Private directory mounted without passphrase?

From the EncryptedPrivateDirectory wiki:

We can stop ecryptfs from unlocking the Private folder on startup, by removing the empty file auto-mount which is located in ~/.ecryptfs/, where you also can remove the auto-umount file, if you would like ecryptfs to stop unmounting the private folder upon shutdown and logout.

UPDATE: To fix the issue of ~/Private being mountable without using a password, follow the instructions in this Ubuntu Forums post:

OK Folks, here is the true fix.

I was reading an article on ecryptfs (http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt) and found that PAM is involved and thus started looking in /etc/pam.d/ and found 2 files that need to be modified:

/etc/pam.d/common-auth
/etc/pam.d/common-session

Do the following as root, but make a backup copy first in a directory OUT OF this directory like ~/ or it will possibly run the backup which is unmodified.

In /etc/pam.d/common-session look for a line that says:

auth optional pam_ecryptfs.so unwrap
and comment it out like:
#auth optional pam_ecryptfs.so unwrap

In /etc/pam.d/common-auth look for a line that says:

session optional pam_ecryptfs.so unwrap
and comment it out like:
#session optional pam_ecryptfs.so unwrap

Both files must be modified. The common-session file is what causes the actual mounting and the common-auth unwraps the passphrase.

If just common-session is commented out (as I tried first), all one has to do is type ecryptfs-mount-private and it will mount without the login passphrase. This is NOT GOOD. So the common-auth must be modified to prevent the loading of the unwrapped passphrase into the kernel.

The caveat to this is that THIS AFFECTS ALL USERS. I have just discovered the above by rooting around myself and it satisfies my needs. However, it will make it more difficult on a multiuser system for novices as the Private will not be automatically mounted. There may be a way to prevent this on a user-level (not system level) but I don't know how to do that.

Hope this helps someone in the future.

Yours, Narnie

You will need to restart your computer after you modify those files.
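The backup-then-comment-out step above, as an added shell example that is not part of the forum post: it copies the PAM file to a backup directory outside /etc/pam.d, then comments out every uncommented line that loads pam_ecryptfs.so. It matches on the module name rather than on the auth/session keyword, so the same function serves both common-auth and common-session; the function names and the constructed sample file are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the forum post: back up a PAM file to a directory
# outside /etc/pam.d, then comment out every active pam_ecryptfs.so line in it.
# Matching the module name instead of "auth"/"session" makes it work the same
# on common-auth and common-session. Function names and paths are assumed.
set -u

# disable_pam_ecryptfs FILE BACKUP_DIR
# Copies FILE to BACKUP_DIR/<name>.bak, prefixes each uncommented line that
# loads pam_ecryptfs.so with '#', and prints how many lines were changed.
disable_pam_ecryptfs() {
    file=$1
    backup_dir=$2
    mkdir -p "$backup_dir" || return 1
    cp -p "$file" "$backup_dir/$(basename "$file").bak" || return 1
    # Count active lines first so the caller can confirm something changed.
    changed=$(grep -c '^[[:space:]]*[^#].*pam_ecryptfs\.so' "$file" || true)
    tmp=$(mktemp) || return 1
    # Keep leading whitespace, insert '#' in front of the directive.
    sed 's/^\([[:space:]]*\)\([^#].*pam_ecryptfs\.so.*\)$/\1#\2/' "$file" > "$tmp" || return 1
    cat "$tmp" > "$file"   # overwrite in place so owner and mode are kept
    rm -f "$tmp"
    echo "$changed"
}

# pam_ecryptfs_disabled FILE: succeeds when no active pam_ecryptfs.so line remains.
pam_ecryptfs_disabled() {
    ! grep -q '^[[:space:]]*[^#].*pam_ecryptfs\.so' "$1"
}

# write_sample_common_auth FILE: constructed stand-in for /etc/pam.d/common-auth
# so the functions can be exercised without touching the real system.
write_sample_common_auth() {
    printf '%s\n' \
        'auth  [success=1 default=ignore]  pam_unix.so nullok_secure' \
        'auth  requisite                   pam_deny.so' \
        'auth  optional                    pam_ecryptfs.so unwrap' \
        '# auth optional pam_ecryptfs.so unwrap  (already commented: left alone)' > "$1"
}

# Demo on the constructed sample. On a real system, as root, run instead:
#   for f in /etc/pam.d/common-auth /etc/pam.d/common-session; do
#       disable_pam_ecryptfs "$f" "$HOME/pam-backup"; done
demo_dir=$(mktemp -d)
write_sample_common_auth "$demo_dir/common-auth"
echo "lines commented out: $(disable_pam_ecryptfs "$demo_dir/common-auth" "$demo_dir/backup")"
pam_ecryptfs_disabled "$demo_dir/common-auth" && echo "pam_ecryptfs no longer active"
rm -rf "$demo_dir"
```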


The absolutely trivial-but-effective way to solve the question as asked is to simply remove ~/.ecryptfs/wrapped-passphrase (or rename it).

This will totally prevent pam_ecryptfs from loading any keys into the keyring.