ecryptfs and login passphrase vs mount passphrase

These are not my words, but I cannot explain it better …

login passphrase

This is the password you will have to enter each time you want to mount the encrypted directory. If you want auto-mounting on login to work, it has to be the same password you use to login to your user account.

mount passphrase

This is used to derive the actual file encryption master key. Thus, you should not enter a custom one unless you know what you are doing - instead press Enter to let it auto-generate a secure random one. It will be encrypted using the login passphrase and stored in this encrypted form in ~/.ecryptfs/wrapped-passphrase. Later it will automatically be decrypted ("unwrapped") again in RAM when needed, so you never have to enter it manually. Make sure this file does not get lost, otherwise you can never access your encrypted folder again! You may want to run ecryptfs-unwrap-passphrase to see the mount passphrase in unencrypted form, write it down on a piece of paper, and keep it in a safe (or similar), so you can use it to recover your encrypted data in case the wrapped-passphrase file is accidentally lost/corrupted or in case you forget the login passphrase.

Source
I got exactly the same problem as you did; I was very confused by the whole process and the significance of all those passphrases. After digging, I found the website that @A.B. referred to, and it helped.

I would add a few things though:

The login passphrase is also called the wrapping passphrase. This last name makes more sense to me because it's the passphrase that wraps and unwraps the mount passphrase. It is sometimes called the login passphrase because, by default, ecryptfs wants to use your user login password as the wrapping passphrase.

IMHO, I find it really impractical and dangerous to have the wrapping passphrase be your login password, because if an intruder finds your login password, then there is no point in having an encrypted directory, because he can decrypt it with the same password.

Seeing what you said, I can only imagine that you have the same opinion:

I thought that the two passphrases were a double protection in case someone cracks my login password, to protect my most private data.

All of that brings us to my final point: there is a simple way (yet not so obvious to someone new to the problem) to choose a wrapping passphrase different from your user login password. When creating your private directory, use the option -w, --wrapping (see the man page for more info):

ecryptfs-setup-private -w

It probably also works on an already existing folder, but I think you also have to use -f to force the update.
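To make the relationship between the two passphrases concrete, here is an added example (not code from either answer, and not ecryptfs's own implementation or on-disk format) that models what both answers describe: a random mount passphrase is the real secret, it is stored only in wrapped form under a wrapping passphrase, changing the wrapping passphrase re-wraps the same mount passphrase, and a copy of the unwrapped mount passphrase written down elsewhere is the only way back in if the wrapped file is lost. The key-derivation parameters, blob layout and function names are assumptions for the illustration; the "cipher" is a one-time keystream from HMAC, chosen so the example runs on the standard library, where a real implementation would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for the demo; ecryptfs uses its own format and settings.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
TAG_LEN = 32          # HMAC-SHA256 tag
MAX_SECRET_LEN = 32   # one HMAC-SHA256 digest of keystream


def generate_mount_passphrase() -> bytes:
    """The 'press Enter' case: a random 128-bit mount passphrase, never typed by the user."""
    return secrets.token_bytes(16)


def _derive_keys(wrapping_passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the wrapping (login) passphrase into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", wrapping_passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def wrap(mount_passphrase: bytes, wrapping_passphrase: str) -> bytes:
    """Produce the analogue of ~/.ecryptfs/wrapped-passphrase: salt || ciphertext || tag."""
    if len(mount_passphrase) > MAX_SECRET_LEN:
        raise ValueError("demo supports secrets up to 32 bytes")
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(wrapping_passphrase, salt)
    # Fresh salt per wrap, so the HMAC output is a single-use keystream.
    keystream = hmac.new(enc_key, salt, "sha256").digest()
    ciphertext = bytes(m ^ k for m, k in zip(mount_passphrase, keystream))
    # Authenticate so a wrong passphrase or a corrupted file is detected, not silently misdecrypted.
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return salt + ciphertext + tag


def unwrap(blob: bytes, wrapping_passphrase: str) -> bytes:
    """Recover the mount passphrase in RAM; raises if the wrapping passphrase or file is bad."""
    if len(blob) < SALT_LEN + TAG_LEN + 1:
        raise ValueError("wrapped-passphrase file is truncated or corrupted")
    salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(wrapping_passphrase, salt)
    expected = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping passphrase or corrupted wrapped-passphrase file")
    keystream = hmac.new(enc_key, salt, "sha256").digest()
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def check_wrapping_passphrase(blob: bytes, wrapping_passphrase: str) -> bool:
    """True if this wrapping passphrase unwraps the blob (what the login hook effectively tests)."""
    try:
        unwrap(blob, wrapping_passphrase)
        return True
    except ValueError:
        return False


def rewrap(blob: bytes, old_wrapping_passphrase: str, new_wrapping_passphrase: str) -> bytes:
    """Change the login/wrapping passphrase: the mount passphrase, and so the data, stay the same."""
    return wrap(unwrap(blob, old_wrapping_passphrase), new_wrapping_passphrase)


def paper_backup(mount_passphrase: bytes) -> str:
    """What ecryptfs-unwrap-passphrase lets you write down: the raw mount passphrase, here as hex."""
    return mount_passphrase.hex()


def recover_from_paper(backup: str) -> bytes:
    """Rebuild the mount passphrase from the paper copy when the wrapped file is gone."""
    return bytes.fromhex(backup)


if __name__ == "__main__":
    mp = generate_mount_passphrase()
    wrapped = wrap(mp, "my-login-password")
    assert unwrap(wrapped, "my-login-password") == mp
    # Same login password, same result: why the second answer prefers a separate wrapping passphrase.
    separate = rewrap(wrapped, "my-login-password", "a-different-wrapping-passphrase")
    assert not check_wrapping_passphrase(separate, "my-login-password")
    print("wrapped:", wrapped.hex())
    print("paper backup:", paper_backup(mp))
```

Two details worth noting in the model: the wrapped blob is useless without the wrapping passphrase, which is the whole point of the second answer's argument for choosing one that differs from the login password; and `rewrap` shows why changing a login password does not re-encrypt any data, only the small wrapped file.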