eCryptfs

How to get pam_ecryptfs.so to NOT use the login password?

Asked by Jakob Unterwurzacher

I want to use a strong password for the encryption. But as I have to type the login password quite often (sudo, screensaver), I want to make that one easy to type. At the moment I use EncFS with pam_encfs.so that asks explicitly for the encryption password.

How to get pam_ecryptfs.so to do that?

An idea was to insert a module "pam_askpass.so" in the pam stack that just asks for a password and stores it in PAM_AUTHTOK. Problem is, something like "pam_askpass.so" does not seem to exists. Or does it?

Question information

Language:
English Edit question
Status:
Answered
For:
eCryptfs Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Launchpad Janitor (janitor) said : 		#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Revision history for this message
Jakob Unterwurzacher (jakobunt) said : 		#2

Reopen..

Revision history for this message
Launchpad Janitor (janitor) said : 		#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Revision history for this message
Jakob Unterwurzacher (jakobunt) said : 		#4

Reopen...

Revision history for this message
Serge Hallyn (serge-hallyn) said : 		#5

I haven't gotten to it myself yet, but I would recommend trying pam_mount.so
in place of pam_ecryptfs.so in your case. I will be doing this myself when
I get a chance, bc I only encrypt subdirectories of my home folder, and with
separate passphrases. I'm hoping to get to testing this next week.

If you try it before then, please do post your results and anything you've
learned.

Revision history for this message
Jakob Unterwurzacher (jakobunt) said : 		#6

Patching pam_ecryptfs to support this turned out to be quite easy, patch is on pastebin, description is copied for convenience below. I tested it and everything works, can send you a binary for Lucid if you want.

-------------- See http://pastebin.com/6yPsdwSX -------------------------
pam_ecryptfs: Respect ~/.ecryptfs/wrapping-independent

Quoting man ecryptfs-mount-private:
> ~/.ecryptfs/wrapping-independent - this file exists if the
> wrapping passphrase is independent from login passphrase

This patch makes pam_ecryptfs check if this file exists and ask the
user for the wrapping passphrase if it does.

Can you help with this problem?

Provide an answer of your own, or ask Jakob Unterwurzacher for more information if necessary.

To post a message you must log in.