ecryptfs-rewrap-passphrase
Change encrypted passphrase for ecryptfs
SYNOPSIS
ecryptfs-rewrap-passphrase
DESCRIPTION
The ecryptfs-rewrap-passphrase command is used to rewrap an existing eCryptfs passphrase with a new KEK (Key Encryption Key). This is crucial when changing your login password, or when the underlying KEK changes due to system updates or security policies. This utility ensures that your encrypted files remain accessible after such changes. Without rewrapping, the old KEK may no longer be available, rendering the passphrase unreadable and resulting in data loss.
The rewrapping process involves decrypting the existing passphrase using the old KEK and then re-encrypting it using the new KEK. The command handles the necessary cryptographic operations, prompting for old and new passwords, and updating the user's ecryptfs metadata.
Run this utility after any event that modifies the KEK used to encrypt your ecryptfs passphrase; otherwise you risk losing access to your encrypted data. The rewrap must complete successfully to avoid data loss.
CAVEATS
Failing to rewrap the passphrase after changing the login password or system KEK can lead to permanent data loss. Verify that the process completed successfully before assuming access is restored. Back up important data before proceeding. This command must be executed as the user whose passphrase needs to be rewrapped.
The command fails when run without the privileges needed to read and modify that user's ecryptfs metadata.
USAGE
Upon execution, ecryptfs-rewrap-passphrase will prompt you for the old and new passwords. Enter the current login password when prompted for the "old" passphrase. Enter the new login password when prompted for the "new" passphrase. The utility then performs the rewrapping operation, updating the ecryptfs metadata with the newly encrypted passphrase. After a successful rewrapping, the encrypted files will be accessible using the new login password.
IMPORTANT NOTES
Always run this command as the user whose passphrase needs rewrapping.
Keep a backup of your data.
Make sure you enter the correct old password, or the rewrap process will fail.
HISTORY
The ecryptfs-rewrap-passphrase command was introduced as part of the eCryptfs project to provide a mechanism for users to update their passphrase encryption keys. It became essential for maintaining access to encrypted data after system or password changes.
SEE ALSO
ecryptfs-setup-private(1), ecryptfsd(8), pam_ecryptfs(8)