Encrypted home folder still accessible after logout

Known bug

If I understand correctly, this is a known bug.

See this link: wiki.archlinux.org/index.php/ECryptfs

Scroll down to the pink paragraph

Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...

Work-around

As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).

I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.

I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.

I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g.,

   /etc/pam.d/common-auth:
              auth    required        pam_ecryptfs.so unwrap
   /etc/pam.d/common-session:
              session optional        pam_ecryptfs.so unwrap

So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)

This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).

I am interested in others experience.

edit_1: improved wording. edit_2: added desktop and VB test results.

I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.

Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...

• a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)
• unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)
• if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.

One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.

Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.

Edit /etc/systemd/logind.conf and set KillUserProcesses=yes

Note that this breaks background programs, screen, tmux, and similar...

This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).

https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work

I do it with a script in rclocal

#!/bin/sh
#

while true; do
    if [ ! -d /run/user/1000 ]; then
        if [ -f /home/momo/.mounted ]; then
            umount /home/harry
        fi      
    fi

    if [ ! -d /run/user/1001 ]; then
        if [ -f /home/vm/.mounted ]; then
            umount /home/maud
        fi
    fi

    sleep 10
done
exit 0

If you do not need access from cron or at jobs (non-interactive tasks) to ANY home directories then you just need to comment out the line

session  optional        pam_ecryptfs.so unwrap

in /etc/pam.d/common-session-noninteractive.

This will cause all encrypted home directories to be unmounted when the user logs out.