[SOLVED] Home encryption


[SOLVED] Home encryption

Post by Menard »

When I installed LM20 I activated the home encryption, and some months later I installed LM20.1 on another partition without home encryption (not sure it was an option).
Then I use these 2 Mints with the same home partition... how is it possible? How can the other Mint decrypt the home of my encrypted one?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Linux Mint 20.3 Cinnamon - K 5.15 - Desktop - english
AMD APU A8 7600 - DDR3 1833 MHz 8 GB x2 Dual Channel
--

If you think tough men are dangerous, wait until you see what weak men are capable of.

Re: Home encryption

Post by xenopeek »

Home encryption is per user. So if you're using different user accounts on your LM20 and LM20.1 installations, even if /home is on a shared partition, if one user has opted for home encryption and the other hasn't—that's why only one user is using home encryption. Your home is your own.
Edit: see rene and dave0808's answers below instead

Re: Home encryption

Post by rene »

I believe xenopeek above answered a different question than asked. That is: a user's encrypted home directory lives under /home/.ecryptfs/<username> and is, on login of said user, decrypted and mounted on /home/<username>. This decryption happens (in a two-step process; not important here) under control of the user's login password: it appears you picked the same password for that same username the second time around. In short, everything to do with an encrypted home directory is contained under /home, so if you reuse /home, the username AND the password, all is as expected.

[EDIT] Managed to read the post differently as well; question then is if the post is "how come this Just Works?" (my answer) or "How come this does not Just Work?" (his).

Re: Home encryption

Post by dave0808 »

My guess is that your users on both systems use the same password. The password unlocks your crypto key, which in turn allows the encrypted data to be mounted and accessed.

Re: Home encryption

Post by xenopeek »

You're right rene, I answered the wrong question. Whoops.

Re: Home encryption

Post by Menard »

Oh yes, that's right, I use the same password,
and one time it failed: the 2 Mints are similar, with the same user accounts, but I had the first account on LM20.1 opened with the second account's data, or it may be the reverse, I don't remember.

Re: Home encryption

Post by xenopeek »

One thing to be aware of: when you change the password on an account, the encryption key is rewrapped with that password. On the other account you can still log in with the old password (as you've not changed it on the Linux Mint install) but that password won't unwrap the encryption key (because it's wrapped with the other password) so you will no longer be able to access your files from that account.

Re: Home encryption

Post by Menard »

OK, yes, I understand this, and do you know if it is normal to have an ".ecryptfs" folder in /home, or is this only when home is encrypted?
So weird that I have it, as I am not on the session that I had as encrypted.
I tried the Ubuntu process to stop home encryption, and it uninstalled this application, but I still have this folder in home (.ecryptfs) and this account's icon is tagged with a little cross (because it is an admin account?)

Anyway, I don't know how to check if this account is still encrypted.

Re: Home encryption

Post by dave0808 »

Menard wrote: Tue Aug 03, 2021 6:27 am OK, yes, I understand this, and do you know if it is normal to have an ".ecryptfs" folder in /home, or is this only when home is encrypted?

Yes, that is where the encrypted data is stored.

Menard wrote: So weird that I have it, as I am not on the session that I had as encrypted.

I think you have misunderstood. When you installed your second system, used the same /home partition, and used the same username, then the user on your second system was already set up for an encrypted home. Equally, as you've shared the /home partition, the ".ecryptfs" is going to exist on both systems.

Menard wrote: I tried the Ubuntu process to stop home encryption, and it uninstalled this application, but I still have this folder in home (.ecryptfs) and this account's icon is tagged with a little cross (because it is an admin account?)
Anyway, I don't know how to check if this account is still encrypted.

You can check the partition's mount settings...

mount | grep /home/<username>
Obviously replace <username> with your actual login name.

If you get no output from the command, then you're not using an encrypted file system (or you've typed the command in wrong). If it is encrypted, you will get something like the following...

$ mount | grep /home/dave0808
/home/.ecryptfs/dave0808/.Private on /home/dave0808 type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=xxxxxxxxx,ecryptfs_sig=xxxxxxxxx,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Re: Home encryption

Post by Menard »

Before reading you I've made further tests: from a Mint installation USB drive I opened the supposedly encrypted folder in the home partition, and I could see the content and copy a folder to an NTFS partition, and so from my standard LM I could read the contents of a file. So either I succeeded in stopping the auto-encryption of the home, or it works only inconsistently (not reliable); and in the first case I could delete this little .ecryptfs folder (?)

There I am not on my admin account, the only one to have been encrypted, so I cannot execute your command lines.

Re: Home encryption

Post by dave0808 »

It will be useful to boot into both of your installed systems and run the command I posted, just to double check that you have removed the encryption and that you can still access all of the files that you expect in your home directory. It does not hurt to be thorough especially before deleting something like this.

Check for which users the encryption was set up, by listing the contents of /home/.ecryptfs. If you used the same username on both systems, then it should be the only one listed, unless the process you used to remove the encryption has also removed the directory. If there's nothing listed in that directory, then you have removed it fully.

If your user is listed there, then boot into both systems, login as your user, and check that the following command gives no output...

mount | grep $USER
If you get no output that is related to ecryptfs on both systems, you could then safely remove the directory. Personally I would back it up first before removing it, just in case.
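
The check described in the post above, written as a script; this is an added example, not part of the original thread. It lists each user under /home/.ecryptfs and matches the exact mount point and filesystem type in /proc/mounts instead of grepping for the name; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which users under /home/.ecryptfs currently have an
# eCryptfs mount on their home directory. Paths follow the thread; the
# function names are made up for this illustration.

# ecryptfs_mounted USER [MOUNTS_FILE]
# Exit 0 if MOUNTS_FILE (default /proc/mounts) has an entry of type
# ecryptfs mounted exactly on /home/USER, exit 1 otherwise.
ecryptfs_mounted() {
    awk -v target="/home/$1" \
        '$2 == target && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# ecryptfs_report [ECRYPTFS_DIR] [MOUNTS_FILE]
# Print one status line per user directory found under ECRYPTFS_DIR.
ecryptfs_report() {
    dir="${1:-/home/.ecryptfs}"
    mounts="${2:-/proc/mounts}"
    [ -d "$dir" ] || { echo "no $dir: encryption data not present"; return 0; }
    for entry in "$dir"/*; do
        [ -d "$entry" ] || continue        # skip files and an empty glob
        user=$(basename "$entry")
        if ecryptfs_mounted "$user" "$mounts"; then
            echo "$user: encrypted home is mounted"
        else
            echo "$user: data present, not mounted here"
        fi
    done
}

# An encrypted home is only mounted while its user is logged in, so run
# this after logging in as that user, on each installation in turn.
ecryptfs_report "$@"
```

A "not mounted here" line on both installations, taken while that user is logged in, corresponds to the "no output" result the post asks for before removing the directory.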

Re: Home encryption

Post by Menard »

It is done, so it's OK: the folder contains a subfolder named as the encrypted user account's home, and the commands give nothing from both Mint OS.
Thanks