ecryptfs questions
sktsee
sktseer at gmail.com
Sun Apr 5 00:30:35 UTC 2015
On Sat, 04 Apr 2015 15:15:03 +0200, Petter Adsen wrote:
> I have a ~/Private that is encrypted with ecryptfs, set up by the
> installer. To me, this is preferable to encrypting the entire /home disk
> with LUKS, as my machine doesn't have AES-NI extensions, and I can pick
> out what I want to be encrypted.
>
> However, the installer set it up so that it is mounted on login. I can
> understand that this is convenient to many people, but I would rather be
> prompted for a separate passphrase or have to run a script that mounts
> it and asks for the passphrase, to provide a second layer for anyone
> trying to get to my private data.
>
> I assume the automatic authorization on login is somehow happening
> through PAM. Is there an easy way to disable this, so that I have to
> provide the passphrase that differs from my login password?
Yes.
****YOU SHOULD BACKUP, COPY, ARCHIVE, MEMORIZE, ETC. ALL YOUR DATA BEFORE
PERFORMING THE FOLLOWING STEPS.*****
Best to do this in a virtual terminal (ALT-F1) rather than logged into a
GUI session since you have ~/.cache in Private.
1. Unmount your encrypted directory
$ ecryptfs-umount-private
2. Set up a new wrap passphrase independent from your login
$ ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase
3. Write down mount passphrase for recovery purposes
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
4. Create an empty file to indicate an independent passphrase for PAM
$ touch ~/.ecryptfs/wrapping-independent
5. Logout
6. Login and you should be prompted for "Encrypted Password:" (the
password you created in Step 2) after the regular login password prompt.
This also goes for the lightdm login.
>
> Also, I have moved all private ssh/gpg keys, some documents, the
> KeepassX db, etc into ~/Private, along with ~/.cache, ~/.mozilla and my
> mail folder. Can anyone else think of anything I might have missed that
> might contain things that should be kept private?
>
> (Yes, ~/.cache might be overkill, but I didn't want to dig into what's
> actually in it.)
>
I think some programs (like Pidgin, or Xchat) keep unencrypted passwords
in their config files that are either located within their named
directory, or in ~/.config.
--
sktsee
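The steps in the reply above, collected into a small POSIX shell helper with the checks a careful admin would run first (refuse to rewrap while ~/Private is still mounted, skip if the flag file already exists, keep a copy of the old wrapped-passphrase file). This is an added example, not code from sktsee's post or from the ecryptfs-utils package; it assumes the Ubuntu installer's default paths (~/Private, ~/.ecryptfs/wrapped-passphrase) and that the ecryptfs-* commands named in the post are installed. The function names are my own.

```shell
#!/bin/sh
# Added helper (not from the thread): performs steps 1-4 of the reply with
# pre-checks. Assumes the installer's default layout under $HOME.
set -eu

# Returns 0 if the mounts table $1 (normally /proc/mounts) lists an ecryptfs
# mount at $2. Parameterised so it can be exercised against a constructed file.
private_is_mounted() {
    while read -r _dev mp fstype _rest; do
        [ "$mp" = "$2" ] && [ "$fstype" = "ecryptfs" ] && return 0
    done < "$1"
    return 1
}

# Returns 0 when the flag from step 4 already exists under home dir $1,
# i.e. pam_ecryptfs will already prompt for a separate passphrase.
already_independent() {
    [ -f "$1/.ecryptfs/wrapping-independent" ]
}

switch_to_independent_passphrase() {
    home="${1:-$HOME}"
    wrapped="$home/.ecryptfs/wrapped-passphrase"
    [ -f "$wrapped" ] || { echo "no $wrapped; is ~/Private set up?" >&2; return 1; }
    if already_independent "$home"; then
        echo "wrapping-independent already present; nothing to do" >&2; return 0
    fi
    # Step 1: unmount, and stop if something (e.g. a GUI session using
    # ~/.cache inside Private) still holds the mount.
    ecryptfs-umount-private || true
    if private_is_mounted /proc/mounts "$home/Private"; then
        echo "$home/Private still mounted; log out of the GUI and retry from a VT" >&2
        return 1
    fi
    # Keep the old wrapped passphrase so an interrupted rewrap is recoverable.
    cp -p "$wrapped" "$wrapped.bak.$(date +%s)"
    # Step 2: rewrap the mount passphrase with a passphrase that is not the login password.
    ecryptfs-rewrap-passphrase "$wrapped"
    # Step 3: reveal the mount passphrase so it can be written down for recovery.
    echo "Write down this mount passphrase and keep it offline:" >&2
    ecryptfs-unwrap-passphrase "$wrapped"
    # Step 4: tell PAM to prompt for the independent passphrase at login.
    touch "$home/.ecryptfs/wrapping-independent"
    echo "Done. Log out; the next login should ask for 'Encrypted Password:'." >&2
}
```

Run `switch_to_independent_passphrase` from a virtual terminal, then log out and back in as the post describes.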