10

If I give ecryptfs-unwrap-passphrase my login password, it outputs a hashed string. Is that my passphrase (still unknown...)? Or is it a hash of the login password?

What really interests me is being able to back up the passphrase. Sorry for the naive question...

CapelliC

3 Answers

17

It's not a hashed value, but it is the 128-bit value that is the symmetric encryption/decryption passphrase (key) for your files. It just looks like an MD5 hash because it's a 128-bit value.

The passphrase you're queried for is the user's (your?) login password, with which the encryption passphrase/key is encrypted (in ecryptfs' terms "wrapped").

This enables you to change your login password (with which the encryption passphrase is wrapped) without changing the encryption passphrase itself (which would result in the need to re-encrypt all encrypted files).

Think of it like an SSH private key that you protected with a passphrase - only that, knowing the "raw" encryption passphrase, you can recover your encrypted files without knowing the wrapping passphrase.

So you may store this 128-bit value somewhere safe (e.g. write it down and lock it away somewhere), and even if you forget your wrapping passphrase (i.e. login password), or something else goes wrong, you will be able to recover your encrypted files with the ecryptfs-utils - particularly ecryptfs-recover-private: answer No to the question whether you know your LOGIN password; it will then ask if you know the encryption passphrase, which you may then type in from the paper on which you've written it down.

vucalur
Nico R
  • The fact that here the login password is suddenly called "passphrase" gave me a lot of headaches. Nowhere was it mentioned that when it is asking for a passphrase, one is supposed to type the login password. I think I may also have tried my login password, but might have mistyped it and then gave up and tried different passphrases that I use. Really confusing, I banged my head on the wall for 5 hours before I found your wonderful answer! :) Thanks a lot! – Ossi Viljakainen Sep 11 '17 at 08:10
  • agree @OssiViljakainen, couldn't be more confusing! – benzkji Mar 23 '18 at 08:40
  • Using `ecryptfs-unwrap-passphrase` while being logged into an account with an encrypted home dir is even more confusing. You execute a command that unequivocally tells your computer to unwrap (=output) your passphrase (the 128-bit one), and then, right thereafter, get asked to enter your "Passphrase:" - heck, I'm asking _you_! Please don't expect non-clairvoyants to magically know that "Passphrase:" now means "Enter your login password". – Nico R Sep 01 '22 at 06:05
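The wrap / rewrap / recover relationship described in the answer above, as an added stand-alone example. This is not ecryptfs-utils code and does not reproduce the on-disk layout of ~/.ecryptfs/wrapped-passphrase; the primitives (PBKDF2-HMAC-SHA512, a one-time XOR wrap of the 16-byte key, an HMAC tag), the iteration count, the field layout and all function names are this example's own assumptions, chosen so it runs with only the Python standard library:

```python
"""Key wrapping in the ecryptfs style: a random 128-bit mount passphrase
(the key that really encrypts the files) is stored encrypted ("wrapped")
under a key derived from the login password.

Added illustration only: not ecryptfs-utils code, not its file format.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 65536  # this example's own choice for the password KDF


def generate_mount_passphrase() -> bytes:
    """The 128-bit random key that actually encrypts the files.
    Printed as 32 hex chars it resembles an MD5 hash, but it is not one."""
    return secrets.token_bytes(16)


def _derive(login_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 16-byte wrapping key and a 32-byte MAC key from the login password."""
    okm = hashlib.pbkdf2_hmac("sha512", login_password.encode(), salt, ITERATIONS, dklen=48)
    return okm[:16], okm[16:]


def wrap(mount_passphrase: bytes, login_password: str) -> bytes:
    """Encrypt ("wrap") the mount passphrase under the login password.
    Layout (this example's own): 16-byte salt || 16-byte ciphertext || 32-byte tag.
    A fresh random salt per wrap means the XOR key is never reused."""
    assert len(mount_passphrase) == 16
    salt = os.urandom(16)
    wrap_key, mac_key = _derive(login_password, salt)
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, wrap_key))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap(blob: bytes, login_password: str) -> bytes:
    """Recover the mount passphrase; raise ValueError on a wrong login password."""
    if len(blob) != 64:
        raise ValueError("malformed wrapped passphrase")
    salt, ct, tag = blob[:16], blob[16:32], blob[32:]
    wrap_key, mac_key = _derive(login_password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping passphrase (login password)")
    return bytes(a ^ b for a, b in zip(ct, wrap_key))


def rewrap(blob: bytes, old_password: str, new_password: str) -> bytes:
    """Change the login password. The mount passphrase itself is unchanged,
    so no file content needs re-encrypting (cf. ecryptfs-rewrap-passphrase)."""
    return wrap(unwrap(blob, old_password), new_password)


def demo() -> dict:
    """Walk through: wrap, change login password, recover via password, recover via backup."""
    mount = generate_mount_passphrase()
    blob1 = wrap(mount, "old-login-pw")
    blob2 = rewrap(blob1, "old-login-pw", "new-login-pw")
    recovered_via_login = unwrap(blob2, "new-login-pw")
    try:
        unwrap(blob2, "old-login-pw")
        old_pw_still_works = True
    except ValueError:
        old_pw_still_works = False
    # What the user writes down: the hex form that ecryptfs-unwrap-passphrase prints.
    backup_hex = mount.hex()
    return {
        "mount": mount,
        "recovered_via_login": recovered_via_login,
        "old_pw_still_works": old_pw_still_works,
        "backup_hex": backup_hex,
        "recovered_from_backup": bytes.fromhex(backup_hex),  # needs no login password
        "blob_changed": blob1 != blob2,
    }
```

Running `demo()` shows the two properties the answer relies on: after a password change the wrapped blob changes and the old password no longer unwraps it, while the 128-bit mount passphrase (and so every file's ciphertext) is unchanged; and the 32-hex-character string a user writes down is that key itself, which is why recovery can proceed from it alone, without the login password.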
3

ecryptfs-unwrap-passphrase is used to display your mount passphrase. If you want to see your mount passphrase, use the following command:

ecryptfs-unwrap-passphrase /home/yourusername/.ecryptfs/wrapped-passphrase

More related information can be found here: https://help.ubuntu.com/community/EncryptedPrivateDirectory#Recovering_Your_Mount_Passphrase

Yalok Iy
  • thanks @Yalok. But it keeps answering with a hash - the very same one it answers with when I call ecryptfs-unwrap-passphrase without /home/yourusername/.ecryptfs/wrapped-passphrase. So what is the hashed string about? It queries for a passphrase that I didn't save. It did. So I enter my user password and it outputs a hash. How to recover the unhashed passphrase, or can I only change it? – CapelliC Aug 16 '15 at 18:26
  • I have the same setup with ecryptfs on my PC. I did it a long time ago and I don't remember whether I entered such a long passphrase (or whether it's a hashed value indeed). You can test using a live CD and see for yourself whether the output is a passphrase indeed or not. Here is how to test it: https://help.ubuntu.com/community/EncryptedPrivateDirectory#Live_CD_method_of_opening_a_encrypted_home_directory – Yalok Iy Aug 16 '15 at 19:32
1

Did you ever resolve this? I'm suspecting that you accidentally checked the "Encrypt home directory" box when you installed Ubuntu. I've sometimes neglected to make a copy of the unwrapped hex passphrase myself. I don't know if there's a way to unlock the encrypted files on a new system if you don't have the hex passphrase. Thanks for the reminder. It may have been too late for you.

It looks like since timeshift normally runs as root that it doesn't access the decrypted versions of the directories and saves the encrypted versions of them. This is actually a good thing when you back up to an unencrypted external hard drive but it makes it more important to save the unwrapped hex passphrase. Maybe the Ubuntu developers should require that a USB stick be inserted at installation time to save it on?

thalwegz
  • You're right, I did check the "Encrypt home directory" box when I installed Ubuntu (12.04, IIRC). Fortunately, I didn't have any need to recover the old files, I just copied them onto the new machine, and the old one got retired. The crypt interface seems somewhat counterintuitive; I hope they patched it. Never tried again.... – CapelliC Aug 03 '20 at 19:02
  • I'm glad it worked out. Now that I'm braver, using whole-disk encryption is probably the way to go. Just be sure to LUKS-encrypt your backup drive, too, if you use whole-disk encryption on your install drive. – thalwegz Aug 03 '20 at 19:06