
ecryptfs - How does the passwd utility update the hash for non-admin password changes?


I have been playing around with ecryptfs to manually mount/unmount a private store via ecryptfs-mount-private and ecryptfs-umount-private. When I'm logged in as a user with ecryptfs configured (i.e., username is bob), it asks for my login password for my Linux user account in order to mount the private store. If I change my password while I'm logged into the system via the passwd command line utility, ecryptfs requires my new password in order to mount the private store.

If I log in as the root user (i.e., sysadmin) and change the password for the bob account via sudo passwd bob, and then log into Bob's account, ecryptfs-mount-private will fail when I use the new password I set while logged in as root.

My understanding is that ecryptfs uses a hash of the user password to generate another hash/key that's used to "wrap" the encrypted files in the private store. But if that's the case, why does it "just work" when I change the password when logged in as the actual user, but not when I reset the password as root?

My best guess so far is that maybe some setting is passed to the passwd utility which causes it to run a secondary script after completion. Does anyone know for sure how this works with ecryptfs?

Thanks!


Solution

  • When a user changes their own password, PAM (here or here) gets called to re-wrap the eCryptfs passphrase with the new user passphrase, so you can decrypt your home the next time you log in.

    Somehow, I don't know the exact line-by-line details, but I think I found a suspect line in /etc/pam.d/common-password:

    password        optional        pam_ecryptfs.so

    Unwrapping the eCryptfs passphrase should fail if root tries, since it doesn't have your user login passphrase. eCryptfs also explicitly tells you to back up the actual eCryptfs passphrase when it creates an encrypted home (maybe any encrypted private folder), since if something happens to the eCryptfs wrapped passphrase file, or you forget the login passphrase, the files will be effectively lost.

    If root could change your eCryptfs passphrase whenever they wanted by changing your login passphrase, you would have no real security beyond root.
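The following is an added illustrative model of the wrap/re-wrap flow the answer describes; it is not code from the question, the answer, or the eCryptfs project, and it does not reproduce the real wrapped-passphrase file format or the KDF parameters eCryptfs uses. It assumes a random mount passphrase, a wrapping key derived from the login password with PBKDF2, and an HMAC tag so that a wrong login password is detected instead of silently yielding garbage. The function names and the iteration count are constructed for the example. It shows why the user's own passwd run can re-wrap (PAM has both the old and the new password at that moment) while a root-initiated change cannot: root never has the old login password, so the wrapped file cannot be opened, only replaced.

```python
import hashlib
import hmac
import secrets

# Constructed value for this demo; the real eCryptfs KDF parameters differ.
KDF_ITERATIONS = 100_000


def derive_wrap_key(login_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the login password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, KDF_ITERATIONS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy construction for the demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_passphrase(mount_passphrase: bytes, login_password: str) -> dict:
    """Encrypt the mount passphrase under a key derived from the login password
    and authenticate the result, so a wrong password is rejected on unwrap."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_wrap_key(login_password, salt)
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, _keystream(key, nonce, len(mount_passphrase))))
    tag = hmac.new(key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_passphrase(wrapped: dict, login_password: str) -> bytes:
    """Recover the mount passphrase; raises ValueError if the login password is wrong."""
    key = derive_wrap_key(login_password, wrapped["salt"])
    expected = hmac.new(key, wrapped["salt"] + wrapped["nonce"] + wrapped["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong login password: cannot unwrap mount passphrase")
    return bytes(a ^ b for a, b in zip(wrapped["ct"], _keystream(key, wrapped["nonce"], len(wrapped["ct"]))))


def rewrap_on_password_change(wrapped: dict, old_password: str, new_password: str) -> dict:
    """Model of what the PAM 'password' stack entry does when the user runs passwd:
    unwrap with the old login password (which PAM has, since the user just typed it)
    and wrap again under the new one."""
    mount_passphrase = unwrap_passphrase(wrapped, old_password)
    return wrap_passphrase(mount_passphrase, new_password)


def demo() -> tuple:
    """Compare the two scenarios from the question.

    Returns (user_change_ok, root_change_ok): the user's own passwd run keeps the
    mount passphrase reachable; root's 'passwd bob' changes the shadow entry but
    leaves the old wrapped file in place, so the new password cannot open it."""
    mount_passphrase = secrets.token_bytes(16)  # constructed sample secret
    wrapped = wrap_passphrase(mount_passphrase, "old-login-pw")

    # Scenario 1: user runs passwd; PAM knows old and new password, re-wrap succeeds.
    rewrapped = rewrap_on_password_change(wrapped, "old-login-pw", "new-login-pw")
    user_change_ok = unwrap_passphrase(rewrapped, "new-login-pw") == mount_passphrase

    # Scenario 2: root runs 'passwd bob'; no old password, so no re-wrap happens.
    try:
        unwrap_passphrase(wrapped, "root-set-pw")
        root_change_ok = True
    except ValueError:
        root_change_ok = False

    return user_change_ok, root_change_ok


if __name__ == "__main__":
    print(demo())
```

The integrity tag is the part worth noticing: without it, unwrapping with the wrong password would produce a random-looking passphrase and the failure would only surface later as a mount error with no useful diagnosis, which is roughly what the question's user experienced after the root-side password reset.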