encrypted home dir tale of woe :-)

Karl Auer kauer at biplane.com.au
Sun Jan 2 10:35:16 UTC 2011


On Sun, 2011-01-02 at 11:35 +0200, Marius Gedminas wrote:
> there's nothing pam_gnome_keyring can do.  This is a design thing: the
> keyring is encrypted with the keyring password, so that nobody can
> access any data inside it if they get the encrypted file.  If you forget
> the password, you lose your keyring, and the filesystem encryption
> passphrase with it.

Losing my keyring was not a problem - I had all the keys that would have
been stored within it, and the login password is by definition external
to it. The problem was that the forgotten password was *also* the key to
the encrypted dir.

Upon encrypting my home dir during the Maverick install, I was given a
long hex passphrase to store safely. I was informed that this would
allow decryption of my home dir if my login password ever got lost. I
seem to recall it actually saying that the encryption key was normally
the login password.

So I'm fairly sure that your theory is incorrect, though I appreciate
the thought :-)

What irritates me most is that the passphrase did not work. I realise
there is no way now to prove it, but I am pretty much certain I neither
recorded it incorrectly nor entered it incorrectly.

> When you say Nautilus, I assume you mean the GNOME "About Me" dialog?

Yes.

> There's an open bug against it:
> 
>   https://bugzilla.gnome.org/show_bug.cgi?id=616703
>   https://bugs.launchpad.net/gnome-keyring/+bug/416825
>   https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/268731

I'm not so sure this is a bug, but whichever way it is supposed to work
it should do so consistently.

> so, no, it appears that changing the password that way is a sure way to
> lose access to your encrypted home directory.

Again, the sequence you describe does indeed lose the encrypted dir IFF
you no longer have the old password to unlock the keyring AND you don't
have the original passphrase.

> To summarize:
> 
>   $ passwd as user --> safe
>   # passwd as root --> breaks access to encrypted homes
>   $ gnome-about-me --> breaks access to encrypted homes

I think that should be "breaks access to keyring" - but even then it's
only if you've actually lost the original keyring password. If you
haven't, you can use the appropriate utility to set the keyring password
to match your login password (which should arguably be automatic).

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
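The thread describes a wrapped-passphrase design: the filesystem is protected by a random mount passphrase, that passphrase is stored on disk encrypted under the login password, and the same passphrase is shown once in hex as a recovery key. The model below is an added illustration written for this page, not code from the thread, from eCryptfs or from Ubuntu, and its KDF, cipher and "shadow" check are constructed stand-ins rather than the real file format. It shows why `passwd` run by the user (which can rewrap because it knows the old password) keeps access, why `passwd` run by root (which never sees the old password and so cannot rewrap) breaks it, and why the recovery hex still works afterwards.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed model of a wrapped-passphrase encrypted home (NOT eCryptfs's format):
# - a random mount passphrase is the real key material;
# - it is stored wrapped (encrypted + authenticated) under a key derived from
#   the login password;
# - its hex form, shown once at setup, is the recovery passphrase.


@dataclass
class WrappedPassphrase:
    salt: bytes
    ciphertext: bytes
    tag: bytes


def _wrap_key(password: str, salt: bytes) -> bytes:
    # Password -> wrapping key. Iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; safe to XOR with only because each wrap uses a fresh salt.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap(mount_passphrase: bytes, login_password: str) -> WrappedPassphrase:
    salt = os.urandom(16)
    key = _wrap_key(login_password, salt)
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, _keystream(key, len(mount_passphrase))))
    tag = hmac.new(key, salt + ct, "sha256").digest()  # encrypt-then-MAC
    return WrappedPassphrase(salt, ct, tag)


def unwrap(w: WrappedPassphrase, login_password: str) -> Optional[bytes]:
    key = _wrap_key(login_password, w.salt)
    expected = hmac.new(key, w.salt + w.ciphertext, "sha256").digest()
    if not hmac.compare_digest(w.tag, expected):
        return None  # wrong password: file intact on disk, but unreadable
    return bytes(a ^ b for a, b in zip(w.ciphertext, _keystream(key, len(w.ciphertext))))


class EncryptedHome:
    def __init__(self, login_password: str):
        self.mount_passphrase = os.urandom(16)
        self.recovery_hex = self.mount_passphrase.hex()  # "store this safely"
        self.shadow_salt = os.urandom(8)                 # stand-in for crypt(3) in /etc/shadow
        self.shadow = self._shadow(login_password)
        self.wrapped = wrap(self.mount_passphrase, login_password)

    def _shadow(self, password: str) -> bytes:
        return hashlib.sha256(self.shadow_salt + password.encode()).digest()

    def login(self, password: str) -> bool:
        # Account password check first, then the PAM-style attempt to unwrap the home.
        if not hmac.compare_digest(self.shadow, self._shadow(password)):
            return False
        return unwrap(self.wrapped, password) == self.mount_passphrase

    def mount_with_recovery(self, recovery_hex: str) -> bool:
        return hmac.compare_digest(bytes.fromhex(recovery_hex), self.mount_passphrase)

    def passwd_as_user(self, old: str, new: str) -> bool:
        # The user supplies the old password, so the mount passphrase can be rewrapped.
        mp = unwrap(self.wrapped, old)
        if mp is None:
            return False
        self.shadow = self._shadow(new)
        self.wrapped = wrap(mp, new)
        return True

    def passwd_as_root(self, new: str) -> None:
        # Root never supplies the old password: the shadow entry changes,
        # the wrapped passphrase does not, and the two no longer match.
        self.shadow = self._shadow(new)


def demo() -> dict:
    home = EncryptedHome("hunter2")
    r = {"initial_login": home.login("hunter2")}
    home.passwd_as_user("hunter2", "correct horse")
    r["after_user_passwd"] = home.login("correct horse")
    home.passwd_as_root("battery staple")
    r["after_root_passwd"] = home.login("battery staple")   # shadow ok, unwrap fails
    r["old_password_after_root"] = home.login("correct horse")  # shadow check fails
    r["recovery_after_root"] = home.mount_with_recovery(home.recovery_hex)
    return r
```

`demo()` walks the sequence from the summary in the thread: user-run `passwd` keeps the home mountable, root-run `passwd` leaves an account whose new password no longer unwraps anything and whose old password no longer logs in, and only the recovery hex recorded at setup still opens it. The authenticated wrap is what turns a wrong password into a clean failure instead of silently wrong key material.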