Ubuntu – How to regain access to the encrypted home directory after changing the password

12.04ecryptfs

On 12.04 LTS x64, I changed my user password via the User Accnts tool. After that I was unable to login again with my new password since my home directory is encrypted and the above-described bug does not allow decryption of the home directory with the new login password.
The passphrase to decrypt the home directory is saved in a folder on my encrypted home directory.

Is there any way to recover this passphrase and unlock my home directory?
Do not have separate record of the decryption passphrase. I still have a functioning Guest Account to which I have access, but I am not clear whether I can somehow gain access to the files in my encrypted user home directory while logged in as Guest and without having the decrypt passphrase. Please advise asap.

Best Answer

If you're using ecryptfs (it's the standard way to encrypt home folders, so probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd), they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).

ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.

But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.

Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it it with your new user passphrase. Here's a clip from it's man page:

NAME
   ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase, re‐
   wrap it with a new passphrase, and write it back to file.

SYNOPSIS
   ecryptfs-rewrap-passphrase [file]

   printf "%s\n%s" "old wrapping passphrase" "new wrapping  passphrase"  |
   ecryptfs-rewrap-passphrase [file] -

But I'd make a backup copy of any files before running that on them. (ps. you don't need to use the printf... format, it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases).

And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.

See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs

Related Solutions

Ubuntu – Encrypted Home directory not auto mounting

Okay, so while it's possible to use SSH Public Key authentication to log into your system without entering a password (even if your home directory is encrypted), it's not possible to automatically mount your encrypted home directory.

To solve this, you'll need to add a line to the end of your unmounted $HOME/.profile:

ecryptfs-mount-private

This will ensure that after you've logged in using SSH Public Key authentication, you'll be prompted for your password and will mount your encrypted data. If it's already mounted, then this command should just silently succeed.

Enjoy!

Full disclosure: I'm one of the authors and maintainers of eCryptfs.

Ubuntu – Encrypted Home… Forgotten Password, but no Passphrase

The encrypted home directory (and encrypted private folder) features make use of a random mount passphrase. This mount passphrase is then stored encrypted with the user's login password. On login, the user's password is used to decrypt the mount passphrase and the key is used to mount the home directory.

When you perform a normal password change where the old password is requested before entering the new one, the mount passphrase can be re-encrypted with the new login password. When you perform an administrative password change, this can't be done since the key used to decrypt the mount passphrase is not provided.

In order to get in to the encrypted home directory now, you will need one of the following:

the old login password for the account.
the mount passphrase used when you set up the encrypted home directory (you would have been told to write this down somewhere).

If you have either of these, you should be able to access the data by running the following command and following the prompts:

sudo ecryptfs-recover-private /home/user

If you don not have either of these pieces of information, then the information is lost. This is by design, since if you could access the data under these circumstances then so could an attacker.

Best Answer

Related Solutions

Ubuntu – Encrypted Home directory not auto mounting

Ubuntu – Encrypted Home… Forgotten Password, but no Passphrase

Related Question