Home / ubuntu / Questions / 820162
Accepted
XavierStuvw
Asked: 2016-09-03 10:46:53 +0800 CST

The password for encrypted file system is not updated when I change the user password

  • 772

Antecedents

I am working with both Ubuntu 14.04 and 16.04 in separate desktops. All disks are encrypted. I have changed the root and user passwords in several computers with sudo passwd and sudo passwd <username>.

Issues

When I log in, the new password is accepted by the greeter but the systems loops and I get the greeter again and again.

This has occurred to me

  • in one of two desktops running on Ubuntu 14.04
  • in one of two desktops running on Ubuntu 16.04

where I changed the password in the same way. No clue of what causes this difference between either computer that runs with the same version.

As I go into the console (CTRL+ALT+F1), I successfully log in as well. The console prompts into the appropriate /home/user.

However, in 14.04, the home directory contains only two files: Access-Your-Private-Data.desktop and README.txt instead of the full directory tree. On suggestion of the latter I do the following

  1. run ecrypts-mount-private,
  2. input my old password
  3. launch cd again,

and the whole directory content show up.

Since in 16.04 the booter explicitly asks for the ecryptfs password prior to moving on to the greeter, the user can actually type in the old password in due course and avoid falling in the loop. This is less inconvenient than in 14.04 but still an undesired behaviour.

Therefore, the encryption password is lagging behind the root and user passwords when these are updated.

This topic is similar to the questions

The answers given there, if any at all, are inconclusive for me. I have gathered the following information

  • x-session error
  • tail -50 /var/log/Xorg.0.log
  • ls -l ~/.Xauthority gives -rw------- 1 user user 227 Sep 2 16:04 .Xauthority hence no permission issue, I believe
  • ls -l / | grep tmp gives drwxrwxrwt 4 root root 28672 Sep 2 19:13 tmp hence no sticky bit issue, I believe

Question

  • How do I align the ecryptfs password with the user password, so that they are the same at all times?
login

1 Answers

  1. Best Answer

    This line of action worked well in one computer of mine with Ubuntu 14.04. I name first password the previous one where all worked seamlessly, and second password the current one that gives you hassles with encryption.

    Note that Linux uses the word password whereas ecryptfs uses the word passphrase -- one difference is that a passphrase accepts spaces. Nowadays the difference between the two is blurred, since modern passwords accept spaces too, while the old naming persists. It's useful though to keep in check what you are talking with.

    An important difference within ecryptfs is that between the login passphrase and the mount passphrase. Here we are interested in the login passphrase.

    The starting point of this post is that first login passphrase = first login password. To view the mount passphrase after curiosity, launch ecryptfs-unwrap-passphrase -- you'll be asked the login passphrase to move on (and keep that mount passphrase safe elsewhere for good measure, if you haven't done so yet).

    Mount the encrypted home

    1. go to terminal with CTRL+ALT+F1
    2. login with the user whose encrypted home is not accessible (with second login password)
    3. launch ecyptfs-mount-private, note without sudo (else I get a fopen error)
    4. type in the first encryption passphrase (the first login password, because they were the same)
    5. check that the home directory has been unencrypted (with a ls-type command). If not, there is some other problem at play.

    Reverse the change of login password

    1. make the login password the same as the first encryption passphrase with a plain passwd command. Crucially, no sudo again. At this point the login password becomes the first one again, and the login password and login passphrase are the same again.

    Give the second value to the login password

    1. use again a plain passwd command to set the second login password. Crucially, no sudo again. At this point, ecryptfs will have updated the passphrase with the value given to passwd. This does not work if you use sudo passwd. Step 6 was necessary because successive passwords must be different.

    Expected outcome

    At next reboot the desktop environment should allow you to log in seamlessly by chaining the decryption into the accreditation process, since password and passphrase are the same (having the second value).

    Next time you want to change password and passphrase, log in as the user owning the encrypted home and use passwd, rather than sudo passwd -- source: http://bodhizazen.com/Tutorials/Ecryptfs/

    Another attempt to resorting to ecryptfs-rewrap-passphrase resulted in the deletion of encryption (data are preserved though), so I discourage that (issue https://unix.stackexchange.com/questions/329661, please be aware and help out if possible)

    • 1