Monday, December 14, 2015

permissions - Can root see my encrypted /home folder?


Just wondering if I use ecryptfs to encrypt my /home folder


sudo ecryptfs-migrate-home -u username

Can another user with root privilege change my password, then login my account using the new password see my encrypted /home?


If I change my own password, I suppose I can still access my encrypted /home , how is it different from root changing my password and login as me?



Short answer: Yes and no.





Can root see my encrypted /home folder?



Yes. As long as you are logged in, root as well as any sudo user can see your decrypted files. Also, when you wake up from sleep, your /home will still be decrypted.


Also there is a bug in ecryptfs that prevents unmounting the decrypted /home folder at logout. You should instead shutdown or restart the machine or manually unmount the folder from another sudo/root user. See this question for more information.



Can another user with root privilege change my password, then login my account using the new password see my encrypted /home?



No. Your /home folder is not encrypted with your password, but with a passphrase which is encrypted with your password. Another user changing your password will not affect the passphrase.


At the first login after an administrative password change, you have to mount your encrypted home manually and rewrap the passphrase. For these tasks you need your old and the new password


ecryptfs-mount-private
ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password. This is handled via PAM (Pluggable Authentication Modules) (via).




See this related question.


No comments:

Post a Comment

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...