What is the mount passphrase used for and how to set up ecryptfs to ask for it?

Asked by syldes

Hello,

I ran ecryptfs-setup-private to configure a $HOME/Private folder, and the software asked me for a mount passphrase, so I entered one.
Now when I log in and out, I never need to type this passphrase to have access to my Private folder.

So I'm asking: what's the point of this passphrase if it doesn't need to be entered by the user and is recorded wrapped under ~/.ecryptfs/wrapped-passphrase?
It seems it's just a way to add more security/entropy to the encryption scheme, right ?

Nevertheless, is there a way to have ecryptfs-mount-private ask for the passphrase [instead of | in conjunction with] the login password?
I'd like to configure ecryptfs to behave this way, so that people who gain access to my login password won't be able to access my encrypted folder without my mount passphrase.

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: Philippe
Best Philippe (philippe-rast) said:
#1

See the manpage for ecryptfs-setup-private.

Add option
--noautomount
              Setup this user such that the encrypted private directory is
              not automatically mounted on login

syldes (syldes) said:
#2

Thanks, I also needed the --wrapping switch.
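As an added example (not from this thread or from the ecryptfs-utils project), a small shell helper that runs the setup the way the two answers above describe and then audits the marker files left in ~/.ecryptfs. It assumes ecryptfs-utils' marker-file names auto-mount (present when Private is mounted by pam_ecryptfs at login) and wrapping-independent (present when the wrapping passphrase is not the login password); the check takes the home directory as an argument so it can be pointed at a test directory.

```shell
#!/bin/sh
# Added example. Assumed marker files written by ecryptfs-setup-private:
#   $HOME/.ecryptfs/auto-mount           -> pam_ecryptfs mounts Private at login
#   $HOME/.ecryptfs/wrapping-independent -> wrapping passphrase != login password
# The state the question asks for is: auto-mount absent, wrapping-independent present.

# Create $HOME/Private so it is neither mounted at login nor unlockable with the
# login password alone. Interactive: prompts for the mount passphrase and for a
# separate wrapping passphrase.
setup_private_manual() {
    ecryptfs-setup-private --noautomount --wrapping
}

# Audit the Private configuration under the given home directory.
# Prints one of: unconfigured, automount, login-wrapped, manual-independent.
# Exit status is 0 only for manual-independent (the hardened state).
check_private_config() {
    d="$1/.ecryptfs"
    [ -f "$d/wrapped-passphrase" ] || { echo unconfigured; return 2; }
    if [ -e "$d/auto-mount" ]; then
        # Login password alone mounts the directory on every login.
        echo automount
        return 1
    fi
    if [ ! -e "$d/wrapping-independent" ]; then
        # Not auto-mounted, but the login password still unwraps the mount passphrase.
        echo login-wrapped
        return 1
    fi
    echo manual-independent
    return 0
}

# Mount Private by hand once the hardened state is confirmed; ecryptfs-mount-private
# then prompts for the wrapping passphrase and unwraps the mount passphrase itself.
mount_private_if_manual() {
    check_private_config "$HOME" >/dev/null && ecryptfs-mount-private
}
```

Run check_private_config "$HOME" after setup; anything other than manual-independent means the login password is still enough to reach the Private directory.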

syldes (syldes) said:
#3

Thanks Philippe, that solved my question.

Ted_Smith (tedsmith28) said:
#4

To clarify, the mount passphrase you provided is encrypted using the AES-128 encryption algorithm, and then stored in mount-passphrase. The 'key' to unlocking it is your login password, which you provide when you log in, and every time you do so that mount passphrase is automatically decrypted for you and your Private dir mounted.

If anyone ever tries to access your data when you're not logged in, though (e.g. someone steals your PC), your data will always be encrypted unless they can work out your login password.

In addition, your mount passphrase is used to generate the encryption keys used for all of your files.

In summary, whilst it might not be obvious as to why you had to have a mount passphrase, it is an essential part of the eCryptfs system.