ecryptfs-rewrap-passphrase
Change the passphrase protecting an eCryptfs wrapped passphrase
SYNOPSIS
ecryptfs-rewrap-passphrase
DESCRIPTION
The ecryptfs-rewrap-passphrase command is a utility within the eCryptfs (Enterprise Cryptographic Filesystem) framework for Linux systems. eCryptfs provides an encrypted filesystem layer, most often used to protect user home directories.
At its core, eCryptfs uses a 'mount passphrase', the key material from which the file encryption keys are derived and without which the encrypted data cannot be accessed. This command lets you change the passphrase under which that mount passphrase is stored, without decrypting and re-encrypting any file data: it re-encrypts (rewraps) only the stored passphrase, usually found in ~/.ecryptfs/wrapped-passphrase, under the new passphrase.
The command operates interactively. It first prompts for your old eCryptfs passphrase, which is needed to decrypt the existing wrapped passphrase. Once that is accepted, it prompts for the new passphrase, entered twice for confirmation. Afterwards the eCryptfs volume can still be mounted and decrypted, now using the updated passphrase.
The most common and most critical use case arises when you change your system login password and your eCryptfs setup (such as an encrypted home directory in Ubuntu) links the eCryptfs passphrase to your login password via PAM. If you do not run this command after changing the login password, the stored wrapped passphrase no longer matches your new credentials, and your encrypted home directory cannot be decrypted and mounted at subsequent logins.
CAVEATS
Requires knowledge of the old eCryptfs passphrase to proceed; there is no recovery path through this command if the old passphrase is unknown.
Crucial for encrypted home directories: if your system login password changes and eCryptfs is integrated with PAM (common in Ubuntu), you must run this command, or you will lose access to your encrypted home directory at the next login.
This command only rewraps the stored mount passphrase; it does not change the underlying encryption keys used for individual files, nor does it re-encrypt any file data.
Run this command only in a trusted environment, since it handles the passphrases in the clear while prompting.
INTERACTIVE PROMPTS
The command operates interactively, prompting first for the old eCryptfs passphrase and then for the new one. The new passphrase is requested twice for confirmation.
INTEGRATION WITH SYSTEM PASSWORD
When eCryptfs protects an encrypted home directory (e.g., in Ubuntu), the eCryptfs wrapping passphrase is often derived from, or linked to, your system login password via PAM. If you change your system login password, you must run ecryptfs-rewrap-passphrase to update the stored wrapped passphrase; otherwise you will be unable to decrypt and mount your home directory on subsequent logins.
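The post-password-change procedure above, preceded by the sanity checks a user would want before touching the wrapped passphrase, as an added shell example that is not part of ecryptfs-utils. It assumes the default ~/.ecryptfs/wrapped-passphrase location named above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from ecryptfs-utils: pre-flight checks before rewrapping,
# followed by the interactive rewrap itself.
# Assumes the default wrapped-passphrase location given in the description.
WRAPPED="${HOME}/.ecryptfs/wrapped-passphrase"

# Return 0 when the wrapped-passphrase file is a regular file, owned by the
# caller, and not readable by group or others (mode 600 or 400); 1 otherwise.
# A group- or world-readable wrapped passphrase exposes the very key material
# this command is meant to protect.
check_wrapped_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "not owned by the current user: $f" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode on $f is too permissive (expected 600)" >&2; return 1 ;;
    esac
}

# Return 0 when an eCryptfs filesystem is mounted at the given directory
# (read from /proc/mounts, so Linux only); 1 otherwise.
is_ecryptfs_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' /proc/mounts
}

# Run the rewrap after the checks. ecryptfs-rewrap-passphrase prompts for the
# old passphrase and then the new one twice, so call this from an interactive shell
# right after changing the login password with passwd.
rewrap_after_password_change() {
    command -v ecryptfs-rewrap-passphrase >/dev/null 2>&1 \
        || { echo "ecryptfs-rewrap-passphrase not found (install ecryptfs-utils)" >&2; return 1; }
    check_wrapped_file "$WRAPPED" || return 1
    if is_ecryptfs_mounted "$HOME"; then
        # Only the wrapping changes; the mount passphrase and file keys stay the same,
        # so an already mounted home is unaffected until the next login.
        echo "note: $HOME is currently mounted as eCryptfs; rewrapping does not touch the live mount" >&2
    fi
    ecryptfs-rewrap-passphrase
}
```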
HISTORY
Part of the ecryptfs-utils package, ecryptfs-rewrap-passphrase has been a core utility since the early days of eCryptfs. Its importance grew when distributions such as Ubuntu adopted eCryptfs for home directory encryption, which made the command essential for users who need to keep their wrapped passphrase in step with a changed system password.
SEE ALSO
ecryptfs-mount-private(1), ecryptfs-setup-private(1), ecryptfs(7)