Change the passphrase of an ecryptfs directory

I want to have an encrypted directory (not the home directory!), let's say /testdata.

I have used the following command and parameters to encrypt it:

root@pc:~# mount -t ecryptfs /testdata/ /testdata/
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [b9fc92f854a4c85b]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=b9fc92f854a4c85b
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=b9fc92f854a4c85b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [b9fc92f854a4c85b] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

This command creates this file:

root@pc:~# cat .ecryptfs/sig-cache.txt 
b9fc92f854a4c85b

Now I want to change the passphrase I used before. I found the ecryptfs-rewrap-passphrase command, but I am not sure if I am on the right path:

root@pc:~# ecryptfs-rewrap-passphrase .ecryptfs/sig-cache.txt 
Old wrapping passphrase: 
New wrapping passphrase: 
New wrapping passphrase (again): 
Error: Unwrapping passphrase failed [-5]
Info: Check the system log for more information from libecryptfs

/var/log/syslog says:

Jul 13 13:16:19 pc ecryptfs-rewrap-passphrase: ecryptfs_unwrap_passphrase: PK11_CipherOp() error; SECFailure = [-1]; PORT_GetError() = [-8188]

I have newbie status with regard to ecryptfs and I would appreciate some enlightenment here.


Solution 1:

I see you are trying to push the password into a file that has another meaning.

ecryptfs-rewrap-passphrase /home/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase 

or, most certainly… but better to search manually for the wrapped-passphrase file in your hidden .ecryptfs directory:

ecryptfs-rewrap-passphrase /home/$USER/.ecryptfs/wrapped-passphrase

I think this is the right command for changing the password, where $USER is your user name.

P.S.: Better not to be logged in with your folder decrypted.

Solution 2:

There is no way to change the passphrase on the fly, as ecryptfs encrypts each file with that passphrase individually, and all files would need to be rewritten with the new passphrase.

So all you can do is create a new directory, mount it with the new passphrase and copy all the files over there.

The exception to this is when you used Ubuntu to create an encrypted /home/ on installation. When Ubuntu is set up that way, it is not using your passphrase for file encryption directly; instead it generates a random passphrase that is saved to ~/.ecryptfs/wrapped-passphrase. That file is then encrypted with your personal passphrase. Your personal passphrase can thus change, while the file encryption passphrase stays the same. It might be possible to recreate that behaviour when mounting stuff manually, but by default that isn't the case and your personal passphrase is used for file encryption directly.
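Recreating the wrapped-passphrase layout described in Solution 2 for a manually mounted directory, as an added example that is not part of either answer: a random mount passphrase encrypts the files, only its wrapped form is stored, and a later ecryptfs-rewrap-passphrase changes the personal passphrase without rewriting any file. It assumes ecryptfs-utils is installed, the tools accept the documented "-" stdin mode, the caller is root, and the paths in LOWER and WRAPPED (assumptions, overridable via the environment).

```shell
#!/bin/sh
# Added example, not the page's own commands. Assumes ecryptfs-utils, root,
# and that /testdata already exists (the question's lower directory).
set -eu

LOWER=${LOWER:-/testdata}                              # assumption: lower dir
WRAPPED=${WRAPPED:-/root/.ecryptfs/wrapped-passphrase} # assumption: wrapped file

# Random file-encryption passphrase (32 hex chars). A human never types it;
# only its wrapped form ever touches the disk.
new_mount_passphrase() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Pull the n-th key signature out of ecryptfs-add-passphrase output, e.g.
# "Inserted auth tok with sig [b9fc92f854a4c85b] into the user session keyring".
# With --fnek the tool prints two such lines: file key first, FNEK second.
sig_from_output() {   # $1 = tool output, $2 = which line (default 1)
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]*\)\].*/\1/p' | sed -n "${2:-1}p"
}

# One-time setup: wrap the mount passphrase with the personal passphrase.
setup_wrapped() {   # $1 = personal (wrapping) passphrase
    mount_pass=$(new_mount_passphrase)
    mkdir -p "$(dirname "$WRAPPED")"
    printf '%s\n%s' "$mount_pass" "$1" | ecryptfs-wrap-passphrase "$WRAPPED" -
}

# Every mount: unwrap, insert into the session keyring, mount by signature.
# no_sig_cache suppresses the sig-cache.txt prompt seen in the question.
mount_with_wrapped() {   # $1 = personal (wrapping) passphrase
    mount_pass=$(printf '%s' "$1" | ecryptfs-unwrap-passphrase "$WRAPPED" -)
    out=$(printf '%s' "$mount_pass" | ecryptfs-add-passphrase --fnek -)
    sig=$(sig_from_output "$out" 1)
    fnek=$(sig_from_output "$out" 2)
    mount -t ecryptfs "$LOWER" "$LOWER" -o \
      "ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,no_sig_cache"
}

# Changing the personal passphrase re-encrypts only the small wrapped file;
# the ciphertext under $LOWER is untouched.
change_personal_passphrase() {   # $1 = old passphrase, $2 = new passphrase
    printf '%s\n%s' "$1" "$2" | ecryptfs-rewrap-passphrase "$WRAPPED" -
}
```

Run setup_wrapped once, mount_with_wrapped on each boot, and change_personal_passphrase whenever the personal passphrase should change; the signatures printed by ecryptfs-add-passphrase can differ between the file key and the FNEK on current releases, which is why both are parsed separately.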