Changing the password of an encrypted home directory not possible?!

Dear all,

I’m stumped - I’ve now searched for quite a while to find out how to change the password of an encrypted home directory… YaST has the option to encrypt the home directory by using a container - that is, after encryption, there are USERNAME.img and USERNAME.key files in /home. Using pam_mount, the container will be mounted after login in /home/USERNAME.

So YaST uses the key file, but encrypts it by using the password of the user at creation time. Changing the password of the .img container using LUKS methods isn’t possible without knowing how this key file is encrypted - and I can’t find any documentation on how it’s done!

cryptsetup luksAddKey doesn’t work, as the container doesn’t use a password (“No key available with this passphrase”). Using the key file (USERNAME.key) doesn’t work either, because the key file is encrypted (luksAddKey with -d results in the same message).

Now if (as a normal user) I change my password, logging in will not work anymore, as the container won’t be decrypted and mounted as my home dir. And why isn’t there any documentation about it or was I just too stupid to find it?

Thanks in advance and best regards!

I don’t bother with an encrypted /home/user but I think your password is encrypted with the folder and changing your user password is automatically picked up and folder re-encrypted (by pam).

This option was removed long ago. You marked your question as Tumbleweed but it does not have any option to do it. Either describe step by step how you created encrypted home on current tumbleweed (including installation of any additional packages) or tell what version of openSUSE you are really using.

I do have Tumbleweed and I used YaST to do it. The initial install was somewhere around 2016, I encrypted my home dir in October 2017 and currently my Tumbleweed version is 20180919. So in October 2017 that functionality still existed. Don’t you think that I wouldn’t have the problem if it was done by me and not by YaST?! And granted, the current YaST version doesn’t seem to have that option, which sucks, because my workaround now would have been to recreate my user with the new password and then copy all the data.

But since it has been removed, I will have to do it the hard way and recreate it manually with a new password.

I have not used this form of encrypted home directory. But I would guess that you could use (as root)

cryptsetup luksAddKey /path/to/container

to add an additional password.

You would have the same problem if you manually used cryptconfig. The problem is not what frontend you use, but what tool implements it.

But since it has been removed, I will have to do it the hard way and recreate it manually with a new password.

YaST never had an option to add a key, so I am not sure how it is related. And the underlying cryptconfig only offered multiple keys during image creation, and even then you could only generate random keys, not use pre-existing ones.

If you are truly adventurous, you can hack cryptconfig to reuse the existing key file in “cryptconfig create-key” instead of generating a random one. This is actually pretty trivial.

You missed the point. cryptconfig (used in the past to encrypt user directories) generated a key file with random content encrypted with the user’s password. There was no option to explicitly decrypt it nor to encrypt an arbitrary file. So while you of course can add a key to the LUKS container, you cannot (easily) use the same key to decrypt home.
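The key-file design that last reply describes, as an added illustration that is not code from any poster and not cryptconfig’s real (undocumented) on-disk format: a random container key is stored wrapped under a password-derived key, so a password change has to re-wrap the key file, which is why `passwd` alone breaks the login and why LUKS key-slot operations never touch it. The cipher construction, field layout and PBKDF2 parameters are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo of the design described above: a random container key is stored
# on disk encrypted under a key derived from the login password, so a password
# change must re-wrap the key file while the container key and its LUKS slot stay
# the same. The cipher (HMAC-SHA256 keystream + tag) is a stand-in, NOT cryptconfig's
# real, undocumented key-file format.

PBKDF2_ITER = 200_000
SALT_LEN, TAG_LEN = 16, 32

def derive_wrap_keys(password: str, salt: bytes) -> tuple:
    # separate encryption and MAC keys from one password-derived block
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER, 64)
    return km[:32], km[32:]

def keystream(key: bytes, n: int) -> bytes:
    # counter-mode keystream built from HMAC-SHA256 (toy stand-in for a cipher)
    blocks = [hmac.new(key, i.to_bytes(8, "big"), "sha256").digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def wrap_key(container_key: bytes, password: str) -> bytes:
    # key-file contents: salt || encrypted container key || tag
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_wrap_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(container_key, keystream(enc_key, len(container_key))))
    return salt + ct + hmac.new(mac_key, salt + ct, "sha256").digest()

def unwrap_key(keyfile: bytes, password: str) -> bytes:
    # what pam_mount needs at login: recover the container key or fail closed
    salt, ct, tag = keyfile[:SALT_LEN], keyfile[SALT_LEN:-TAG_LEN], keyfile[-TAG_LEN:]
    enc_key, mac_key = derive_wrap_keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        raise ValueError("wrong password: key file cannot be decrypted")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))

def can_unwrap(keyfile: bytes, password: str) -> bool:
    try:
        unwrap_key(keyfile, password)
        return True
    except ValueError:
        return False

def change_password(keyfile: bytes, old_password: str, new_password: str) -> bytes:
    # the step `passwd` never performs: re-wrap the same key under the new password
    return wrap_key(unwrap_key(keyfile, old_password), new_password)
```

Note that `change_password` needs the old password to unwrap first; without it (or without documentation of the real wrapping format) the only option is the one the thread reaches, recreating the container.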