Ubuntu – ecryptfs and login passphrase vs mount passphrase

Tags: ecryptfs, encryption, password

I installed ecryptfs-utils and used it to create a Private encrypted folder in my home directory.

During creation of Private encrypted folder I was asked for a login passphrase and a mount passphrase. As far as I understood the login passphrase should match my Ubuntu user login password and the mount passphrase should be required to access the encrypted folder.

To my surprise, instead, whenever I want to mount my Private folder by running the command ecryptfs-mount-private, I am asked for my login passphrase instead of my mount passphrase. Is this how ecryptfs is expected to behave?

I thought that the two passphrases were a double protection in case someone cracks my login password, to protect my most private data.

So, what is the mount passphrase useful for, and when (and by whom) is it required?

Best Answer

These are not my words, but I cannot explain it better …

login passphrase

This is the password you will have to enter each time you want to mount the encrypted directory. If you want auto-mounting on login to work, it has to be the same password you use to login to your user account.

mount passphrase

This is used to derive the actual file encryption master key. Thus, you should not enter a custom one unless you know what you are doing - instead press Enter to let it auto-generate a secure random one. It will be encrypted using the login passphrase and stored in this encrypted form in ~/.ecryptfs/wrapped-passphrase. Later it will automatically be decrypted ("unwrapped") again in RAM when needed, so you never have to enter it manually. Make sure this file does not get lost, otherwise you can never access your encrypted folder again! You may want to run ecryptfs-unwrap-passphrase to see the mount passphrase in unencrypted form, write it down on a piece of paper, and keep it in a safe (or similar), so you can use it to recover your encrypted data in case the wrapped-passphrase file is accidentally lost/corrupted or in case you forget the login passphrase.

Source
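The key hierarchy the answer describes (login passphrase unlocks the wrapped mount passphrase; the mount passphrase, not the login one, is what the file encryption key comes from) as an added, stand-alone illustration. This is not ecryptfs-utils code and not its on-disk wrapped-passphrase format; the names `wrap`, `unwrap`, `rewrap` and `file_master_key` are assumptions, and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is a stdlib-only stand-in for the real AES wrapping.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative stand-in for ecryptfs key wrapping (assumed names, not the real format).
KDF_ITERS = 100_000

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a human login passphrase into a 32-byte wrapping key (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, KDF_ITERS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib-only stand-in for AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]

def wrap(mount_passphrase: bytes, login_passphrase: str) -> bytes:
    """Encrypt ("wrap") the mount passphrase under the login-derived key.
    Layout of the wrapped blob: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k = derive_key(login_passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, _keystream(k, nonce, len(mount_passphrase))))
    tag = hmac.new(k, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag

def unwrap(wrapped: bytes, login_passphrase: str) -> Optional[bytes]:
    """Recover the mount passphrase in memory; None means the login passphrase is wrong."""
    salt, nonce, ct, tag = wrapped[:16], wrapped[16:32], wrapped[32:-32], wrapped[-32:]
    k = derive_key(login_passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(k, salt + nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, nonce, len(ct))))

def rewrap(wrapped: bytes, old_login: str, new_login: str) -> bytes:
    """Changing the login passphrase only re-encrypts the blob; the mount passphrase is unchanged."""
    mp = unwrap(wrapped, old_login)
    if mp is None:
        raise ValueError("old login passphrase rejected")
    return wrap(mp, new_login)

def file_master_key(mount_passphrase: bytes) -> bytes:
    """The file encryption key depends only on the mount passphrase, never on the login one."""
    return hashlib.sha512(mount_passphrase).digest()[:32]
```

Losing the wrapped blob while still holding the mount passphrase leaves `file_master_key` recoverable, which is why the answer suggests writing the unwrapped mount passphrase down; losing both leaves nothing to derive the key from.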
