Can root see my encrypted /home folder?
Question (score 16):

Just wondering: if I use ecryptfs to encrypt my /home folder,

    sudo ecryptfs-migrate-home -u username

can another user with root privileges change my password, then log in to my account using the new password and see my encrypted /home?

If I change my own password, I suppose I can still access my encrypted /home. How is it different from root changing my password and logging in as me?

Tags: permissions, password, encryption, ecryptfs
asked Sep 4 at 10:23 by albertma789
2 Answers

Accepted answer (score 23), answered Sep 4 at 10:47, edited Sep 4 at 11:05, by RoVo:
Short answer: yes and no.

Can root see my encrypted /home folder?

Yes. As long as you are logged in, root as well as any sudo user can see your decrypted files. Also, when you wake up from sleep, your /home will still be decrypted.

Also, there is a bug in ecryptfs that prevents unmounting the decrypted /home folder at logout. You should instead shut down or restart the machine. See this question for more information.

Can another user with root privileges change my password, then log in to my account using the new password and see my encrypted /home?

No. Your /home folder is not encrypted with your password, but with a passphrase which is encrypted with your password. Another user changing your password will not affect the passphrase.

At the first login after an administrative password change, you have to mount your encrypted home manually and rewrap the passphrase. For these tasks you need your old and your new password:

    ecryptfs-mount-private
    ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase

When you change your password, the home directory passphrase is re-encrypted with your new password, so you should have continued access to your files with the new password. This is handled via PAM (Pluggable Authentication Modules) (via).

See this related question.
Comments:

Stormlord (Sep 4 at 11:02, score 8): There is an issue with ecryptfs and systemd. Once a user is logged in and the home folder is decrypted, it stays that way whether that user remains logged in or they log out. The only way to re-encrypt the home folder is to restart the system. This bug hasn't been fixed yet.

RoVo (Sep 4 at 11:06): thanks, added that information
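The key hierarchy the accepted answer describes (a random mount passphrase that really encrypts the files, wrapped by the login password, so that root rewriting the password in /etc/shadow leaves the wrapped passphrase unusable until the user rewraps it with the old and new password) can be played through in code. The following Python model is an added example; it is not part of the answer and not ecryptfs' own code or file format. The scrypt key derivation, the XOR-plus-HMAC wrapping, the bare SHA-256 stand-in for the shadow entry, and the `Account` class with its `login`, `user_passwd` and `root_passwd` methods are all constructed for illustration.

```python
"""Model of the key hierarchy behind an ecryptfs-style encrypted home.

Constructed illustration: this is NOT ecryptfs' real wrapped-passphrase file
format, cipher or password-hashing; only the structure is modelled:

    login password --derives--> wrapping key --protects--> mount passphrase
    mount passphrase --protects--> the files under /home/<user>

What root changes with `passwd <user>` is the /etc/shadow entry (modelled here
by `shadow_hash`); the wrapped passphrase in ~/.ecryptfs is left alone.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SALT = b"constructed-salt"  # a fixed salt stands in for ecryptfs' salt
PP_LEN = 16                 # length in bytes of the random mount passphrase


def derive_wrapping_key(password: str) -> bytes:
    """Password -> key used to wrap the mount passphrase (scrypt stands in for the real KDF)."""
    return hashlib.scrypt(password.encode(), salt=SALT, n=2 ** 14, r=8, p=1, dklen=PP_LEN)


def wrap_passphrase(mount_passphrase: bytes, password: str) -> bytes:
    """Return wrapped blob = masked passphrase (16 bytes) || HMAC tag (32 bytes).

    Toy construction: the mask is the derived key itself, which is fine for
    showing the structure but is not how a real key wrap is built."""
    kek = derive_wrapping_key(password)
    masked = bytes(a ^ b for a, b in zip(mount_passphrase, kek))
    tag = hmac.new(kek, masked, hashlib.sha256).digest()
    return masked + tag


def unwrap_passphrase(wrapped: bytes, password: str) -> Optional[bytes]:
    """Recover the mount passphrase, or None if `password` is not the one it was wrapped with."""
    kek = derive_wrapping_key(password)
    masked, tag = wrapped[:PP_LEN], wrapped[PP_LEN:]
    if not hmac.compare_digest(hmac.new(kek, masked, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(masked, kek))


def rewrap_passphrase(wrapped: bytes, old_password: str, new_password: str) -> bytes:
    """What `ecryptfs-rewrap-passphrase` does: unwrap with the OLD password, wrap with the NEW."""
    pp = unwrap_passphrase(wrapped, old_password)
    if pp is None:
        raise ValueError("old password does not unwrap the passphrase")
    return wrap_passphrase(pp, new_password)


def shadow_hash(password: str) -> str:
    """Stand-in for the /etc/shadow entry (real systems use salted crypt(3), not bare SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """The two things the system stores for a user with an encrypted home."""

    def __init__(self, password: str):
        self.shadow = shadow_hash(password)
        self.mount_passphrase = secrets.token_bytes(PP_LEN)  # the key that really encrypts the files
        self.wrapped = wrap_passphrase(self.mount_passphrase, password)  # ~/.ecryptfs/wrapped-passphrase

    def login(self, password: str) -> Optional[bytes]:
        """PAM login: password must match shadow AND unwrap the passphrase for the home to mount."""
        if not hmac.compare_digest(shadow_hash(password), self.shadow):
            return None
        return unwrap_passphrase(self.wrapped, password)

    def user_passwd(self, old: str, new: str) -> None:
        """User runs `passwd`: shadow changes and PAM rewraps the passphrase with the new password."""
        if not hmac.compare_digest(shadow_hash(old), self.shadow):
            raise ValueError("current password rejected")
        self.wrapped = rewrap_passphrase(self.wrapped, old, new)
        self.shadow = shadow_hash(new)

    def root_passwd(self, new: str) -> None:
        """root runs `passwd <user>`: only shadow changes; the wrapped passphrase is untouched."""
        self.shadow = shadow_hash(new)


def admin_reset_scenario() -> dict:
    """Play through the question: root resets the password, then the user repairs access."""
    acct = Account("user-original")
    original = acct.mount_passphrase
    acct.root_passwd("root-chosen")
    root_mounts = acct.login("root-chosen") == original  # login passes, but the home cannot mount
    # The user logs in with the root-chosen password, mounts manually with the OLD
    # password (ecryptfs-mount-private) and rewraps with the NEW one.
    acct.wrapped = rewrap_passphrase(acct.wrapped, "user-original", "root-chosen")
    user_repaired = acct.login("root-chosen") == original
    return {"root_can_mount_home": root_mounts, "user_can_repair": user_repaired}


if __name__ == "__main__":
    print(admin_reset_scenario())
```

Running the script prints {'root_can_mount_home': False, 'user_can_repair': True}: the reset password satisfies the shadow check but cannot unwrap the passphrase, and only someone holding the old password can rewrap it, which is exactly the "no" half of the answer. The "yes" half is outside this model: once the home is mounted, root reads the decrypted files regardless of any passphrase.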
Answer (score 9), answered Sep 4 at 12:10, edited Sep 6 at 10:17, by John Hunt:
The only answer: yes. The root user of a system could easily install a keylogger or other software to silently record your passphrase; they then have complete access to all your files, without you knowing, if they so choose.

The root user of a system can do everything on that system. They essentially own all the data associated with it too. UNLESS your data was encrypted on a different system and then brought over and you didn't decrypt it, but I don't think we're talking about that, are we.
Comment:

John Hunt (Sep 4 at 12:11, score 4): They could even modify the encryption software so that it hands over the key, or copies decrypted files to /root or whatever... there's no limit to what they could do.