Just wondering if I use ecryptfs to encrypt my /home folder
sudo ecryptfs-migrate-home -u username
Can another user with root privilege change my password, then log in to my account using the new password and see my encrypted /home?
If I change my own password, I suppose I can still access my encrypted /home, so how is that different from root changing my password and logging in as me?
Short answer: Yes and no.
Can root see my encrypted /home folder?
Yes. As long as you are logged in, root as well as any sudo user can see your decrypted files. Also, when you wake up from sleep, your /home will still be decrypted.
Also, there is a bug in ecryptfs that prevents unmounting the decrypted /home folder at logout. You should instead shut down or restart the machine or manually unmount the folder from another sudo/root user. See this question for more information.
Can another user with root privilege change my password, then log in to my account using the new password and see my encrypted /home?
No. Your /home folder is not encrypted with your password, but with a passphrase which is encrypted with your password. Another user changing your password will not affect the passphrase.
At the first login after an administrative password change, you have to mount your encrypted home manually and rewrap the passphrase. For these tasks you need your old and the new password:
ecryptfs-mount-private
ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase
When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password. This is handled via PAM (Pluggable Authentication Modules) (via).
See this related question.
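The wrapping scheme described in the answer, as an added illustration that is not part of the original answer and does not reproduce eCryptfs's real wrapped-passphrase format: a simplified Python model in which a random mount passphrase is wrapped under a key derived from the login password. PBKDF2 and the HMAC-based keystream are stand-ins chosen so it runs on the standard library alone; all function names and passwords are constructed.

```python
import hashlib, hmac, os

def _keys(password: str, salt: bytes):
    # Derive separate encryption and MAC keys from the login password.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher for the model: HMAC-SHA256 in counter mode.
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(mount_passphrase: bytes, password: str) -> bytes:
    # Models the wrapped-passphrase file: salt || tag || ciphertext.
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, mount_passphrase)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unwrap(blob: bytes, password: str) -> bytes:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password: cannot unwrap mount passphrase")
    return _xor_stream(enc_key, ct)

def rewrap(blob: bytes, old_password: str, new_password: str) -> bytes:
    # Needs the OLD password, which is why rewrapping asks for both.
    return wrap(unwrap(blob, old_password), new_password)

def demo():
    mount_passphrase = os.urandom(16).hex().encode()   # constructed sample
    wrapped = wrap(mount_passphrase, "old-login-pw")
    # Administrative reset: the login password changes, the wrapped file does not.
    try:
        unwrap(wrapped, "root-chosen-pw")
        reset_unlocks = True
    except ValueError:
        reset_unlocks = False
    # User's own change: old password is known, so the passphrase is rewrapped.
    rewrapped = rewrap(wrapped, "old-login-pw", "new-login-pw")
    own_change_unlocks = unwrap(rewrapped, "new-login-pw") == mount_passphrase
    return reset_unlocks, own_change_unlocks

if __name__ == "__main__":
    print(demo())
```

The model covers only the wrapped passphrase at rest; as the answer notes, files in a home directory that is currently mounted are readable by root regardless of who knows the password.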