LinuxCommandLibrary
GitHubF-DroidGoogle Play Store

pam_ecryptfs

handles ECryptfs encrypted home directories

TLDR

Auto-mount encrypted home
$ auth optional pam_ecryptfs.so unwrap
copy
Session setup
$ session optional pam_ecryptfs.so unwrap
copy
Password sync
$ password optional pam_ecryptfs.so
copy

SYNOPSIS

pam_ecryptfs.so [options]

DESCRIPTION

pam_ecryptfs is the PAM glue that makes per-user eCryptfs encrypted home directories transparent at login: when used in the `auth` and `session` stacks it inserts the user's mount passphrase into the kernel keyring (typically by unwrapping `~/.ecryptfs/wrapped-passphrase` with the login password) and then invokes the helper that mounts `~/.Private` (or the entire home) on top of `~`. On logout the session step unmounts and clears the keys.It is the kernel-side counterpart of the ecryptfs-utils suite (`ecryptfs-setup-private`, `ecryptfs-mount-private`).

PARAMETERS

unwrap

Use the user's login passphrase to decrypt the wrapped mount passphrase stored in `~/.ecryptfs/wrapped-passphrase` and add it to the kernel keyring.

CAVEATS

Requires eCryptfs to be set up beforehand with ecryptfs-setup-private. The wrapped-passphrase file is only re-encrypted when the login password changes if the `password` PAM stack also calls `pam_ecryptfs.so` — otherwise password changes silently desynchronize and the user can no longer mount the home directory. eCryptfs is no longer the default in Ubuntu since 18.04 in favor of full-disk encryption (LUKS).

HISTORY

pam_ecryptfs enables automatic encrypted home directory mounting on login.

SEE ALSO

Copied to clipboard
Kai