ecryptfs-unwrap-passphrase
ecryptfs-unwrap-passphrase - unwrap an eCryptfs mount passphrase from a wrapped-passphrase file
SYNOPSIS
ecryptfs-unwrap-passphrase [WRAPPED-PASSPHRASE-FILE]
printf "%s" "wrapping passphrase" | ecryptfs-unwrap-passphrase [WRAPPED-PASSPHRASE-FILE] -
PARAMETERS
WRAPPED-PASSPHRASE-FILE
Path of the file holding the wrapped mount passphrase. Defaults to ~/.ecryptfs/wrapped-passphrase when omitted.
-
Given as the second argument, read the wrapping (login) passphrase from standard input instead of prompting for it on the terminal. Useful when another program already holds the passphrase and drives the command.
These are the only arguments the command accepts. It has no option flags: no help or version switch, and no way to skip the signature check it performs on the wrapped file, so a failed unwrap always means a wrong wrapping passphrase or a damaged file.
DESCRIPTION
ecryptfs-unwrap-passphrase belongs to ecryptfs-utils, the user-space tooling for the eCryptfs stacked filesystem on Linux. It reads a wrapped-passphrase file, asks for the wrapping passphrase (normally the user's login passphrase), decrypts the mount passphrase stored in the file and prints it to standard output.
In the encrypted home and encrypted ~/Private setups created by ecryptfs-setup-private and ecryptfs-migrate-home, the mount passphrase that actually protects the data is generated randomly (32 hex characters) rather than chosen by the user. It is stored in ~/.ecryptfs/wrapped-passphrase, encrypted under a key derived from the login passphrase, so that pam_ecryptfs can unwrap it at login and a change of login password only requires rewrapping the file (ecryptfs-rewrap-passphrase), not re-encrypting the data.
Common use, equivalent to running the command with no arguments: ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
The printed mount passphrase is needed when the normal login path is unavailable: mounting from a rescue system (ecryptfs-recover-private, or ecryptfs-add-passphrase --fnek followed by mount -t ecryptfs), or recording the passphrase in a safe place so the data survives loss of the wrapped file or of the login password. Ordinary logins and ecryptfs-mount-private never need the unwrapped value; they work from the wrapped file and the kernel keyring. eCryptfs is legacy technology; fscrypt (native ext4/f2fs encryption) and LUKS full-disk encryption are the usual replacements.
CAVEATS
Everything rests on the login passphrase: the wrapped file can be copied and attacked offline, and the wrapping key is derived from the login passphrase with an iterated hash rather than a memory-hard KDF, so a weak login passphrase exposes the mount passphrase and with it all the data. If the wrapped file is deleted or corrupted and the mount passphrase was never recorded, the data is unrecoverable. Keep ~/.ecryptfs/wrapped-passphrase owned by the user with mode 0600, and keep it out of backups that are not themselves encrypted. There is no option to ignore the signature check on the wrapped file; a failed unwrap is a wrong passphrase or a damaged file, never something to force past. eCryptfs is no longer a mainstream choice: Ubuntu removed the encrypted-home option from its installer in 18.04 in favour of LUKS full-disk encryption.
EXAMPLE USAGE
$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Passphrase: <login passphrase, not echoed>
<32-hex-character mount passphrase printed on stdout>
Non-interactive form, when the wrapping passphrase is already held by the calling program and is written to the pipe by that program rather than typed into a shell with history enabled:
$ some-program-holding-the-login-passphrase | ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase -
To use the result on a rescue system, run ecryptfs-add-passphrase --fnek, paste the printed passphrase, and compare the two signatures it reports with the lines of ~/.ecryptfs/Private.sig before running mount -t ecryptfs; ecryptfs-recover-private automates this sequence.
SECURITY NOTE
Do not write the unwrapped mount passphrase to disk, shell history, a log or a ticket; the wrapped file exists precisely so that the plaintext never has to be stored. Run the command only on a machine you trust, because anyone who can read the terminal or the process's stdout holds the key to all the data. Key derivation is not PBKDF2: libecryptfs hashes the 8-byte salt followed by the passphrase with SHA-512, re-hashes the digest until 65536 hashes have been performed, and uses the result as key material for the wrapping key; one further SHA-512 of that digest, truncated to 8 bytes, is the signature stored beside the wrapped passphrase and used to detect a wrong wrapping passphrase. That work factor is small on a GPU. Early ecryptfs-utils releases also wrapped every file with the same well-known default salt; later releases store a per-file random salt in the wrapped file and use it when unwrapping, so rewrapping an old file with a current release moves it to that format.
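The following is an added example (not code from this page or from ecryptfs-utils) that reimplements the derivation described above, so the value printed by ecryptfs-unwrap-passphrase, or a mount passphrase that was recorded on paper, can be checked against ~/.ecryptfs/Private.sig before a manual mount is attempted. It goes slightly beyond the example usage above by also checking the second, filename-encryption (FNEK) signature that ecryptfs-setup-private writes when filename encryption is enabled. The two default salts, the iteration count, the truncated-SHA-512 signature and the one-or-two-line layout of Private.sig are what I understand libecryptfs (generate_passphrase_sig) and ecryptfs-setup-private to use; the function names and the sample passphrase are this example's own.

```python
# Added example for this page (not part of ecryptfs-utils): recompute the
# eCryptfs passphrase signature the way libecryptfs does, so an unwrapped
# mount passphrase can be checked against ~/.ecryptfs/Private.sig before any
# manual mount is attempted.
import hashlib
import hmac

# Defaults as used by ecryptfs-utils (assumed from its sources): the salt for
# the file-encryption-key signature and the one for the filename-encryption-key
# (FNEK) signature, and the SHA-512 iteration count.
ECRYPTFS_DEFAULT_SALT_HEX = "0011223344556677"
ECRYPTFS_DEFAULT_SALT_FNEK_HEX = "9988776655443322"
ECRYPTFS_HASH_ITERATIONS = 65536
ECRYPTFS_SIG_SIZE = 8          # bytes of signature; shown as 16 hex characters


def derive_key_and_sig(passphrase: str, salt_hex: str = ECRYPTFS_DEFAULT_SALT_HEX):
    """Return (key_material, signature_hex).

    salt||passphrase is hashed with SHA-512 and the digest re-hashed until
    65536 hashes have been done; that 64-byte digest is the key material.
    One further SHA-512 of it, truncated to 8 bytes, is the signature that
    ecryptfs-add-passphrase prints and that Private.sig stores.
    """
    salt = bytes.fromhex(salt_hex)
    if len(salt) != 8:
        raise ValueError("eCryptfs salts are exactly 8 bytes")
    digest = hashlib.sha512(salt + passphrase.encode("utf-8")).digest()
    for _ in range(ECRYPTFS_HASH_ITERATIONS - 1):
        digest = hashlib.sha512(digest).digest()
    sig = hashlib.sha512(digest).digest()[:ECRYPTFS_SIG_SIZE].hex()
    return digest, sig


def private_sig_lines(passphrase: str, fnek: bool = True):
    """Build the lines ecryptfs-setup-private writes to ~/.ecryptfs/Private.sig:
    the mount-passphrase signature, plus the FNEK signature when filename
    encryption is enabled. Used here to construct sample data offline."""
    lines = [derive_key_and_sig(passphrase, ECRYPTFS_DEFAULT_SALT_HEX)[1]]
    if fnek:
        lines.append(derive_key_and_sig(passphrase, ECRYPTFS_DEFAULT_SALT_FNEK_HEX)[1])
    return lines


def check_unwrapped_passphrase(passphrase: str, sig_lines) -> bool:
    """True only if every signature listed in Private.sig matches this passphrase."""
    lines = [l.strip().lower() for l in sig_lines if l.strip()]
    if not lines or len(lines) > 2:
        return False
    salts = [ECRYPTFS_DEFAULT_SALT_HEX, ECRYPTFS_DEFAULT_SALT_FNEK_HEX]
    ok = True
    for expected, salt_hex in zip(lines, salts):
        _, sig = derive_key_and_sig(passphrase, salt_hex)
        ok &= hmac.compare_digest(sig, expected)   # constant-time compare
    return ok


if __name__ == "__main__":
    import getpass
    import os
    import sys

    sig_path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ecryptfs/Private.sig")
    # Read the value printed by ecryptfs-unwrap-passphrase without echoing it.
    candidate = getpass.getpass("Unwrapped mount passphrase: ")
    with open(sig_path) as f:
        lines = f.readlines()
    if check_unwrapped_passphrase(candidate, lines):
        print("passphrase matches", sig_path)
        sys.exit(0)
    print("passphrase does NOT match", sig_path, file=sys.stderr)
    sys.exit(1)
```

Run it on the rescue system with the path to the recovered Private.sig and paste the unwrapped passphrase at the prompt; exit status 0 means the passphrase will produce the signatures the encrypted directory expects. ecryptfs-unwrap-passphrase already refuses a wrong login passphrase, so this check matters most for a passphrase typed from a written record, or when the wrapped file and the Private directory come from different accounts. The loop of 65536 SHA-512 calls is also a direct illustration of the work factor noted above: one guess costs a fraction of a millisecond in Python and far less on a GPU.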
HISTORY
eCryptfs was written by Michael Halcrow at IBM and merged into Linux 2.6.19, released in November 2006. Ubuntu added the encrypted ~/Private directory in 8.10 and encrypted home directories in 9.04, with Dustin Kirkland at Canonical maintaining ecryptfs-utils. The installer option was dropped in Ubuntu 18.04, and the feature has been in maintenance mode since, as fscrypt and LUKS took over.


