
Thread: Changing the password of an encrypted home directory not possible?!

  1. #1

    Changing the password of an encrypted home directory not possible?!

    Dear all,

    I'm stumped - I now searched for quite a while to find out how to change the password of an encrypted home directory... YaST has the option to encrypt the home directory by using a container - that is, after encryption, there are USERNAME.img and USERNAME.key files in /home. Using pam_mount, the container will be mounted after login in /home/USERNAME.

    So YaST uses the key file, but encrypts it by using the password of the user at creation time. Changing the password of the .img-container using luks methods isn't possible, without knowing how this key file is encrypted - and I can't find any documentation how it's done!

    cryptsetup luksAddKey doesn't work, as the container doesn't use a password ("No key available with this passphrase"). Using the key file (USERNAME.key) doesn't work either, because the key file is encrypted (luksAddKey with -d results in the same message).

    Now if (as a normal user) I change my password, logging in will not work anymore, as the container won't be decrypted and mounted as my home dir. And why isn't there any documentation about it or was I just too stupid to find it?


    Thanks in advance and best regards!

  2. #2
    Join Date
    Jun 2008
    Location
    Yorkshire
    Posts
    322

    Re: Changing the password of an encrypted home directory not possible?!

    I don't bother with an encrypted /home/user but I think your password is encrypted with the folder and changing your user password is automatically picked up and folder re-encrypted (by pam).
    Pete

  3. #3
    Join Date
    Sep 2012
    Posts
    4,977

    Re: Changing the password of an encrypted home directory not possible?!

    Quote Originally Posted by Jansemon
    YaST has the option to encrypt the home directory by using a container
    This option was removed long ago. You marked your question as Tumbleweed but it does not have any option to do it. Either describe step by step how you created encrypted home on current tumbleweed (including installation of any additional packages) or tell what version of openSUSE you are really using.

  4. #4

    Re: Changing the password of an encrypted home directory not possible?!

    Quote Originally Posted by arvidjaar
    This option was removed long ago. You marked your question as Tumbleweed but it does not have any option to do it. Either describe step by step how you created encrypted home on current tumbleweed (including installation of any additional packages) or tell what version of openSUSE you are really using.
    I do have Tumbleweed and I used YaST to do it. The initial install was somewhere around 2016, I encrypted my home dir in October 2017 and currently my Tumbleweed version is 20180919. So in October 2017 that functionality still existed. Don't you think that I wouldn't have the problem if it was done by me and not by YaST?! And granted, the current YaST version doesn't seem to have that option, which sucks, because my workaround now would have been to recreate my user with the new password and then copy all the data.

    But since it has been removed, I will have to do it the hard way and recreate it manually with a new password.

  5. #5
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,373
    Blog Entries
    3

    Re: Changing the password of an encrypted home directory not possible?!

    Quote Originally Posted by Jansemon
    So YaST uses the key file, but encrypts it by using the password of the user at creation time. Changing the password of the .img-container using luks methods isn't possible, without knowing how this key file is encrypted - and I can't find any documentation how it's done!
    I have not used this form of encrypted home directory. But I would guess that you could use (as root)
    Code:
    cryptsetup luksAddKey /path/to/container
    to add an additional password.
    openSUSE Leap 15.1; KDE Plasma 5;

  6. #6
    Join Date
    Sep 2012
    Posts
    4,977

    Re: Changing the password of an encrypted home directory not possible?!

    Quote Originally Posted by Jansemon
    Don't you think that I wouldn't have the problem if it was done by me and not by YaST?!
    You would have the same problem if you manually used cryptconfig. The problem is not what frontend you use, but what tool implements it.
    Quote Originally Posted by Jansemon
    But since it has been removed, I will have to do it the hard way and recreate it manually with a new password.
    YaST never had an option to add a key, so I am not sure how it is related. And the underlying cryptconfig only offered multiple keys during image creation, and even then you could only generate random keys, not use pre-existing ones.

    If you are truly adventurous, you can hack cryptconfig to reuse an existing key file in "cryptconfig create-key" instead of generating a random one. This is actually pretty trivial.

  7. #7
    Join Date
    Sep 2012
    Posts
    4,977

    Re: Changing the password of an encrypted home directory not possible?!

    Quote Originally Posted by nrickert
    Code:
    cryptsetup luksAddKey /path/to/container
    You missed the point. cryptconfig (used in the past to encrypt user directories) generated a key file with random content, encrypted by the user's password. There was no option to explicitly decrypt it nor to encrypt an arbitrary file. So while you of course can add a key to the LUKS container, you cannot (easily) use the same key to decrypt home.
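
The key-file scheme described in post #7, as an added sketch that is not part of the thread and not cryptconfig's or pam_mount's own code: the `.key` file holds a random volume key encrypted under the login password, so a password change means re-encrypting that file with the new password while the LUKS header stays untouched. The cipher and digest, the function names and the sample passwords are assumptions; the thread does not say which parameters cryptconfig used.

```shell
#!/bin/sh
# Added illustration. CIPHER and DIGEST are assumptions: set them to the
# fskeycipher / fskeyhash values of the volume entry in pam_mount.conf.xml.
CIPHER="aes-256-cbc"
DIGEST="sha256"

# wrap_key PLAIN_IN WRAPPED_OUT PASSWORD: encrypt the volume key under a password.
wrap_key() {
    KEYPASS="$3" openssl enc -e "-$CIPHER" -md "$DIGEST" -salt \
        -pass env:KEYPASS -in "$1" -out "$2" 2>/dev/null
}

# unwrap_key WRAPPED_IN PLAIN_OUT PASSWORD: non-zero exit on a bad decrypt.
unwrap_key() {
    KEYPASS="$3" openssl enc -d "-$CIPHER" -md "$DIGEST" \
        -pass env:KEYPASS -in "$1" -out "$2" 2>/dev/null
}

# rewrap_key KEYFILE OLDPASS NEWPASS: same volume key, new wrapping password.
# The LUKS header is never touched; KEYFILE.bak keeps the old wrapping.
rewrap_key() {
    work=$(mktemp -d) || return 1      # mode 0700; use a tmpfs on a real system
    unwrap_key "$1" "$work/plain" "$2" &&
        wrap_key "$work/plain" "$work/new" "$3" &&
        cp -p "$1" "$1.bak" && cat "$work/new" > "$1"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# demo: constructed key file, password change, then check the key is unchanged.
demo() {
    d=$(mktemp -d) || return 1
    head -c 64 /dev/urandom > "$d/volume.key"   # stand-in for the random key
    wrap_key "$d/volume.key" "$d/USERNAME.key" 'old-login-pw' || return 1
    rewrap_key "$d/USERNAME.key" 'old-login-pw' 'new-login-pw' || return 1
    unwrap_key "$d/USERNAME.key" "$d/after" 'new-login-pw' || return 1
    cmp -s "$d/volume.key" "$d/after"; rc=$?
    # The old password must no longer recover the key.
    if unwrap_key "$d/USERNAME.key" "$d/stale" 'old-login-pw' &&
       cmp -s "$d/volume.key" "$d/stale"; then rc=1; fi
    rm -rf "$d"
    return "$rc"
}

demo && echo "volume key identical before and after the password change"
```

The unwrapped bytes, not the login password, are what the LUKS container accepts as key material, which is why `luksAddKey` rejects both the password and the still-encrypted key file.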
