encrypted home dirs with maverick.

Installing maverick, I thought I would encrypt my home directory. As
part of the process, I was given a long string of hex digits and told to
take good care of it, so I did - I wrote it down in two locations and
checked them very carefully.

Everything worked fine. A week later, I wanted to change my password, so
I did. Everything still worked fine. Except that not two hours later I
had managed to forget my new password. Argh! Idiot!

No problem, I thought - I'll just reboot into recovery mode and set my
password anew. Did so - but although I could log in with my new
password, it did not unlock my home directory. Oh dear. Clearly the
login password and the encryption key are not directly related. Not sure
why I imagined they would be.

The result on logging in was a bit sad - Nautilus would not start!

No problem, I thought - I'll go get that long string of hex digits that
I so carefully recorded and unlock my home directory the hard way. So I
did that - but the passphrase was not accepted by
ecryptfs-unwrap-passphrase. Yes, I typed it correctly. I would swear
blind that I had written it down correctly too. But I suppose I must not
have.

Ok, so I checked the FAQ:

   Q: What do I do if I have lost my password/passphrase?
   A: Nothing, you're screwed.

So I reinstalled my home dir. Because I back up regularly, I didn't lose
much - only about a day's worth of saved emails.

From this I have learned the following lessons:

- be extraordinarily careful in preserving that passphrase
- test it to make certain you have in fact recorded it correctly
- test a change of password before you use your new encrypted home dir
- backups are good :-)

And I have an open question: If I'd changed my password from inside
Nautilus rather than just using "passwd" on the command line, would it
have done something behind the scenes to allow my home dir to decrypt
using the new password? Or would I have ended up with the same problem? 

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156