How do I regain access to my encrypted home directory after changing my password?
On 12.04 LTS x64, I changed my user password via the User Accounts tool. After that I was unable to log in again with my new password, since my home directory is encrypted and the above-described bug does not allow decryption of the home directory with the new login password.
The passphrase to decrypt the home directory is saved in a folder on my encrypted home directory.
Is there any way to recover this passphrase and unlock my home directory?
I do not have a separate record of the decryption passphrase. I still have a functioning Guest Account to which I have access, but I am not clear whether I can somehow gain access to the files in my encrypted user home directory while logged in as Guest and without having the decryption passphrase. Please advise ASAP.
If you're using ecryptfs (it's the standard way to encrypt home folders, so you probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd); they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).

ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.

But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.

Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it with your new user passphrase. Here's a clip from its man page:

NAME
       ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase, rewrap it with a new passphrase, and write it back to file.

SYNOPSIS
       ecryptfs-rewrap-passphrase [file]

       printf "%s\n%s" "old wrapping passphrase" "new wrapping passphrase" | ecryptfs-rewrap-passphrase [file] -

But I'd make a backup copy of any files before running that on them. (P.S. you don't need to use the printf... format; it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases.)

And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.

See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs
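A scripted version of the "back up first, then rewrap" step from the answer above, added here as an example (it is not code from the answer or from ecryptfs-utils). It assumes ecryptfs-utils is installed and that the file is the user's wrapped-passphrase (normally ~/.ecryptfs/wrapped-passphrase, or /home/.ecryptfs/<user>/.ecryptfs/wrapped-passphrase on a disk mounted from a live system). It first proves the old login passphrase still unwraps the file, and only then runs the same printf | ecryptfs-rewrap-passphrase pipeline the man page shows; if that fails the backup is restored. ECRYPTFS_UNWRAP and ECRYPTFS_REWRAP are this script's own variables (not options of the real tools) so the logic can be exercised with stand-ins where ecryptfs-utils is absent.

```shell
#!/bin/sh
# Added example, not code from the answer above or from ecryptfs-utils.
# Re-wrap an eCryptfs wrapped-passphrase file under a new login password
# without risking the only copy of the mount passphrase.
# ECRYPTFS_UNWRAP / ECRYPTFS_REWRAP are this script's own variables (assumption:
# they let stand-ins replace the real tools for testing).
set -eu

ECRYPTFS_UNWRAP="${ECRYPTFS_UNWRAP:-ecryptfs-unwrap-passphrase}"
ECRYPTFS_REWRAP="${ECRYPTFS_REWRAP:-ecryptfs-rewrap-passphrase}"

# backup_wrapped FILE: copy FILE to FILE.bak.<timestamp> (mode 600), print the path.
backup_wrapped() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    bak="$file.bak.$(date +%Y%m%d-%H%M%S)"
    n=1
    while [ -e "$bak" ]; do          # several runs within the same second
        bak="$file.bak.$(date +%Y%m%d-%H%M%S).$n"; n=$((n + 1))
    done
    cp -p "$file" "$bak"
    chmod 600 "$bak"
    echo "$bak"
}

# unwrap_check FILE LOGINPASS: succeed iff LOGINPASS unwraps FILE. Prints the
# mount passphrase, which is the value worth writing down and keeping offline.
# Same stdin form as the ecryptfs-unwrap-passphrase man page: printf "%s" ... | tool FILE -
unwrap_check() {
    printf '%s' "$2" | "$ECRYPTFS_UNWRAP" "$1" -
}

# rewrap_safely FILE OLDPASS NEWPASS: back up, verify the old passphrase still
# works, then rewrap. On failure the backup is copied back so FILE is never
# left truncated or half-written.
rewrap_safely() {
    file=$1; old=$2; new=$3
    bak=$(backup_wrapped "$file")
    if ! unwrap_check "$file" "$old" >/dev/null; then
        echo "old passphrase does not unwrap $file; nothing changed (backup: $bak)" >&2
        return 1
    fi
    # Exactly the pipeline shown in the ecryptfs-rewrap-passphrase man page.
    if printf '%s\n%s' "$old" "$new" | "$ECRYPTFS_REWRAP" "$file" -; then
        echo "rewrapped $file (backup kept at $bak)"
    else
        cp -p "$bak" "$file"
        echo "rewrap failed; restored $file from $bak" >&2
        return 1
    fi
}

# Interactive use: rewrap.sh FILE. Passphrases are read from the terminal, not
# passed as arguments, so they do not appear in `ps` output or shell history.
if [ $# -eq 1 ]; then
    printf 'old login passphrase: '; stty -echo; read -r old; stty echo; echo
    printf 'new login passphrase: '; stty -echo; read -r new; stty echo; echo
    rewrap_safely "$1" "$old" "$new"
fi
```

Run it as root from the live system if the file belongs to another user, and keep the .bak copy (and the unwrapped passphrase printed by unwrap_check) somewhere other than the encrypted home itself, which is the point the answer makes about backups.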
Here's how I solved the problem on a Linux Mint install, using a Linux Mint Live CD:
mint@mint /tmp $ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/mint/632d671e-65a8-4566-b101-hab6b061b502/.ecryptfs/USERNAME/.Private].
Try to recover this directory? [Y/n]: n
mint@mint /tmp $ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/mint/632d671e-65a8-4566-b101-hab6b061b502/.ecryptfs/USERNAME/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [562b3416hhc4ud6r] into the user session keyring
INFO: Success! Private data mounted at [/tmp/ecryptfs.1x34gL7R].
mint@mint /tmp $ gksu nemo [<---- NOTE THAT I HAVE OPENED TERMINAL IN THE TEMP FOLDER of the LIVE CD NOW]
Via the Nemo file browser (I believe it is Nautilus in Ubuntu) I navigated to the NEWLY PLACED folder named ecryptfs.1x34gL7R (in the LIVE CD's TEMP FOLDER), and from there, right click on the folder, and select "Open as root".
Right away, without any further password challenges, I accessed my hitherto inaccessible Home directory.
I don't see any other way to recover data at my aptitude level.
There is a seeming alternative route using ecryptfs that requires your user password, but it ALWAYS rejects the password that you enter - ALWAYS. Even given that your actual Mint password is correct, and the Live CD has no password for root. I wish I could remember which route I'm talking about here, but basically, it's the one that always rejects your password. Forget that.
If you cannot get anywhere with the method I've shown, then maybe you've forgotten your own login password (unlikely), or your encryption key has become corrupted (through hard drive failure, OR if you've removed gvfs - never touch gvfs - some troll on the Internet has said it's a security risk and given instructions on how to remove it, but this will completely destroy your system).
If you cannot access your encrypted drive, then you can at least copy the encrypted folder from the Live Disc tmp folder to your backup drive VIA TERMINAL (for example, cp -a /source/. /dest/ OR maybe it was cp -a ~/source/. ~/dest/), and then take it to an expert to decrypt it, at some indefinite later date.
Now that you can see your files again, you have a new problem - you cannot actually move anything out of the browser window. However, you can at least open individual files (text, word processor, and picture files) and select to save them onto your new location (e.g. a backup drive).
Finally, I'm sorry Ubuntu and Mint programmers (yes that's me and you) etc. etc. - but Linux needs to improve to be user friendly in the case of data recovery. If the data exists, and the user full-well knows his password, then the data recovery process should be more streamlined!
P.S. remember: it's ecryptfs NOT encryptfs, and remember that a Live CD most likely uses a default American keyboard character set, so change the way you enter your login password accordingly, e.g. if your password uses special characters.