ecryptfs-rewrap-passphrase
Re-wrap the eCryptfs mount passphrase after a login password change
SYNOPSIS
ecryptfs-rewrap-passphrase [options] [MOUNTPOINT]
PARAMETERS
-h, --help
Print this help message and exit
--newpass
Prompt interactively for a new wrapping passphrase instead of using the login password
--newphrasedesc DESC
Specify a description string for the new passphrase
--user USER
Rewrap the passphrase of USER (default: the current user)
DESCRIPTION
The ecryptfs-rewrap-passphrase command updates the user's wrapped-passphrase file, located at ~/.ecryptfs/wrapped-passphrase. This file holds the eCryptfs mount passphrase encrypted (wrapped) with the user's login password, so that it can be unwrapped automatically at login.
When a user changes their login password (e.g., via passwd), the existing wrapped-passphrase can no longer be unwrapped with the new password, and future automatic mounts fail. Running this command re-encrypts (rewraps) the mount passphrase with the new login password.
The command first prompts for the old login password, unwraps the existing wrapped-passphrase with it to recover the mount passphrase, and then rewraps that passphrase with the current login password (or with a custom passphrase when --newpass is given). If a MOUNTPOINT is specified, it verifies that the path is an eCryptfs mount owned by the user before proceeding.
It is typically used after a password change on systems with encrypted home directories (e.g., Ubuntu's ecryptfs-home). It requires the ecryptfs-utils package. To rewrap another user's passphrase, run it as root with --user. Keeping the wrapped-passphrase current is what allows pam_ecryptfs to unwrap it and mount the home directory at login.
CAVEATS
The old login password must be known; the command fails if the wrapped-passphrase file is missing or corrupted. It must be run after the password change and before the next login. Root privileges are needed to act on other users. It does not apply to passphrases that were wrapped with a custom passphrase rather than the login password.
EXAMPLE
After a password change, as the affected user:
    ecryptfs-rewrap-passphrase
You are prompted for the old login password; the new login password is detected automatically.
For another user, as root, verifying that the home directory is that user's eCryptfs mount:
    sudo ecryptfs-rewrap-passphrase --user otheruser /home/otheruser
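The following script is an added example and is not part of ecryptfs-utils. It performs the checks an administrator would want before typing the old password: that the wrapped-passphrase file exists, is non-empty and is not readable by others, and that the given MOUNTPOINT really is an eCryptfs mount. It then prints the command line this page documents (the plain form for the current user, the sudo --user form for another user). The /proc/mounts sample and the user names are constructed; the wrapped-passphrase path and the --user option come from this page.

```shell
#!/bin/sh
# Added example (not part of ecryptfs-utils): pre-flight checks before running
# ecryptfs-rewrap-passphrase. Mount information is passed in as text in
# /proc/mounts format so the checks can be exercised against a constructed sample.

# is_ecryptfs_mount MOUNTS MOUNTPOINT
# Returns 0 when MOUNTPOINT appears in MOUNTS with filesystem type "ecryptfs".
is_ecryptfs_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "ecryptfs" { found = 1 }
        END { exit !found }'
}

# wrapped_file_ok PATH
# Returns 0 when the wrapped-passphrase file exists, is non-empty and is mode
# 0600 or 0400. The file holds the mount passphrase encrypted under the login
# password, so group/other access is a reason to stop and investigate.
wrapped_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# build_rewrap_cmd CALLER USER [MOUNTPOINT]
# Prints the command line documented on this page: the plain form when CALLER
# is USER, otherwise the "sudo ... --user USER" form.
build_rewrap_cmd() {
    caller="$1"; user="$2"; mp="$3"
    if [ "$caller" = "$user" ]; then
        printf 'ecryptfs-rewrap-passphrase%s\n' "${mp:+ $mp}"
    else
        printf 'sudo ecryptfs-rewrap-passphrase --user %s%s\n' "$user" "${mp:+ $mp}"
    fi
}

# preflight CALLER USER MOUNTPOINT WRAPPED_FILE MOUNTS
# Runs all checks; prints the command to run on success, a reason on failure.
preflight() {
    caller="$1"; user="$2"; mp="$3"; wf="$4"; mounts="$5"
    if ! wrapped_file_ok "$wf"; then
        echo "stop: $wf is missing, empty or too permissive" >&2
        return 1
    fi
    if [ -n "$mp" ] && ! is_ecryptfs_mount "$mounts" "$mp"; then
        echo "stop: $mp is not an eCryptfs mount" >&2
        return 1
    fi
    build_rewrap_cmd "$caller" "$user" "$mp"
}

# Constructed /proc/mounts sample (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0'

# Stand-alone demo with a constructed temporary file standing in for
# ~/.ecryptfs/wrapped-passphrase (a real run points at that path).
demo_file=$(mktemp)
printf 'constructed-wrapped-data' > "$demo_file"
chmod 600 "$demo_file"
preflight alice alice /home/alice "$demo_file" "$SAMPLE_MOUNTS"
# /home/bob is not in the sample, so this one stops before any password prompt.
preflight root bob /home/bob "$demo_file" "$SAMPLE_MOUNTS" || true
rm -f "$demo_file"
```

The mount check mirrors what the page says the command itself does when MOUNTPOINT is given; doing it in advance means a typo in the path is caught before the old password has been entered. On a live system, replace SAMPLE_MOUNTS with the contents of /proc/mounts.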
SECURITY NOTE
Rewrapping ties access to the encrypted data to the login password: whoever knows the login password can unwrap the mount passphrase. Use --newpass to wrap it with an independent passphrase instead. Before rewrapping, back up the unwrapped mount passphrase with ecryptfs-unwrap-passphrase and store it securely.
HISTORY
Part of the eCryptfs userspace tools since 2007 (kernel support since Linux 2.6.19). Developed by the Enterprise Cryptographic Filesystem team for stacked filesystem encryption. Widely used in Ubuntu for encrypted /home until the shift to LUKS.