I have 2 machines (machine1 & machine2) both running Ubuntu 18.04. Both machines use fscrypt to encrypt the home folder (using login passphrase). If I remove the hard disk (hd1) from machine1 and plug it into machine2, how do I decrypt the home folder of machine1?
Assuming hd1 is sdb and mounted to /mnt/hd1/
The following commands are run as user2 from machine2
>>> fscrypt status
filesystems supporting encryption: 2
filesystems with fscrypt metadata: 2
MOUNTPOINT DEVICE FILESYSTEM ENCRYPTION FSCRYPT
/ /dev/sda2 ext4 supported Yes
/mnt/hd1 /dev/sdb2 ext4 supported Yes
>>> fscrypt status /mnt/hd1/
ext4 filesystem "/mnt/hd1" has 1 protector and 1 policy
PROTECTOR LINKED DESCRIPTION
7db5baf4xxxxxxxx No login protector for user1
POLICY UNLOCKED PROTECTORS
0000ed45xxxxxxxx No 7db5baf4xxxxxxxx
>>> fscrypt unlock /mnt/hd1/home/user1
fscrypt unlock: user keyring not linked into session keyring
This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable
pam_keyinit.so, or run "keyctl link @u @s".
>>> fscrypt unlock /mnt/hd1/home/user1 --unlock-with=/mnt/hd1:7db5baf4xxxxxxxx
fscrypt unlock: user keyring not linked into session keyring
This is usually the result of a bad PAM configuration. Either correct the problem in your PAM stack, enable
pam_keyinit.so, or run "keyctl link @u @s".
Must I unlock the home folder of user1 only if I am logged-in as user1? Can user2 unlock the home folder if he has user1's login passphrase? Can it be done from a different machine?
What you need is a new protector for your disk.
fscrypt has two important terms: Protectors and policies. Protectors are secrets used to protect the data. Policies are the actual key that encrypts the data. In other words, you have protectors that can open the policies that in turn decrypt the data.
On machine1, add a new protector with the following command:
sudo fscrypt metadata create protector /mnt/hd1
Choose custom passphrase. Using
fscrypt status /mnt/hd1
look up the ids of the newly created protector and the existing policy. Add this newly created protector to the policy with
sudo fscrypt metadata add-protector-to-policy --protector=/mnt/hd1:[protector_id] --policy=/mnt/hd1:[policy_id]
(replacing the ids with the ones you got before). Select the login and input the passphrase here. With
fscrypt status /mnt/hd1
you should see that the policy now has the new protector. On machine2 you should be able to unlock the directory with
fscrypt unlock /mnt/hd1/home/user1
using the newly created passphrase.
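The procedure in this answer, scripted as an added example (not part of the original post): the two parsers pull the protector and policy ids out of `fscrypt status` output instead of copying them by hand, and the machine2 step applies the `keyctl link @u @s` fix that the error message in the question suggests. It assumes the mount point /mnt/hd1, a protector name "portable", and fscrypt's `--source`/`--name` flags for creating the protector; the sample status output is constructed with made-up ids.

```shell
# Added example, not from the original post. Assumes /mnt/hd1 as mount point, a
# custom protector named "portable" (both are arguments), and that fscrypt accepts
# --source=custom_passphrase --name=NAME when creating a protector.
set -eu
# Constructed sample of "fscrypt status /mnt/hd1" after the new protector exists
# (ids are made up); it exercises the parsers below without a real disk.
SAMPLE_STATUS='ext4 filesystem "/mnt/hd1" has 2 protectors and 1 policy

PROTECTOR         LINKED  DESCRIPTION
7db5baf412345678  No      login protector for user1
3c9f0a1b2c3d4e5f  No      custom protector "portable"

POLICY            UNLOCKED  PROTECTORS
0000ed4512345678  No        7db5baf412345678, 3c9f0a1b2c3d4e5f'
# Print the id of the first policy: the first 16-hex-digit column after the POLICY header.
policy_id() {
  awk 'in_pol && $1 ~ /^[0-9a-f]+$/ && length($1) == 16 { print $1; exit }
       $1 == "POLICY" { in_pol = 1 }'
}
# Print the id of the protector whose description is exactly: custom protector "<name>"
protector_id() {
  awk -v want="custom protector \"$1\"" '
    $1 ~ /^[0-9a-f]+$/ && length($1) == 16 {
      desc = $0; sub(/^[0-9a-f]+[ \t]+[A-Za-z]+[ \t]+/, "", desc)
      if (desc == want) { print $1; exit }
    }'
}
# machine1: create the new protector, then attach it to the existing policy.
add_portable_protector() {
  mnt="$1"; name="$2"
  sudo fscrypt metadata create protector "$mnt" --source=custom_passphrase --name="$name"
  status="$(fscrypt status "$mnt")"
  prot="$(printf '%s\n' "$status" | protector_id "$name")"
  pol="$(printf '%s\n' "$status" | policy_id)"
  [ -n "$prot" ] && [ -n "$pol" ] || { echo "protector/policy id not found" >&2; return 1; }
  # fscrypt asks for an existing protector (the login one) to authorise this change.
  sudo fscrypt metadata add-protector-to-policy --protector="$mnt:$prot" --policy="$mnt:$pol"
  fscrypt status "$mnt"
}
# machine2: link the user keyring into the session keyring (the fix named in the
# error message from the question), then unlock with the new custom passphrase.
unlock_home() {
  keyctl link @u @s
  fscrypt unlock "$1"
}
```

Run `add_portable_protector /mnt/hd1 portable` on machine1 with the disk mounted, then `unlock_home /mnt/hd1/home/user1` on machine2.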