Ubuntu – How to regain access to the encrypted home directory after changing the password


On 12.04 LTS x64, I changed my user password via the User Accounts tool. After that I was unable to log in again with my new password since my home directory is encrypted and the above-described bug does not allow decryption of the home directory with the new login password.
The passphrase to decrypt the home directory is saved in a folder on my encrypted home directory.

Is there any way to recover this passphrase and unlock my home directory?
I do not have a separate record of the decryption passphrase. I still have a functioning Guest Account to which I have access, but I am not clear whether I can somehow gain access to the files in my encrypted user home directory while logged in as Guest and without having the decrypt passphrase. Please advise asap.

Best Answer

  • If you're using ecryptfs (it's the standard way to encrypt home folders, so you probably are) then when you changed your user password you lost automatic access to your encrypted home (as you discovered). That should not have happened with most regular ways to change your password (like passwd); they're supposed to use PAM to update the encryption automatically (but not if an administrator changes/resets the password, or it wouldn't be secure).

    ecryptfs actually recommends that you keep a backup copy of the actual passphrase it uses (it's not your login passphrase, but it is encrypted or "wrapped" with your login passphrase) just in case something happens to the wrapped passphrase file you're referring to.

    But using ecryptfs-unwrap-passphrase you should be able to find out the actual ecryptfs passphrase.

    Using ecryptfs-rewrap-passphrase you could use your old user passphrase to "unwrap" the ecryptfs passphrase, then "re-wrap" it with your new user passphrase. Here's a clip from its man page:

       ecryptfs-rewrap-passphrase - unwrap an eCryptfs wrapped passphrase,
       rewrap it with a new passphrase, and write it back to file.
       ecryptfs-rewrap-passphrase [file]
       printf "%s\n%s" "old wrapping passphrase" "new wrapping passphrase" |
       ecryptfs-rewrap-passphrase [file] -

    But I'd make a backup copy of any files before running that on them. (PS: you don't need to use the printf... format; it works just running ecryptfs-rewrap-passphrase [file] if you don't mind typing the passphrases.)

    And you could run ecryptfs-recover-private to just mount any ecryptfs encrypted private folders it finds, then backup/copy, etc.

    See man ecryptfs and the man pages for all the ecryptfs-... tools for some more info. And archlinux's wiki has some pretty good info at https://wiki.archlinux.org/index.php/ECryptfs
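As an added example (not part of the answer above or of the ecryptfs project), a small POSIX shell script that does what the answer recommends: take a verified backup of the wrapped-passphrase file first, then run ecryptfs-rewrap-passphrase in its stdin form. It assumes the default ecryptfs location ~/.ecryptfs/wrapped-passphrase and reads both passphrases from the terminal with echo off, so neither lands in shell history or a process listing.

```shell
#!/bin/sh
# Added example: back up the wrapped ecryptfs passphrase, then re-wrap it with
# the new login passphrase. Assumed default path: ~/.ecryptfs/wrapped-passphrase

# backup_wrapped FILE BACKUP_DIR
# Copies FILE to BACKUP_DIR with a timestamp, verifies the copy byte-for-byte,
# and prints the backup path. Returns 1 if anything goes wrong.
backup_wrapped() {
    src=$1
    dir=$2
    [ -f "$src" ] || { echo "no wrapped passphrase at $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dst="$dir/wrapped-passphrase.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" || return 1
    chmod 600 "$dst"
    cmp -s "$src" "$dst" || { echo "backup verification failed" >&2; return 1; }
    printf '%s\n' "$dst"
}

# rewrap_with_backup FILE BACKUP_DIR
# Refuses to touch FILE without a verified backup and without the tool installed.
# Feeds "old\nnew" on stdin with '-' as the second argument (the man page form).
rewrap_with_backup() {
    file=${1:-"$HOME/.ecryptfs/wrapped-passphrase"}
    dir=${2:-"$HOME/ecryptfs-backup"}
    backup=$(backup_wrapped "$file" "$dir") || return 1
    command -v ecryptfs-rewrap-passphrase >/dev/null 2>&1 || {
        echo "ecryptfs-rewrap-passphrase not installed; backup kept at $backup" >&2
        return 2
    }
    # Prompt with terminal echo off; the passphrases never appear on a command line.
    printf 'Old login passphrase: ' >&2; stty -echo; read -r old; stty echo; echo >&2
    printf 'New login passphrase: ' >&2; stty -echo; read -r new; stty echo; echo >&2
    printf '%s\n%s' "$old" "$new" | ecryptfs-rewrap-passphrase "$file" -
    rc=$?
    unset old new
    if [ "$rc" -eq 0 ]; then
        echo "re-wrapped $file; backup at $backup"
    else
        echo "rewrap failed (exit $rc); original kept at $backup" >&2
    fi
    return "$rc"
}
```

If the rewrap fails, the timestamped backup can be copied back over the original before trying again with ecryptfs-unwrap-passphrase to confirm the old passphrase still unwraps it.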