The best way to recover is by using the ecryptfs-recover-private utility from a LiveISO.
I say that because this will ensure that your recovery happens in a safe, repeatable, read-only environment.
That said, you certainly can run ecryptfs-recover-private on a running system. But I'd strongly recommend that you log out all instances of the user you're trying to recover, and then login as root or some other user.
If you're using ecryptfs (it's the standard way to encrypt home folders, so you probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd), they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).

ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.

But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.

Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it with your new user passphrase. Here's a clip from its man page:
    NAME
           ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase, re-wrap it with a new passphrase, and write it back to file.

    SYNOPSIS
           ecryptfs-rewrap-passphrase [file]

           printf "%s\n%s" "old wrapping passphrase" "new wrapping passphrase" | ecryptfs-rewrap-passphrase [file] -
But I'd make a backup copy of any files before running that on them. (ps. you don't need to use the printf... format, it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases).

And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.

See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs
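The "back up the wrapped passphrase file first, then re-wrap it" procedure from the answer above, written out as a POSIX shell script. This is an added example, not code from either answer or from the ecryptfs-utils project. It assumes the ecryptfs-utils tools named in the thread are installed, and that the wrapped passphrase lives at ~/.ecryptfs/wrapped-passphrase (the default on Ubuntu; the answer does not name the path, so treat it as an assumption and pass your own if it differs). Passphrases are never taken as command-line arguments (they would show up in the process list); they are read on stdin, exactly as the man page excerpt shows, or prompted for when stdin is a terminal.

```shell
#!/bin/sh
# Added example, not from the original answers or from ecryptfs-utils.
# Assumption: default Ubuntu location of the wrapped passphrase file.
WRAPPED_DEFAULT="$HOME/.ecryptfs/wrapped-passphrase"

# backup_wrapped_passphrase FILE [DIR]
# Copy FILE into DIR (default: FILE's own directory) with a timestamp suffix,
# owner-only permissions, and verify the copy byte for byte.
# Prints the backup path on success, returns non-zero on any failure.
backup_wrapped_passphrase() {
    src="$1"
    dir="${2:-$(dirname "$src")}"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dest="$dir/$(basename "$src").bak.$(date +%Y%m%d%H%M%S)"
    # umask in a subshell so the caller's umask is untouched
    ( umask 077 && cp "$src" "$dest" ) || return 1
    cmp -s "$src" "$dest" || { echo "backup verification failed: $dest" >&2; return 1; }
    echo "$dest"
}

# rewrap_wrapped_passphrase [FILE]
# Back up FILE, then re-wrap it with ecryptfs-rewrap-passphrase. If stdin is
# a terminal the tool prompts for the old and new login passphrases itself;
# otherwise they are read from stdin as "old\nnew" (man page format).
rewrap_wrapped_passphrase() {
    file="${1:-$WRAPPED_DEFAULT}"
    command -v ecryptfs-rewrap-passphrase >/dev/null 2>&1 || {
        echo "ecryptfs-rewrap-passphrase not found; install ecryptfs-utils" >&2
        return 127
    }
    backup_wrapped_passphrase "$file" >/dev/null || return 1
    if [ -t 0 ]; then
        ecryptfs-rewrap-passphrase "$file"
    else
        ecryptfs-rewrap-passphrase "$file" -
    fi
}

# show_mount_passphrase [FILE]
# Print the real (unwrapped) mount passphrase the answer says you should keep
# a copy of. Reads the login passphrase from stdin, or prompts on a terminal.
# Store the output somewhere offline; anyone holding it can mount the home.
show_mount_passphrase() {
    file="${1:-$WRAPPED_DEFAULT}"
    command -v ecryptfs-unwrap-passphrase >/dev/null 2>&1 || {
        echo "ecryptfs-unwrap-passphrase not found; install ecryptfs-utils" >&2
        return 127
    }
    if [ -t 0 ]; then
        ecryptfs-unwrap-passphrase "$file"
    else
        ecryptfs-unwrap-passphrase "$file" -
    fi
}

# Stand-alone usage (nothing runs when sourced without arguments):
#   sh rewrap.sh rewrap            # prompts for old and new login passphrase
#   sh rewrap.sh unwrap > pass.txt # saves the mount passphrase
#   printf '%s\n%s' "$OLD" "$NEW" | sh rewrap.sh rewrap /path/to/wrapped-passphrase
case "${1:-}" in
    rewrap) rewrap_wrapped_passphrase "${2:-}" ;;
    unwrap) show_mount_passphrase "${2:-}" ;;
esac
```

Run it as root or as a different user while the affected user is logged out, as the first answer recommends, so nothing holds the home mounted while the file is rewritten; the timestamped copy lets you restore the original wrapped-passphrase file if the re-wrap step fails partway.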
Best Answer
It should be stable.

Password changes should not be a problem with one caveat: you need to use a user level password change tool (e.g. from the About Me window, or running the command line passwd tool without root privileges). The encryption keys used for home folder encryption are themselves encrypted with your password. The normal password change process requires you to enter both your original and new passwords, so is able to re-encrypt these keys seamlessly. If you instead use an administrative password change (i.e. one that doesn't require your existing password), then this is not possible.

As expected, if you forget your existing password, you will lose access to your files if you have encrypted your home directory.