Encrypted Home directories + SSH Key Authentication

There is an interesting it-makes-sense-when-you-think-about-it issue with encrypted home directories and SSH key authentication that I recently ran into on Ubuntu (it will affect any distro that uses ecryptfs-encrypted homes). An encrypted home directory isn't mounted until you have logged in successfully, and your ~/.ssh/authorized_keys file lives inside that home directory, so sshd can't read it. Any SSH connection made while your home is unmounted (the first one after a reboot, for example) therefore has to fall back to a password. If you have password authentication turned off, you have locked yourself out.

I found a question on Super User which explains solutions to this issue. My solution follows that answer closely, although I have added a symbolic link to make the key file easier to manage from inside the home directory.

1. Create a .ssh folder in /home (outside of any encrypted home) for the keys to be stored in

sudo mkdir /home/.ssh

2. Move your existing authorized_keys file into that directory, named after your user (replace username with your own username here and in the following steps)

sudo mv ~/.ssh/authorized_keys /home/.ssh/username

3. Create a symbolic link back to that file from the .ssh dir in your home, so the usual path keeps working once the home is mounted

ln -s /home/.ssh/username ~/.ssh/authorized_keys

4. Update the sshd config file so it looks for the authorized_keys file at the new path

sudo vim /etc/ssh/sshd_config

Change the AuthorizedKeysFile line to:

AuthorizedKeysFile      /home/.ssh/%u

%u is expanded to the name of the user logging in. sshd reads this file with the user's own privileges, so /home/.ssh must be traversable and the key file readable by the user (755 and 644 are fine), and to pass sshd's StrictModes check the directory should be owned by root (or the user) and neither it nor the file may be group- or world-writable. If the check fails sshd silently ignores the file and you are back to needing a password. Also make sure no other uncommented AuthorizedKeysFile line remains in the file, since sshd uses the first value it finds.

5. Reboot the computer. This restarts sshd with the new configuration and unmounts your home directory, so the next step starts from the un-decrypted placeholder home.

sudo shutdown -r now

6. Log in to your server again. You should be presented with a minimal, un-decrypted placeholder home directory (this is what sshd and your login shell see before ecryptfs mounts the real one). You will need to create a .profile file in there to get ecryptfs to mount your home directory.

vim ~/.profile

No sudo is needed here: the placeholder directory belongs to you, and a root-owned .profile is a nuisance to edit later.

Add these lines:

ecryptfs-mount-private
cd /home/username

7. Log out and log back in. You should be prompted for your login passphrase after the SSH key authentication has succeeded, and then be presented with your decrypted home directory. If you mistype the passphrase the mount fails and you are left in the placeholder home; just log in again.

You should now be able to log in using SSH keys every time, whether your home directory is currently mounted or not :-)

6 thoughts on “Encrypted Home directories + SSH Key Authentication”

  1. Pingback: Encrypted Home directory not auto mounting | PHP Developer Resource

  2. Pingback: Setting Up My New Home Server | David Xia

  3. Hello!
    Should it work using public key authentication?
    I need to use some scripts that depend on public key authentication.

    Jordan

    • Hi Jordan,

      Unfortunately, you can’t rely on public key auth alone when you have an encrypted home directory, for two reasons:

      1) Your public SSH key is typically stored encrypted in your home directory, which the system cannot decrypt without your password. So there is no way for it to validate the incoming public key without first decrypting your home directory using a password.

      2) Even if you move your SSH key outside your home directory, like I explained above, your SSH keys cannot decrypt your home directory because they don’t know your password.

      That said, there might be a solution involving encrypting your password with your ssh key, but I don’t know if it… Have a look around and ask on http://askubuntu.com/ :)

  4. Hi Stephen,

    thx for your manual. It works like a charm. I just have the problem that my .bashrc is not being parsed any more. So I wanted to add `source ~/.bashrc` at the end of the .profile file. It is not in my home and I could not find it anywhere else. Do you have any idea where it is located?

    Thx & Rgds
    Jens

    • Hi again,

      while writing these lines the solution came to my mind ;-)
      I just did an ecryptfs-umount-private and after that .profile was accessible in my home.

      Thx & Rgds
      Jens
