SSH with authorized_keys to an Ubuntu system with encrypted homedir?

Change this line in your sshd_config file:

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

And then move your authorized_keys file to /etc/ssh/your-username/authorized_keys

This post documents another way to solve this.
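A permission audit for the relocated key file, as an added example that is not part of the original answers: with StrictModes (on by default), sshd rejects a key file if the file or a directory above it is writable by other users or owned by someone other than the user or root. The function names and the optional stop directory are this example's own; it assumes GNU stat and readlink as shipped with Ubuntu, and it handles only the %u, %h and %% tokens.

```sh
#!/bin/sh
# Added example (not from the original answers). Assumes GNU stat/readlink.

# Expand the %u, %h and %% tokens of an AuthorizedKeysFile pattern.
expand_keys_path() {  # usage: expand_keys_path PATTERN USER HOME
    local pattern="$1" user="$2" home="$3" out="" rest
    while :; do
        case $pattern in
            *%*) ;;
            *) out=$out$pattern; break ;;
        esac
        out=$out${pattern%%\%*}   # literal text before the first %
        rest=${pattern#*%}        # token letter and everything after it
        case $rest in
            u*) out=$out$user ;;
            h*) out=$out$home ;;
            %*) out=$out% ;;
            *)  echo "token not handled by this example: %$rest" >&2; return 2 ;;
        esac
        pattern=${rest#?}
    done
    # A relative pattern is taken relative to the user's home directory.
    case $out in /*) ;; *) out=$home/$out ;; esac
    printf '%s\n' "$out"
}

# Walk from the key file up to STOP_DIR (default /). Each component must be
# owned by the user or root and must not be group- or world-writable.
check_keys_path() {  # usage: check_keys_path FILE USER_UID [STOP_DIR]
    local path="$1" uid="$2" stop="${3:-/}" owner mode rc=0
    [ -f "$path" ] || { echo "FAIL $path: not a regular file"; return 1; }
    # Resolve symlinks first, so the real file and directories are checked.
    path=$(readlink -f "$path"); stop=$(readlink -f "$stop")
    while :; do
        owner=$(stat -c %u "$path"); mode=$(stat -c %a "$path")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "FAIL $path: owned by uid $owner"; rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $path: mode $mode is group- or world-writable"; rc=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return $rc
}
```

Run check_keys_path on the expanded path with the account's numeric uid; no output and exit status 0 mean the path passes these checks.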


This solution was inspired by this post. IMHO it is much better than modifying your /etc/ssh/sshd_config since it doesn't require root access at all.

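# Make your public key accessible
# (run while logged in, with the encrypted home mounted)
mkdir -m 700 "/home/.ecryptfs/$USER/.ssh"
echo "$YOUR_PUBLIC_KEY" > "/home/.ecryptfs/$USER/.ssh/authorized_keys"
ln -s "/home/.ecryptfs/$USER/.ssh/authorized_keys" ~/.ssh/authorized_keys

# Unmount the encrypted home; from here on ~ is the unencrypted mount point
ecryptfs-umount-private
chmod 700 "$HOME"
mkdir -m 700 ~/.ssh
ln -s "/home/.ecryptfs/$USER/.ssh/authorized_keys" ~/.ssh/authorized_keys

# Make it auto-mount with first login.
# Note: it can cause problems with automated login.
# This .profile lives in the unencrypted mount point: it mounts the encrypted
# home, changes into it, and then sources the .profile found there.
echo /usr/bin/ecryptfs-mount-private > ~/.profile
echo cd >> ~/.profile
echo source .profile >> ~/.profile
ecryptfs-mount-private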

I just spent some time messing around with this, and the answer is that it's pretty much fundamentally impossible. It is possible to set up passwordless public-key-authenticated logins via ssh, so you don't have to type in your password to log in, but that doesn't get you anywhere, because your home directory is still encrypted.

The simple fact is that your encrypted home directory is encrypted with a password*, so the only way to decrypt it is with that password.

And if you're thinking that in theory it should be possible to use your ssh key to decrypt the mount passphrase upon login, that won't work because your private key is never sent to the server at all.

So basically, if you want encryption, you have to use passwords. Encrypted home directories are incompatible with fingerprint logins for the same reason.


*I know it's more complicated than a single password, but let's keep it simple for now.