Encryption – Will Changing Password Re-encrypt Home Directory

Tags: ecryptfs, encryption, password

I need to change my user password. Do I need to take any extra steps for my encrypted home directory to become inaccessible with my old password and only accessible with my new password?

Best Answer

There is no need to re-encrypt your home directory, and no further steps need to be taken.

Your home directory is not directly encrypted with your password. Instead, the passphrase used to encrypt the home directory is itself encrypted with your password.

When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password.

This is handled via PAM (Pluggable Authentication Modules), so it should work with any password change tool. The exception is administrative password changes where the original password is not provided. This is expected behaviour though: if the administrator could decrypt your files without knowing your password then there would be no actual protection.

In the case you perform an administrative password change, after mounting your home directory with

ecryptfs-mount-private

and your old password, issue

ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

to change the unwrapping password to match your new one. This way your home directory will be auto-mounted at login, just as it used to.
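The following is an added illustration, not code from the answer above or from the ecryptfs project, and it does not reproduce ecryptfs's real wrapped-passphrase file format, cipher or key-derivation parameters. It models the two-layer scheme the answer describes: file data is keyed by a random mount passphrase, that passphrase is wrapped under a key derived from the login password, and a password change only re-wraps it. The toy stream cipher, the PBKDF2 round count and the constructed sample data are all assumptions of this model; only the structure (wrap, unwrap, rewrap, and why the old password is required) is the point.

```python
"""Model of ecryptfs-style passphrase wrapping (illustrative; not the real on-disk format)."""
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000  # assumed value for this model, not ecryptfs's parameter


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode, standing in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_home(mount_passphrase: bytes, plaintext: bytes) -> bytes:
    """File data is keyed by the mount passphrase, never by the login password."""
    nonce = os.urandom(16)
    return nonce + _xor(plaintext, _keystream(mount_passphrase + nonce, len(plaintext)))


def decrypt_home(mount_passphrase: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return _xor(ct, _keystream(mount_passphrase + nonce, len(ct)))


def wrap_passphrase(mount_passphrase: bytes, password: str) -> dict:
    """Encrypt (wrap) the mount passphrase under a key derived from the login password."""
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    ct = _xor(mount_passphrase, _keystream(enc_key, len(mount_passphrase)))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unwrap_passphrase(wrapped: dict, password: str) -> bytes:
    """Recover the mount passphrase; a wrong password fails the integrity check."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), wrapped["salt"], KDF_ROUNDS, dklen=64)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, wrapped["salt"] + wrapped["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong password or corrupted wrapped passphrase")
    return _xor(wrapped["ct"], _keystream(enc_key, len(wrapped["ct"])))


def rewrap_passphrase(wrapped: dict, old_password: str, new_password: str) -> dict:
    """What a password change must do: the OLD password is needed to recover the
    passphrase before it can be wrapped under the new one. The home data is untouched."""
    return wrap_passphrase(unwrap_passphrase(wrapped, old_password), new_password)


def simulate_password_change(old_pw: str, new_pw: str, admin_guess: str = "") -> dict:
    """Walk through the scenario from the answer and report what happened."""
    mount_passphrase = os.urandom(16)  # constructed: random mount passphrase
    secret = b"constructed secret file contents"
    home_blob = encrypt_home(mount_passphrase, secret)
    wrapped = wrap_passphrase(mount_passphrase, old_pw)

    # Normal path: old password known, passphrase re-wrapped, encrypted data untouched.
    rewrapped = rewrap_passphrase(wrapped, old_pw, new_pw)
    recovered = unwrap_passphrase(rewrapped, new_pw)
    results = {
        "passphrase_unchanged": recovered == mount_passphrase,
        "new_pw_opens_home": decrypt_home(recovered, home_blob) == secret,
    }
    try:
        unwrap_passphrase(rewrapped, old_pw)
        results["old_pw_still_works"] = True
    except ValueError:
        results["old_pw_still_works"] = False

    # Administrative reset: new login password set without supplying the old one.
    # The wrapped passphrase can only be re-wrapped by whoever knows the old password.
    try:
        rewrap_passphrase(wrapped, admin_guess, new_pw)
        results["admin_rewrap_without_old_pw"] = True
    except ValueError:
        results["admin_rewrap_without_old_pw"] = False
    return results
```

`simulate_password_change("old-pw", "new-pw", admin_guess="not-the-old-pw")` reports that the new password opens the home directory, the old one no longer unwraps anything, and a rewrap attempted without the old password fails, which is exactly why, after an administrative reset, the user has to mount with the old password and run `ecryptfs-rewrap-passphrase` themselves.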