The encrypted home directory (and encrypted private folder) features make use of a random mount passphrase. This mount passphrase is then stored encrypted with the user's login password. On login, the user's password is used to decrypt the mount passphrase and the key is used to mount the home directory.
When you perform a normal password change where the old password is requested before entering the new one, the mount passphrase can be re-encrypted with the new login password. When you perform an administrative password change, this can't be done since the key used to decrypt the mount passphrase is not provided.
In order to get into the encrypted home directory now, you will need one of the following:
- the old login password for the account.
- the mount passphrase used when you set up the encrypted home directory (you would have been told to write this down somewhere).
If you have either of these, you should be able to access the data by running the following command and following the prompts:
sudo ecryptfs-recover-private /home/user
If you do not have either of these pieces of information, then the information is lost. This is by design, since if you could access the data under these circumstances then so could an attacker.
If you're using ecryptfs (it's the standard way to encrypt home folders, so you probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd); they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).
ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.
But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.
Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it with your new user passphrase. Here's a clip from its man page:
NAME
       ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase, re-wrap it with a new passphrase, and write it back to file.
SYNOPSIS
       ecryptfs-rewrap-passphrase [file]
       printf "%s\n%s" "old wrapping passphrase" "new wrapping passphrase" | ecryptfs-rewrap-passphrase [file] -
But I'd make a backup copy of any files before running that on them. (P.S. you don't need to use the printf ... format; it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases.)
And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.
See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs
Best Answer
There is no need to re-encrypt your home directory, and no further steps need to be taken.
Your home directory is not directly encrypted with your password. Instead, the passphrase used to encrypt the home directory is itself encrypted with your password.
When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password.
This is handled via PAM (Pluggable Authentication Modules), so should work with any password change tool. The exception is administrative password changes where the original password is not provided. This is expected behaviour though: if the administrator could decrypt your files without knowing your password then there would be no actual protection.
In the case you perform an administrative password change, after mounting your home directory with
and your old password, issue
to change the unwrapping password to match your new one. This way your home directory will be auto-mounted at login, just as it used to.
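The wrapping scheme that both the first answer and the accepted answer describe (a random mount passphrase that is itself encrypted under the login password, re-wrapped on a normal password change, and unrecoverable after an administrative reset) can be modelled in a few dozen lines. The following is an added example written for this page, not eCryptfs's code, its wrapped-passphrase file format, or its key-derivation parameters: the PBKDF2 work factor, the HMAC-based stream cipher and the sample passwords are all constructed here to illustrate the design, and the function names are this example's own.

```python
"""Model of a login-password-wrapped mount passphrase (added example).

This is NOT eCryptfs's real wrapped-passphrase format; it is a simplified model
of the same design: a random mount passphrase is wrapped (encrypted and
authenticated) under a key derived from the login password, so a password
change can re-wrap it only when the old password is available.
"""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumption: illustrative PBKDF2 work factor only


def _wrapping_key(login_password: str, salt: bytes) -> bytes:
    # 64 derived bytes: the first 32 seed the keystream, the last 32 key the MAC.
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt,
                               KDF_ITERATIONS, dklen=64)


def _keystream(seed: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (a toy stream cipher built here so
    # the example runs with the standard library alone).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_passphrase(mount_passphrase: bytes, login_password: str) -> bytes:
    """Return salt || ciphertext || tag: the mount passphrase wrapped under the login password."""
    salt = os.urandom(16)
    key = _wrapping_key(login_password, salt)
    stream = _keystream(key[:32], len(mount_passphrase))
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, stream))
    tag = hmac.new(key[32:], salt + ct, "sha256").digest()  # encrypt-then-MAC
    return salt + ct + tag


def unwrap_passphrase(wrapped: bytes, login_password: str) -> bytes:
    """Recover the mount passphrase; raise ValueError if the login password is wrong."""
    salt, ct, tag = wrapped[:16], wrapped[16:-32], wrapped[-32:]
    key = _wrapping_key(login_password, salt)
    expected = hmac.new(key[32:], salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong login password: cannot unwrap mount passphrase")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], len(ct))))


def rewrap_passphrase(wrapped: bytes, old_password: str, new_password: str) -> bytes:
    """What a normal (PAM-assisted) password change does: unwrap with the old
    password, wrap again with the new one. Impossible without the old password."""
    return wrap_passphrase(unwrap_passphrase(wrapped, old_password), new_password)


def simulate_password_changes() -> dict:
    """Walk through the three cases the answers describe and report the outcome."""
    mount_passphrase = os.urandom(32)  # random key generated when the home was set up
    wrapped = wrap_passphrase(mount_passphrase, "hunter2")  # constructed sample password

    # Normal change: the old password is known, so the wrapped file is updated.
    wrapped_after_normal = rewrap_passphrase(wrapped, "hunter2", "correct-horse")
    normal_ok = unwrap_passphrase(wrapped_after_normal, "correct-horse") == mount_passphrase

    # Administrative reset: the account password changes, but the wrapped file
    # cannot be updated because nothing could unwrap it without the old password.
    try:
        unwrap_passphrase(wrapped, "admin-reset-pw")
        admin_ok = True
    except ValueError:
        admin_ok = False

    # Recovery: the old password still unwraps the untouched wrapped file.
    recover_old = unwrap_passphrase(wrapped, "hunter2") == mount_passphrase
    return {"normal_change_keeps_access": normal_ok,
            "admin_reset_keeps_access": admin_ok,
            "old_password_recovers": recover_old}


if __name__ == "__main__":
    print(simulate_password_changes())
```

The point of the model is the asymmetry it makes concrete: `rewrap_passphrase` is the only path that updates the wrapped file, and it needs the old password as input, which is exactly why an administrative reset leaves the home directory mountable only with the old password or the raw mount passphrase.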