Ubuntu – Change the passphrase of an ecryptfs directory


I want to have an encrypted directory (not homedir!) let's say /testdata.

I have used the following command and parameters to encrypt it:

root@pc:~# mount -t ecryptfs /testdata/ /testdata/
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [b9fc92f854a4c85b]: 
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [b9fc92f854a4c85b] to
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

This command creates this file:

root@pc:~# cat .ecryptfs/sig-cache.txt 

Now I want to change the passphrase I used before. I found the ecryptfs-rewrap-passphrase command but I am not sure if I am on the right path:

root@pc:~# ecryptfs-rewrap-passphrase .ecryptfs/sig-cache.txt 
Old wrapping passphrase: 
New wrapping passphrase: 
New wrapping passphrase (again): 
Error: Unwrapping passphrase failed [-5]
Info: Check the system log for more information from libecryptfs

/var/log/syslog says:

Jul 13 13:16:19 pc ecryptfs-rewrap-passphrase: ecryptfs_unwrap_passphrase: PK11_CipherOp() error; SECFailure = [-1]; PORT_GetError() = [-8188]

I have a newbie status in regards to ecryptfs and I would appreciate some enlightenment here.

Best Answer

I see you are trying to push the password in a file that is having other meaning.

ecryptfs-rewrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase 

or most certainly… but better search manually for the wrapped-passphrase in your .ecryptfs hidden directory:

ecryptfs-rewrap-passphrase /home/$USER/.ecryptfs/wrapped-passphrase

I think this is the right command for changing the password, where $USER is your user

P. S.: Better not to be logged in and with your folder decrypted.