
I have a user, say secretuser, with an encrypted home directory. Unfortunately I forgot the password for user secretuser, because it was very secret. So I logged on with another admin user, say masteruser, and changed the password for secretuser via the graphical UI to, say, 'newpass'. When trying to log in as secretuser, there was no "wrong password" message or similar when I used 'newpass', but I was sent back to the graphical logon screen immediately after a flash of the screen. So I logged on again as masteruser and did in a shell window:

masteruser$ su secretuser

I entered 'newpass' at the prompt and was able to log on to a shell. But graphical login was still not possible. Same effect as before. So I concluded that the graphical dialog does not do its job completely and gave the command prompt a chance:

masteruser$ sudo passwd secretuser

Of course, I had to change it to something else, say 'newpass1'. Unfortunately, the graphical login shows the same issue as before, but now, when I su'ed to secretuser, I only saw an encrypted file system.

masteruser@zhadum:~$ su secretuser
Passwort: newpass1
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'
secretuser@zhadum:/home/masteruser$ cd /home/secretuser
secretuser@zhadum:~$ ls
Access-Your-Private-Data.desktop  README.txt
secretuser@zhadum:~$ 

Maybe I took security a bit too far, because now I am completely stuck. Seemingly the password is changed, but it does not work for the graphical login and also not for the decryption of the user's directory. Trying ecryptfs-mount-private as suggested did not work either, because neither 'newpass' nor 'newpass1' was accepted. Dropping and recreating the user would lose me 3 weeks of work because the most recent backup, shame on me, is not too current.

Do I have a chance to get access again?

Update: Thanks to the link given by @mxdsp I tried:

masteruser@zhadum:~$ sudo ecryptfs-recover-private
[sudo] password for masteruser: ---- 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/secretuser/.Private].
Try to recover this directory? [Y/n]: 
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y 
INFO: Enter your LOGIN passphrase...
Passphrase: newpass1
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
masteruser@zhadum:~$ cd /var/log
masteruser@zhadum:/var/log$ tail syslog
Oct  9 06:05:19 zhadum ecryptfs-insert-wrapped-passphrase-into-keyring: Incorrect wrapping key for file [/home/.ecryptfs/secretuser/.Private/../.ecryptfs/wrapped-passphrase]
Oct  9 06:05:19 zhadum ecryptfs-insert-wrapped-passphrase-into-keyring: Error attempting to unwrap passphrase from file [/home/.ecryptfs/secretuser/.Private/../.ecryptfs/wrapped-passphrase]; rc = [-5]
Oct  9 06:05:21 zhadum wpa_supplicant[1625]: nl80211: send_and_recv->nl_recvmsgs failed: -33

and also:

masteruser@zhadum:/var/log$ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/secretuser/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] n
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
Enter your MOUNT passphrase: byebye secretuser...

I guess I am done now. I now go grieving over my dumbassery and then ask another question how to truly remove the 32 GB of secretuser from my harddisk - to make sure not to leave even more mess...

3 Answers


What you need is the passphrase you used when you created the encrypted user. That passphrase is not your password! Once you have found it, assuming you kept it, run:

ecryptfs-unwrap-passphrase

see more here

mxdsp

You do need either

  • the last login passphrase (the one just before you forced a new login passphrase with sudo)

    or

  • the original mount passphrase created when the encryption was set up.

The wrapped-passphrase file holds the mount passphrase for your encrypted home, and is encrypted with your login passphrase. By forcing a new passphrase with sudo, without having the old one or being logged in, your wrapped-passphrase file was not decrypted and re-encrypted with the new login passphrase. This is by design to provide real security that any sudo-armed user can't bypass.

When you set up your encrypted home with the eCryptfs tool ecryptfs-migrate-home, it asks you to make a backup copy of the actual mount passphrase, just in case a problem like this comes up (you forget your login passphrase, or the wrapped-passphrase file is lost or damaged).

Having just the login passphrase from when you first created the user probably won't be useful, unless you also have a copy of the wrapped-passphrase file from the same time, using the same login passphrase.

Xen2050
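The following is an added toy model of the relationship this answer describes, not code from the question, the answers or the ecryptfs-utils project. It does not reproduce the real eCryptfs on-disk format or key derivation (the real tool iterates SHA-512 over a fixed salt and wraps with AES); PBKDF2, an HMAC keystream and a short hash fingerprint stand in so it runs with only the Python standard library. The salt, the shadow-hash helper and the account structure are constructed for the illustration. What it shows is the mechanism behind the symptoms in the question: `sudo passwd` rewrites only the shadow entry, so authentication succeeds while the wrapped passphrase can no longer be unwrapped; a user-initiated change that knows the old login passphrase rewraps; and the mount passphrase bypasses the wrapped file entirely.

```python
"""Toy model of an eCryptfs encrypted home: how the MOUNT passphrase is tied
to the LOGIN passphrase. Constructed illustration, NOT the real format/KDF."""
import hashlib
import hmac
from dataclasses import dataclass

WRAP_SALT = b"toy-wrap-salt"  # constructed constant; eCryptfs uses its own fixed salt


def derive_wrapping_key(login_passphrase: str) -> bytes:
    """Key protecting the wrapped-passphrase file; derived ONLY from the login passphrase."""
    return hashlib.pbkdf2_hmac("sha512", login_passphrase.encode(), WRAP_SALT, 65536, dklen=32)


def key_signature(key: bytes) -> str:
    """Short fingerprint, analogous to the 16-hex-char eCryptfs key signature."""
    return hashlib.sha256(key).hexdigest()[:16]


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for the AES wrapping step (same call encrypts and decrypts)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), "sha256").digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class WrappedPassphrase:
    """Stand-in for ~/.ecryptfs/wrapped-passphrase."""
    wrapping_sig: str   # fingerprint of the login-derived key that wrapped it
    ciphertext: bytes


def wrap(mount_passphrase: str, login_passphrase: str) -> WrappedPassphrase:
    key = derive_wrapping_key(login_passphrase)
    return WrappedPassphrase(key_signature(key), _xor_keystream(key, mount_passphrase.encode()))


def unwrap(wrapped: WrappedPassphrase, login_passphrase: str) -> str:
    key = derive_wrapping_key(login_passphrase)
    if key_signature(key) != wrapped.wrapping_sig:
        # the condition behind "Incorrect wrapping key for file [...]; rc = [-5]"
        raise ValueError("Incorrect wrapping key")
    return _xor_keystream(key, wrapped.ciphertext).decode()


def shadow(login_passphrase: str) -> str:
    """Constructed stand-in for the /etc/shadow hash; any verifier works here."""
    return hashlib.sha256(b"shadow:" + login_passphrase.encode()).hexdigest()


@dataclass
class Account:
    shadow_hash: str                 # what passwd(1) changes
    wrapped: WrappedPassphrase       # what pam_ecryptfs needs at login
    home_key_sig: str                # fingerprint of the MOUNT passphrase the home is encrypted with


def setup_encrypted_home(login_passphrase: str, mount_passphrase: str) -> Account:
    """What ecryptfs-migrate-home establishes: shadow entry, wrapped file, encrypted home."""
    return Account(shadow(login_passphrase), wrap(mount_passphrase, login_passphrase),
                   key_signature(mount_passphrase.encode()))


def passwd_as_root(acct: Account, new_login: str) -> None:
    """`sudo passwd user`: rewrites the shadow entry and never touches the wrapped passphrase."""
    acct.shadow_hash = shadow(new_login)


def passwd_as_user(acct: Account, old_login: str, new_login: str) -> None:
    """Change by the user who knows the OLD passphrase: the mount passphrase can be rewrapped."""
    mount = unwrap(acct.wrapped, old_login)
    acct.shadow_hash = shadow(new_login)
    acct.wrapped = wrap(mount, new_login)


def login(acct: Account, login_passphrase: str) -> dict:
    """Authentication and home decryption are separate steps with separate outcomes."""
    if acct.shadow_hash != shadow(login_passphrase):
        return {"authenticated": False, "home_mounted": False}
    try:
        mount = unwrap(acct.wrapped, login_passphrase)
    except ValueError:
        return {"authenticated": True, "home_mounted": False}  # shell works, home stays encrypted
    return {"authenticated": True, "home_mounted": key_signature(mount.encode()) == acct.home_key_sig}


def recover_with_mount_passphrase(acct: Account, mount_passphrase: str) -> bool:
    """The ecryptfs-recover-private 'MOUNT passphrase' path: ignores the wrapped file."""
    return key_signature(mount_passphrase.encode()) == acct.home_key_sig
```

Running `passwd_as_root` and then `login` with the new passphrase returns `authenticated: True, home_mounted: False`, which is the state the question shows (a shell via `su`, but "Signature not found in user keyring"). Only `recover_with_mount_passphrase` with the original 32-character mount passphrase, or `passwd_as_user` with the old login passphrase, gets the home back.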

Self-answer just to share my insights from this incident:

With an encrypted home directory, don't forget your password and your passphrase. You will be lost even when you have other admin users on that machine.

This answer to a similar question might provide helpful background info for others. It also explains why I can delete secretuser and will not encrypt a home directory again.

Together with the experience from this gem I really think that encrypting the home partition (and only the home partition) has the best security-to-risk ratio. At least all the other options have proven to be more risk than fun...