New password does not unlock encrypted home folder

Added by Jose Jurado 13 days ago

The installer option to encrypt the home folder was used when installing Calculate 18 xfce version. Recently, the password was changed in a terminal using passwd. How can the new password be assigned to be used automatically as the new passphrase to unlock one's encrypted home folder? Note: This post was originally posted under Forum/Calculate Utilities but got no response; in retrospect, perhaps this section would be more appropriate.

On reboot, the display manager accepted my new password, but instead of displaying my desktop, a message appeared:
Current shell:
cd /home/myusername
Failed to mount ecrypted data:
":Failed to unwrap the passphrase"
Failed to configure the user account

A tty was launched by using Ctrl+Alt+F1, and login was possible using my username and my new password, but the following message appeared:
Signature not found in user keyring
Perhaps try the interactive
'ecryptfs-mount-private'

The home folder appeared encrypted; a README.txt file reported that THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA:

$ pwd
/home/myusername
$ ls
Access-your-Private-Data.desktop     README.txt

My home folder was unlocked by entering my former password for the following:

$ ecryptfs-mount-private

The response was as follows, but with sig modified:
Inserted auth tok
sig [d8f46234234a4a0f7f]
into the user session keyring
INFO: Your private directory has been mounted
INFO: To see this change in your current shell
cd /home/myusername

This 'auth tok' message reappears each time I reboot and repeat the procedure for another session (reported otherwise in earlier edit).

$ ls still reported the same two folder items shown above, but a message helped find my usual home folder contents by indicating correctly that the home folder could be accessed by doing cd /home/myusername. This did indeed demonstrate unencrypted home folder contents, but this was unusual because after running ecryptfs-mount-private, $ pwd reported that I was already at that path.

An x11 session can be launched with $ startx, but at that point perhaps it could be safer to return to the x11 session already running by doing Ctrl+Alt+F7, as login works fully now because the home folder has been mounted.

Perhaps an additional step to change the passphrase is required. An explanation at the Arch Wiki re ecryptfs-rewrap-passphrase may point to a solution:

$ ecryptfs-rewrap-passphrase /home/$USER/.ecryptfs/wrapped-passphrase

Should one also 'check' the keyring as follows (and not 'clear' it with keyctl clear @u if the new passphrase was changed correctly)?

$ keyctl list @u

Does Calculate Linux just encrypt /home/myusername and not /home (nor /swap)?

man ecryptfs-rewrap-passphrase points to further help at /usr/share/doc/ecryptfs-utils/ecryptfs-faq.html, which seems to correspond to /usr/share/doc/ecryptfs-utils-108-r1/html/ecryptfs-faq.html, but it does not spell out commands for my situation. The man page points to further support also at http://ecryptfs.org, but I'm not sure whether the solution lies with ecryptfs-rewrap-passphrase regarding passphrase changes in Calculate Linux.

Originally, I thought that perhaps my password was not adopted as the passphrase automatically because of earlier system hardening, such as the following?

chmod 700 /root
chmod 600 /etc/cron.allow
chmod 600 /etc/at.allow
chmod 700 /usr/lib64/audit
chmod -R 700 /etc/skel

Could someone please confirm whether simply executing the ecryptfs-rewrap-passphrase command above in a tty will prompt me to change my passphrase appropriately for this OS, perhaps after executing ecryptfs-mount-private? Thank you for any help.


Thank you!
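
A diagnostic for the "Signature not found in user keyring" message quoted in the post, as an added example that is not part of the original post and not Calculate Linux's own code: it compares the signatures eCryptfs expects with the keys listed by keyctl list @u. It assumes the standard ecryptfs-utils layout, where ~/.ecryptfs/Private.sig holds one signature per line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: ~/.ecryptfs/Private.sig lists one key signature per line
# (standard ecryptfs-utils layout). Function names are hypothetical.

# sig_in_keyring SIG KEYCTL_OUTPUT
# Succeeds if the `keyctl list @u` output contains a "user" key whose
# description is exactly SIG. Both sides are forced to strings so that
# all-digit signatures are not compared numerically.
sig_in_keyring() {
    printf '%s\n' "$2" | awk -v sig="$1" '
        NF >= 2 && $(NF-1) == "user:" && ($NF "") == (sig "") { found = 1 }
        END { exit !found }'
}

# missing_sigs SIGFILE KEYCTL_OUTPUT
# Prints every signature from SIGFILE that is absent from the keyring
# listing. Blank lines and a missing final newline are tolerated.
missing_sigs() {
    while IFS= read -r sig || [ -n "$sig" ]; do
        [ -n "$sig" ] || continue
        sig_in_keyring "$sig" "$2" || printf '%s\n' "$sig"
    done < "$1"
}

# Constructed sample data: a keyring holding one of the two signatures
# that the constructed Private.sig below expects.
SAMPLE_KEYCTL='1 key in keyring:
 123456789: --alswrv  1000  1000 user: 0123456789abcdef'

demo() {
    sigfile=$(mktemp) || return 1
    printf '0123456789abcdef\nfedcba9876543210\n' > "$sigfile"
    missing_sigs "$sigfile" "$SAMPLE_KEYCTL"
    rm -f "$sigfile"
}

demo   # prints the expected signature that is not loaded

# On a live system (run in the tty after logging in):
#   missing_sigs "$HOME/.ecryptfs/Private.sig" "$(keyctl list @u)"
```

Empty output means every expected signature is loaded; any signature printed is one the login did not insert into the keyring.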