pam_ecryptfs
handles ECryptfs encrypted home directories
TLDR
SYNOPSIS
pam_ecryptfs.so [options]
DESCRIPTION
pam_ecryptfs is the PAM glue that makes per-user eCryptfs encrypted home directories transparent at login: when used in the `auth` and `session` stacks it inserts the user's mount passphrase into the kernel keyring (typically by unwrapping `~/.ecryptfs/wrapped-passphrase` with the login password) and then invokes the helper that mounts `~/.Private` (or the entire home) on top of `~`. On logout the session step unmounts and clears the keys.It is the kernel-side counterpart of the ecryptfs-utils suite (`ecryptfs-setup-private`, `ecryptfs-mount-private`).
PARAMETERS
unwrap
Use the user's login passphrase to decrypt the wrapped mount passphrase stored in `~/.ecryptfs/wrapped-passphrase` and add it to the kernel keyring.
CAVEATS
Requires eCryptfs to be set up beforehand with ecryptfs-setup-private. The wrapped-passphrase file is only re-encrypted when the login password changes if the `password` PAM stack also calls `pam_ecryptfs.so` — otherwise password changes silently desynchronize and the user can no longer mount the home directory. eCryptfs is no longer the default in Ubuntu since 18.04 in favor of full-disk encryption (LUKS).
HISTORY
pam_ecryptfs enables automatic encrypted home directory mounting on login.
SEE ALSO
ecryptfs(7), ecryptfs-setup-private(1), pam(8)
