How to add an escrow key?

Asked by Torsten Spindler

When a company decides to go with encrypted home folders, is there a way to preseed a key for the home folder encryption so that the company's key holder can always access the data on disk?

Solved by: Dustin Kirkland
Dustin Kirkland (kirkland) said (best answer):

No, there's not really a 'preseedable' way of installing a key,
Torsten. (But it wouldn't be hard to add one.)

To do what you want to do, you simply need the system that provisions
machines to run and save the output of the following:
 $ printf "%s" "login passphrase" | ecryptfs-unwrap-passphrase [file] -

Take the output of that, encrypt it with a master passphrase and
escrow it somewhere. Note that that requires the user's initial login
passphrase at system installation. Users can change their login
password (rewrap their mount passphrase) ad nauseam without you
needing to update anything.

FYI, I run a small prototype escrow service at


Torsten Spindler (tspindler) said:

Thanks for the answer, Dustin, that gets me a little bit further. Now I
wonder how I can recover the user's data with help of the unwrapped
passphrase? I tried to specify it as a key file, but I'm not sure if
this should work at all:
 # mount.ecryptfs -o key=openssl:keyfile=/tmp/ecrypt.key /home/crypto/.Private /mnt

I do not completely understand the key option and which values are
legitimate as value.

Dustin Kirkland (kirkland) said:

Have a look at this nifty utility that's new for 11.04 (Natty), but works on any older version of Ubuntu/ecryptfs...


I'll be blogging about it as soon as 11.04 makes it into release candidate, but it should give you *exactly* what you need :-)

Torsten Spindler (tspindler) said:

Thanks a lot for your help, I now went through all the steps for:

1) Created a system with encrypted home, added a user 'crypto'
2) Saved crypto's encryption passphrase via
 $ printf "%s" "login passphrase" | ecryptfs-unwrap-passphrase > /tmp/passphrase.crypto
 Copied passphrase to a secure location
3) Rebooted the system
4) Logged in as superuser
5) Added ppa:tspindler/ecryptfs-utils to get the new tool on Lucid
6) Installed ecryptfs-utils new version
7) Moved crypto's wrapped passphrase out of the way
 mv /home/crypto/.ecryptfs/wrapped-passphrase /home/crypto/.ecryptfs/gone-wrapped-passphrase
8) Used
 # ecryptfs-recover-private /home/crypto/.Private
 and recovered the data with help of the key stored in step 2)

Wishlist item would be to have a --ignore-wrapped-passphrase option for
ecryptfs-recover-private so I don't need to move it.

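The provisioning-side escrow Dustin outlines above and the recovery Torsten walks through, as an added shell example that is not from this thread or from ecryptfs-utils; it assumes ecryptfs-utils and an OpenSSL 1.1.1+ `openssl` binary are installed, and the helper names and the master-passphrase file are mine.

```shell
#!/bin/sh
# Added example (not from the thread): escrow an eCryptfs mount passphrase
# under a master passphrase at provisioning time, and recover it later.
set -eu

# Unwrap the user's mount passphrase with their login passphrase and the
# wrapped-passphrase file eCryptfs keeps under ~/.ecryptfs (needs ecryptfs-utils).
unwrap_mount_passphrase() {            # $1 = login passphrase, $2 = wrapped-passphrase path
    printf "%s" "$1" | ecryptfs-unwrap-passphrase "$2" -
}

# Encrypt a mount passphrase read from stdin under the master passphrase held in
# file $1 (first line) and write it to $2. openssl enc derives the key with
# PBKDF2 and a random salt; the plaintext passphrase never touches disk.
escrow_passphrase() {                  # $1 = master passphrase file, $2 = escrow output file
    umask 077                           # escrow file is created 0600
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -out "$2"
}

# Full provisioning step: unwrap and escrow in one pipeline (hypothetical helper).
escrow_user() {                        # $1 = login passphrase, $2 = wrapped-passphrase, $3 = master file, $4 = out
    unwrap_mount_passphrase "$1" "$2" | escrow_passphrase "$3" "$4"
}

# Recover the escrowed mount passphrase to stdout. This is the value the key
# holder types at the ecryptfs-recover-private prompt; never write it to a log.
recover_passphrase() {                 # $1 = master passphrase file, $2 = escrow file
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2"
}

# Usage at provisioning time (commented out: needs a real wrapped-passphrase):
# escrow_user "login passphrase" /home/crypto/.ecryptfs/wrapped-passphrase /root/master.txt /srv/escrow/crypto.enc
```

Because the mount passphrase is what gets escrowed, the user can rewrap it under a new login password later without the escrow copy going stale.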
Torsten Spindler (tspindler) said:

Thanks Dustin Kirkland, that solved my question.

Dustin Kirkland (kirkland) said:

That's a very reasonable wishlist bug, you're welcome to open that one.

Also, Torsten, ecryptfs-recover-private is a stand-alone shell script,
so you could really just wget that shell script from bzr, if you like,
rather than upgrading all of ecryptfs-utils.