encrypted home directory / wrapped-passphrase

C de-Avillez hggdh2 at ubuntu.com
Sat Jul 21 16:37:01 UTC 2012


On Thu, 19 Jul 2012 14:26:35 -0700
scar <scar at drigon.com> wrote:

> hi i used the ecryptfs-migrate-home command to encrypt my home
> directory, and during that process i am told:
> 
> ************************************************************************
> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE
> LOCATION. ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER
> TIME.
> ************************************************************************

Yes. This encrypted passphrase should be saved -- unencrypted (and
probably re-encrypted with another key). 
 
> so i run that command and get the ~/.ecryptfs/wrapped-passphrase file,
> which it seems to me should be moved elsewhere, like removable
> storage, since it sounds like this file is to be used when i forget
> my password.

No, this file should be kept there -- otherwise it will not be possible
to decrypt your ecryptfs.


> 
> however, when i move that file, my home directory no longer gets
> decrypted when i log in and i get all these errors starting with one
> about .ICEauthority file or something.

Yep -- the ecryptfs utils will automagically decrypt this passphrase,
and pass it over to the ecryptfs -- which will, then, be able to mount
and use your home directory.

> 
> if i move that wrapped-passphrase file back to ~/.ecryptfs then things
> get decrypted when i log in.  so it seems like that file is necessary
> but it's also stored in an unencrypted location for whoever steals my
> computer to use to decrypt my home directory, defeating the whole
> point of encryption.  i guess i'm obviously not understanding
> something here, can someone clarify?  thanks

You might be interested in the stackexchange page about ecryptfs [1] --
a lot of questions and answers about ecryptfs.

There is also an escrow service from Gazzang [2].

Cheers,

..C..



[1] http://stackexchange.com/search?q=ecryptfs
[2] http://gazzang.com/products/zescrow



More information about the ubuntu-users mailing list