10

I somehow managed to break auto-mounting for my encrypted home directory.

Every time I login via SSH, I see this:

valorin@joshua:~$ ls -la
total 44
dr-x------ 3 valorin valorin  4096 2012-03-17 17:10 .
drwxr-xr-x 7 root    root     4096 2012-03-17 11:45 ..
lrwxrwxrwx 1 valorin valorin    56 2012-03-08 20:37 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
-rw------- 1 valorin valorin   917 2012-03-17 19:24 .bash_history
drwx------ 3 valorin valorin  4096 2012-03-16 17:58 .cache
lrwxrwxrwx 1 valorin valorin    33 2012-03-08 20:37 .ecryptfs -> /home/.ecryptfs/valorin/.ecryptfs
-rw-r--r-- 1 root    root    21954 2012-03-08 20:35 .face
lrwxrwxrwx 1 valorin valorin    32 2012-03-08 20:37 .Private -> /home/.ecryptfs/valorin/.Private
lrwxrwxrwx 1 valorin valorin    52 2012-03-08 20:37 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
-rw------- 1 root    root      703 2012-03-17 17:10 .viminfo

Any ideas what I've done, and how I can fix it?

UPDATE:

I have set up the SSH key authentication using the method here, which in hindsight is the reason for the non-working encrypted home directory.

So, my new question, how do I get it to automatically prompt for the password after I have logged in with the SSH auth key?

Stephen RC
  • 4,812

3 Answers

29

Okay, so while it's possible to use SSH Public Key authentication to log into your system without entering a password (even if your home directory is encrypted), it's not possible to automatically mount your encrypted home directory.

To solve this, you'll need to add a line to the end of your unmounted $HOME/.profile:

ecryptfs-mount-private

This will ensure that after you've logged in using SSH Public Key authentication, you'll be prompted for your password and will mount your encrypted data. If it's already mounted, then this command should just silently succeed.

Enjoy!

Full disclosure: I'm one of the authors and maintainers of eCryptfs.

  • 1
    Awesome, thanks, that does exactly what I want :) I had to add cd /home/$HOME into the .profile file as well, to refresh it though once it had decrypted. – Stephen RC Mar 28 '12 at 20:57
  • 1
    Just to mention that if you are using zsh it needs to be ~/.zprofile instead of ~/.profile – Timmy O'Mahony Jul 12 '16 at 19:30
  • Maybe this will help others: I had a problem where ecryptfs-mount-private appeared to do nothing; not even ask for a password. It turns out it had worked, and didn't need a password because I'd already entered it while using sudo for something else, but I needed to change the current working directory out of /home/arthur and back again before I saw my files. – Arthur Tacca Jan 26 '17 at 16:57
  • Thank you @TimmyO'Mahony! I wouldn't by choice have been using zsh but it was a brand new install, and I recall seeing that it couldn't save my .zsh history... – Auspex Feb 28 '18 at 16:59
  • It is a nice tool but the answer by d_inevitable is better for regular use since it automates the mount and allow having scripts and config that are loaded on login while kept encrypted. – ozma Feb 03 '23 at 11:12
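The one-liner in the accepted answer does the job, but two of the comments point at rough edges: the shell's working directory still points at the old unmounted tree after the mount, and the prompt is unwanted when the key is already in the kernel keyring. The following `~/.profile` fragment is an added example, not the answer's or the eCryptfs project's own code; it assumes the encrypted-home layout from the question (the home directory itself is the eCryptfs mount point), reads `/proc/mounts` to decide whether anything needs doing, only prompts on an interactive shell so `scp`/`sftp` and `ssh host cmd` do not hang on a passphrase prompt, and re-enters `$HOME` afterwards. The `mounts` file parameter exists so the check can be exercised against a copy.

```shell
#!/bin/sh
# Added example, not from the answer above: a ~/.profile fragment that mounts
# an eCryptfs private home on SSH public-key login only when it is not already
# mounted, then re-enters $HOME so the shell sees the decrypted tree.
# Assumption: the home directory itself is the eCryptfs mount point, as in the
# question's listing (.ecryptfs and .Private symlinks in the unmounted home).

# Return 0 if DIR is currently mounted as ecryptfs according to MOUNTS, a file
# in /proc/mounts format (defaults to /proc/mounts).
ecryptfs_mounted() {
    dir=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: source target fstype options dump pass.
    # Note: the kernel octal-escapes spaces in paths, so a home directory
    # containing spaces would need unescaping before this comparison.
    while read -r src target fstype rest; do
        [ "$target" = "$dir" ] && [ "$fstype" = "ecryptfs" ] && return 0
    done < "$mounts"
    return 1
}

# Mount the private home if needed. Returns 0 when the home is mounted at the
# end (it already was, or ecryptfs-mount-private succeeded), 1 otherwise.
mount_private_home() {
    home=${1:-$HOME}
    mounts=${2:-/proc/mounts}
    if ecryptfs_mounted "$home" "$mounts"; then
        return 0
    fi
    # Only prompt for the passphrase on an interactive shell: scp, sftp and
    # non-interactive "ssh host cmd" sessions must not block on a prompt.
    case $- in
        *i*) ;;
        *) return 1 ;;
    esac
    # The unmounted home carries the .ecryptfs symlink; without it there is
    # nothing to mount and we leave the shell alone.
    if [ -L "$home/.ecryptfs" ] && command -v ecryptfs-mount-private >/dev/null 2>&1; then
        ecryptfs-mount-private || return 1
        # The shell's cwd still refers to the old (unmounted) directory inode;
        # re-entering $HOME is the "cd" the comment above found necessary.
        cd "$home" || return 1
        return 0
    fi
    return 1
}

# In ~/.profile (or ~/.zprofile for zsh) the only call needed is:
#   mount_private_home
```

If the passphrase is already in the kernel keyring (for example because a `sudo` in another session unwrapped it, as one comment describes), `ecryptfs-mount-private` completes without a prompt and the function still returns 0 after the `cd`, so the shell lands in the decrypted home either way.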
3

Try the following:

  1. Make sure that /etc/pam.d/common-session contains this line:

     # Encrypt home
     session    optional    pam_ecryptfs.so unwrap
    
  2. Make sure that /etc/pam.d/common-auth contains this line:

     auth   optional    pam_ecryptfs.so unwrap
    
  3. Make sure that /etc/pam.d/sshd contains these lines:

     # Standard Un*x authorization.
     @include common-account
    
     # Standard Un*x session setup and teardown.
     @include common-session
    
  4. If you have changed your user's password recently, check /etc/pam.d/common-password

    If it doesn't contain this line:

     password   optional    pam_ecryptfs.so
    

    Then you need your old password to reconfigure ecryptfs.

    My suggestion is to change your account back to your previous password using passwd, then add the above line to /etc/pam.d/common-password, and then change the password back to the new password.

    Alternatively you can try this:

    ecryptfs-setup-private

    Make sure you enter the same password as your users password when prompted.

  5. If none of the above works, try running ecryptfs-setup-private; perhaps it will fix something.

  6. If it is still not working then I am out of ideas, sorry.

d_inevitable
  • 1,902
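The steps above are a checklist to eyeball by hand. As an added example (not part of the answer, and not a tool shipped with eCryptfs), the following script audits a Debian/Ubuntu-style `/etc/pam.d` directory for exactly the lines the answer asks for: an active `pam_ecryptfs.so` entry in `common-auth`, `common-session` and `common-password`, and the `@include` lines in `sshd`. The directory is a parameter so it can be run against a copy. One caveat worth knowing when reading these results: with SSH public-key authentication sshd never receives the user's password, so the `auth ... pam_ecryptfs.so unwrap` line has no passphrase to unwrap; these PAM entries make the home mount on password logins (with `UsePAM yes` in `sshd_config`), which is why the accepted answer falls back to `ecryptfs-mount-private` from `.profile`.

```shell
#!/bin/sh
# Added example, not from the answer above: check that the PAM stack used by
# sshd contains the pam_ecryptfs.so lines the answer lists.
# Assumes a Debian/Ubuntu-style /etc/pam.d with @include directives.

# Return 0 if FILE has an active (non-comment) line of the form
#   TYPE <control> pam_ecryptfs.so [args]
pam_has_ecryptfs() {
    type=$1
    file=$2
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*$type[[:space:]]+[^#]*pam_ecryptfs\.so" "$file"
}

# Return 0 if FILE contains an active "@include NAME" line.
pam_includes() {
    name=$1
    file=$2
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*@include[[:space:]]+$name([[:space:]]|$)" "$file"
}

# Audit a pam.d directory (default /etc/pam.d). Prints one line per check and
# returns the number of failed checks, so 0 means every line is present.
audit_ecryptfs_pam() {
    dir=${1:-/etc/pam.d}
    failed=0
    # Each spec is "<pam type> <file under $dir>".
    for spec in "auth common-auth" "session common-session" "password common-password"; do
        set -- $spec
        if pam_has_ecryptfs "$1" "$dir/$2"; then
            echo "ok   $2: $1 ... pam_ecryptfs.so"
        else
            echo "MISS $2: no active '$1 ... pam_ecryptfs.so' line"
            failed=$((failed + 1))
        fi
    done
    # sshd must pull in the common stacks, or the lines above never run for SSH.
    for inc in common-auth common-account common-session; do
        if pam_includes "$inc" "$dir/sshd"; then
            echo "ok   sshd: @include $inc"
        else
            echo "MISS sshd: @include $inc"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage on a live system:  audit_ecryptfs_pam /etc/pam.d
```

A missing `common-password` entry is the case the answer spends most time on: it means password changes since the home was set up did not re-wrap the mount passphrase, so the old password is still the one eCryptfs knows.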
2

By following these instructions you mentioned in your post, you specifically made it so you could SSH into your account without your home folder being mounted. If you undo what you did there and put it back to how it was before, then when you SSH in you will be forced to enter your password if your home directory isn't decrypted already. (If your home directory is already decrypted because of another session, then your SSH key will work perfectly for a passwordless connection!)

Otherwise, the alternative is to run ecryptfs-mount-private after you log in with your key to manually decrypt your home folder.

Macil
  • 131
  • Is there a way to have ecryptfs-mount-private run automatically when I login? – Stephen RC Mar 24 '12 at 10:45
  • Just updating "these instructions" broken link, as I had to track it down on the Wayback machine: https://stephen.rees-carter.net/thought/encrypted-home-directories-ssh-key-authentication

    Additional thoughts on the referenced article: instead of storing authorized_keys as /home/.ssh/%u, store authorized_keys in /home/.ssh/%u/authorized_keys where /home/.ssh/%u/ is owned by %u:%u with 700 perms, and the file is owned by %u with 600 perms.

    – Jeremy Lyons Jan 21 '18 at 17:27
  • @StephenRC create a ~/.profile that runs ecryptfs-mount-private in your unencrypted home directory. – Jeremy Lyons Jan 21 '18 at 17:33