LinuxCommandLibrary

ecryptfs-add-passphrase

Add a passphrase to encrypt user data

SYNOPSIS

ecryptfs-add-passphrase [--fnek] [--display] [--verbose]

PARAMETERS

--fnek
    Store the passphrase in the kernel keyring. This is the default behaviour when no option is given.

--display
    Display the wrapped passphrase on stdout. Use this only when piping the output to another command or file; otherwise the passphrase is exposed on the terminal.

--verbose
    Enable verbose output.

DESCRIPTION

The `ecryptfs-add-passphrase` command adds a passphrase to an existing eCryptfs encrypted home directory or mount point. This lets you manage multiple passphrases for the same encrypted data, which is useful when different passphrases are wanted for different levels of access or security, or when a passphrase must be rotated without re-encrypting the data. The command prompts for the user's existing login passphrase and then asks for the new passphrase twice for confirmation.

Importantly, using multiple passphrases can widen the exposure of your eCryptfs directory: every additional passphrase is another credential that unlocks the same data. Consider the trade-offs before proceeding.

CAVEATS

Storing passphrases in the kernel keyring might have implications for security, especially regarding process isolation and potential vulnerabilities in the kernel keyring implementation.

Displaying the wrapped passphrase on stdout can expose it through the terminal, the console history, or to other users unless the output is handled securely (for example, by piping it directly into a storage location that only you can read).

SECURITY CONSIDERATIONS

It is essential to understand the security implications of adding multiple passphrases: compromising any one passphrase compromises the entire encrypted filesystem. The security of the kernel keyring itself is also a crucial factor. Regularly reviewing and updating your security practices is highly recommended.

USAGE EXAMPLE

To add a new passphrase: `ecryptfs-add-passphrase`. The command will prompt you for your current login passphrase and then for the new passphrase.
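The following wrapper script is an added example, not part of the LinuxCommandLibrary page or the eCryptfs project. It shows how to handle the `--display` output described above without exposing the passphrase: the new passphrase is read without terminal echo and handed to the tool on stdin (never as a command-line argument), and the displayed output goes straight into a file created with owner-only permissions. It assumes the tool accepts the passphrase on stdin when piped; the `ECRYPTFS_ADD_PASSPHRASE` variable is an assumption introduced here so the file-handling logic can be exercised with a stand-in command.

```shell
#!/bin/sh
# Added example (not from the page or the eCryptfs project): keep the wrapped
# passphrase printed by `ecryptfs-add-passphrase --display` off the terminal,
# out of the shell history and unreadable by other users.
set -u

# Assumption: the command to run is overridable so the file handling can be
# tested with a stand-in; the default is the real tool.
ECRYPTFS_ADD_PASSPHRASE="${ECRYPTFS_ADD_PASSPHRASE:-ecryptfs-add-passphrase}"

# prompt_passphrase: read a passphrase from the terminal with echo disabled
# and emit it on stdout so it can be piped, never placed in an argument.
prompt_passphrase() {
    printf 'New passphrase: ' >&2
    stty -echo 2>/dev/null
    read -r pass
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$pass"
    unset pass
}

# add_passphrase_to_file OUTFILE: feed stdin to the tool and capture its
# --display output in OUTFILE, created under umask 077 (mode 0600).
add_passphrase_to_file() {
    outfile="$1"
    old_umask=$(umask)
    umask 077
    "$ECRYPTFS_ADD_PASSPHRASE" --display > "$outfile"
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# check_private_file FILE: succeed only if FILE is a regular file whose
# group and other permission bits are all clear (e.g. -rw-------).
check_private_file() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Interactive use: ./script.sh --interactive /path/to/wrapped-passphrase
if [ "${1:-}" = "--interactive" ] && [ -n "${2:-}" ]; then
    prompt_passphrase | add_passphrase_to_file "$2" && check_private_file "$2"
fi
```

Run it with `--interactive OUTFILE`; the script exits non-zero if the output file did not end up owner-readable only.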

HISTORY

The `ecryptfs-add-passphrase` command was developed as part of the eCryptfs project, which aimed to provide an easy-to-use cryptographic filesystem for Linux. It evolved alongside other ecryptfs tools to allow users to manage passphrases and access encrypted data using multiple authentication methods.

SEE ALSO