Ubuntu – Can root see the encrypted /home folder

ecryptfsencryptionpasswordpermissions

Just wondering if I use ecryptfs to encrypt my /home folder

sudo ecryptfs-migrate-home -u username

Can another user with root privilege change my password, then login my account using the new password see my encrypted /home?

If I change my own password, I suppose I can still access my encrypted /home , how is it different from root changing my password and login as me?

Best Answer

Short answer: Yes and no.

Can root see my encrypted /home folder?

Yes. As long as you are logged in, root as well as any sudo user can see your decrypted files. Also, when you wake up from sleep, your /home will still be decrypted.

Also there is a bug in ecryptfs that prevents unmounting the decrypted /home folder at logout. You should instead shutdown or restart the machine or manually unmount the folder from another sudo/root user. See this question for more information.

Can another user with root privilege change my password, then login my account using the new password see my encrypted /home?

No. Your /home folder is not encrypted with your password, but with a passphrase which is encrypted with your password. Another user changing your password will not affect the passphrase.

At the first login after an administrative password change, you have to mount your encrypted home manually and rewrap the passphrase. For these tasks you need your old and the new password

ecryptfs-mount-private
ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password. This is handled via PAM (Pluggable Authentication Modules) (via).

See this related question.

Related Solutions

Ubuntu – Ecryptfs – Encrypt second folder (for dropbox) in addition to encrypted home folder

eCryptFS is not designed for cloud storage. It assumes it is the only application accessing your ciphertexts and runs into undefined behavior when some other application (say your Dropbox client) modifies them. EncFS also has its problems as explained here.

You might want to take a look at CryFS https://www.cryfs.org

Ubuntu – Changed password – now can’t login to the account (full disk encyption + encrypted home folder)

For completeness' sake, I post the solution we found during our conversation in the comments section as an answer:

First of all, you are probably able to boot into your Linux system, you may just not be able to log in graphically, since graphical login usually tries to read/write in your home directory. You can still try to log in using a virtual console (Ctrl + Alt + F1) and work from there.

Using a Live CD instead should also work. You can mount your encrypted system partition from the Live CD, too. For example, you can run gnome-disk-utility on your Live CD and decrypt+mount your system partition from there graphically.

Also, watch out that the instructions in the linked tutorial assume that you are logged in as the user whose home you want to rescue. If you are logged in as another user (e.g. root), then replace the command

ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

by something like

ecryptfs-rewrap-passphrase /home/[the-user-you-whose-home-you-want-to-rewrap]/.ecryptfs/wrapped-passphrase

or (on a Live CD) by something like

ecryptfs-rewrap-passphrase /[wherever-you-temporarily-mounted-the-home-partition]/[the-user-you-whose-home-you-want-to-rewrap]/.ecryptfs/wrapped-passphrase

Best Answer

Related Solutions

Ubuntu – Ecryptfs – Encrypt second folder (for dropbox) in addition to encrypted home folder

Ubuntu – Changed password – now can’t login to the account (full disk encyption + encrypted home folder)

Related Question