Private directory mounted without passphrase?
From the EncryptedPrivateDirectory wiki:
We can stop ecryptfs from unlocking the Private folder on startup by removing the empty file auto-mount, which is located in ~/.ecryptfs/. In the same directory you can also remove the auto-umount file, if you would like ecryptfs to stop unmounting the private folder upon shutdown and logout.
UPDATE: To fix the issue of ~/Private being mountable without using a password, follow the instructions in this Ubuntu Forums post:
OK Folks, here is the true fix.
I was reading an article on ecryptfs (http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt) and found that PAM is involved and thus started looking in /etc/pam.d/ and found 2 files that need to be modified:
/etc/pam.d/common-auth
/etc/pam.d/common-session
Do the following as root, but make a backup copy first in a directory OUT OF this directory like ~/ or it will possibly run the backup which is unmodified.
In /etc/pam.d/common-session look for a line that says:
auth optional pam_ecryptfs.so unwrap
and comment it out like:
#auth optional pam_ecryptfs.so unwrap
In /etc/pam.d/common-auth look for a line that says:
session optional pam_ecryptfs.so unwrap
and comment it out like:
#session optional pam_ecryptfs.so unwrap
Both files must be modified. The common-session file is what causes the actual mounting and the common-auth unwraps the passphrase.
If just common-session is commented out (as I tried first), all one has to do is type ecryptfs-mount-private and it will mount without the login passphrase. This is NOT GOOD. So the common-auth must be modified to prevent the loading of the unwrapped passphrase into the kernel.
The caveat to this is that THIS AFFECTS ALL USERS. I have just discovered the above by rooting around myself and it satisfies my needs. However, it will make it more difficult on a multiuser system for novices as the Private will not be automatically mounted. There may be a way to prevent this on a user-level (not system level) but I don't know how to do that.
Hope this helps someone in the future.
Yours, Narnie
You will need to restart your computer after you modify those files.
The absolutely trivial-but-effective way to solve the question as asked is to simply remove ~/.ecryptfs/wrapped-passphrase (or rename it).
This will totally prevent pam_ecryptfs from loading any keys into the keyring.
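As an added example (not from either answer above and not part of ecryptfs itself), a read-only POSIX shell audit of the four pieces both answers touch: the pam_ecryptfs lines in common-auth and common-session, the wrapped-passphrase file, and the auto-mount flag. The function names, the optional directory arguments and their defaults of /etc/pam.d and ~/.ecryptfs are this example's own assumptions.

```shell
#!/bin/sh
# Read-only audit of the ecryptfs auto-mount chain discussed above.
# Arguments (example's own convention): PAM directory, then the user's
# .ecryptfs directory; they default to /etc/pam.d and ~/.ecryptfs.

# Return 0 if FILE has an uncommented pam_ecryptfs.so line, 1 otherwise.
# A leading '#' (as in the fix above) makes the line inert, so it is skipped.
pam_ecryptfs_active() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Eq '^[[:space:]]*(auth|session)[[:space:]]+optional[[:space:]]+pam_ecryptfs\.so' "$file"
}

# Print one status line per check. Return 0 while every piece is still in
# place (Private is auto-mounted at login), 1 once any of them is disabled.
audit_ecryptfs_automount() {
    pam_dir="${1:-/etc/pam.d}"
    ecryptfs_dir="${2:-$HOME/.ecryptfs}"
    live=0
    if pam_ecryptfs_active "$pam_dir/common-auth"; then
        echo "common-auth:        pam_ecryptfs unwrap ACTIVE"; live=$((live + 1))
    else
        echo "common-auth:        pam_ecryptfs disabled"
    fi
    if pam_ecryptfs_active "$pam_dir/common-session"; then
        echo "common-session:     pam_ecryptfs mount ACTIVE"; live=$((live + 1))
    else
        echo "common-session:     pam_ecryptfs disabled"
    fi
    if [ -e "$ecryptfs_dir/wrapped-passphrase" ]; then
        echo "wrapped-passphrase: present"; live=$((live + 1))
    else
        echo "wrapped-passphrase: absent (nothing for pam_ecryptfs to unwrap)"
    fi
    if [ -e "$ecryptfs_dir/auto-mount" ]; then
        echo "auto-mount:         present"; live=$((live + 1))
    else
        echo "auto-mount:         absent (no mount at login)"
    fi
    [ "$live" -eq 4 ]
}
```

Run it with no arguments on the real system after applying either fix; a non-zero exit confirms that at least one link in the automatic-mount chain is gone.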