Encrypted home folder still accessible after logout












11















I you have an account with an encrypted home folder, you can't access the user's plain text data in their home folder if that user hasn't logged in, yet, since the system last booted up. This is what I expected because it should in fact not be practically feasible to access a user's home folder without their password being entered.



However, I found that when a user with an encrypted home folder logs in and then logs out, the plain text data in their home folder still is accessible to other users. Sufficient access privileges are required, of course.



w doesn't list the user and the output of sudo pgrep -u <username> is empty, indicating that the user doesn't have any running processes.



What is the reason for this behavior? Why not just lock the user's home folder after they logged out?






16.04 files encryption home-directory privacy







share|improve this question























  • Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

    – David Foerster
    Apr 30 '17 at 14:25













  • The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

    – UTF-8
    Apr 30 '17 at 14:37











  • The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

    – UTF-8
    Apr 30 '17 at 14:44











  • Ok. It was worth a look.

    – David Foerster
    Apr 30 '17 at 14:55











  • I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

    – sudodus
    Jul 6 '17 at 4:31
















11















I you have an account with an encrypted home folder, you can't access the user's plain text data in their home folder if that user hasn't logged in, yet, since the system last booted up. This is what I expected because it should in fact not be practically feasible to access a user's home folder without their password being entered.



However, I found that when a user with an encrypted home folder logs in and then logs out, the plain text data in their home folder still is accessible to other users. Sufficient access privileges are required, of course.



w doesn't list the user and the output of sudo pgrep -u <username> is empty, indicating that the user doesn't have any running processes.



What is the reason for this behavior? Why not just lock the user's home folder after they logged out?






16.04 files encryption home-directory privacy







share|improve this question























  • Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

    – David Foerster
    Apr 30 '17 at 14:25













  • The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

    – UTF-8
    Apr 30 '17 at 14:37











  • The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

    – UTF-8
    Apr 30 '17 at 14:44











  • Ok. It was worth a look.

    – David Foerster
    Apr 30 '17 at 14:55











  • I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

    – sudodus
    Jul 6 '17 at 4:31














11












11








11


4






I you have an account with an encrypted home folder, you can't access the user's plain text data in their home folder if that user hasn't logged in, yet, since the system last booted up. This is what I expected because it should in fact not be practically feasible to access a user's home folder without their password being entered.



However, I found that when a user with an encrypted home folder logs in and then logs out, the plain text data in their home folder still is accessible to other users. Sufficient access privileges are required, of course.



w doesn't list the user and the output of sudo pgrep -u <username> is empty, indicating that the user doesn't have any running processes.



What is the reason for this behavior? Why not just lock the user's home folder after they logged out?






16.04 files encryption home-directory privacy







share|improve this question














I you have an account with an encrypted home folder, you can't access the user's plain text data in their home folder if that user hasn't logged in, yet, since the system last booted up. This is what I expected because it should in fact not be practically feasible to access a user's home folder without their password being entered.



However, I found that when a user with an encrypted home folder logs in and then logs out, the plain text data in their home folder still is accessible to other users. Sufficient access privileges are required, of course.



w doesn't list the user and the output of sudo pgrep -u <username> is empty, indicating that the user doesn't have any running processes.



What is the reason for this behavior? Why not just lock the user's home folder after they logged out?






16.04 files encryption home-directory privacy




16.04 files encryption home-directory privacy






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Apr 30 '17 at 14:16









UTF-8UTF-8

3,63352150




3,63352150













  • Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

    – David Foerster
    Apr 30 '17 at 14:25













  • The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

    – UTF-8
    Apr 30 '17 at 14:37











  • The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

    – UTF-8
    Apr 30 '17 at 14:44











  • Ok. It was worth a look.

    – David Foerster
    Apr 30 '17 at 14:55











  • I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

    – sudodus
    Jul 6 '17 at 4:31



















  • Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

    – David Foerster
    Apr 30 '17 at 14:25













  • The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

    – UTF-8
    Apr 30 '17 at 14:37











  • The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

    – UTF-8
    Apr 30 '17 at 14:44











  • Ok. It was worth a look.

    – David Foerster
    Apr 30 '17 at 14:55











  • I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

    – sudodus
    Jul 6 '17 at 4:31

















Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

– David Foerster
Apr 30 '17 at 14:25







Could you please include the output of grep -Fe ecryptfs /var/log/auth.log from around the time the user logged out?

– David Foerster
Apr 30 '17 at 14:25















The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

– UTF-8
Apr 30 '17 at 14:37





The command yields this output: pastebin.com/jZXdahbJ According to Emacs, the only lines which contain the string "ecryptfs" are the lines which were produced when I ran that command.

– UTF-8
Apr 30 '17 at 14:37













The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

– UTF-8
Apr 30 '17 at 14:44





The result is as expected just the lines which Emacs already showed me: pastebin.com/VtV7iCDg

– UTF-8
Apr 30 '17 at 14:44













Ok. It was worth a look.

– David Foerster
Apr 30 '17 at 14:55





Ok. It was worth a look.

– David Foerster
Apr 30 '17 at 14:55













I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

– sudodus
Jul 6 '17 at 4:31





I have noticed this bug in persistent live systems too (in an attempt to create a second user with encrypted home).

– sudodus
Jul 6 '17 at 4:31










5 Answers
5






active

oldest

votes


















4





+50









Known bug



If I understand correctly, this is a known bug.



See this link: wiki.archlinux.org/index.php/ECryptfs



Scroll down to the pink paragraph




Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...




Work-around



As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).






share|improve this answer


























  • What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

    – UTF-8
    Jul 9 '17 at 13:55






  • 1





    Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

    – sudodus
    Jul 9 '17 at 15:04





















2














I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.



Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...




  • a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)

  • unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)

  • if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.


One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.



Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.






share|improve this answer
























  • I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

    – UTF-8
    Jul 3 '17 at 21:09











  • The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

    – krs013
    Jul 6 '17 at 18:21



















2














Edit /etc/systemd/logind.conf and set KillUserProcesses=yes



Note that this breaks background programs, screen, tmux, and similar...



This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).



https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work






share|improve this answer


























  • I will check if your method works for a persistent live system with a second user, which has encrypted home.

    – sudodus
    Jul 6 '17 at 4:33











  • Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

    – sudodus
    Jul 6 '17 at 11:23













  • I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

    – UTF-8
    Jul 6 '17 at 12:49











  • @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

    – sudodus
    Jul 6 '17 at 14:48













  • @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

    – quadruplebucky
    Jul 6 '17 at 18:55



















1














I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.



I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.



I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g., 




   /etc/pam.d/common-auth:

              auth    required        pam_ecryptfs.so unwrap

   /etc/pam.d/common-session:

              session optional        pam_ecryptfs.so unwrap



So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)



This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).



I am interested in others experience.



edit_1: improved wording. edit_2: added desktop and VB test results.






share|improve this answer


























  • Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

    – Xen2050
    Oct 2 '18 at 7:13











  • This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

    – evencoil
    Oct 14 '18 at 19:45











  • @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

    – redrock
    Jan 3 at 21:47











  • The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

    – Xen2050
    Jan 4 at 4:00






  • 1





    @Xen2050, I did the test of changing password. it worked.

    – redrock
    Jan 4 at 8:16



















1














I do it with a script in rclocal



#!/bin/sh

#



while true; do

    if [ ! -d /run/user/1000 ]; then

        if [ -f /home/momo/.mounted ]; then

            umount /home/harry

        fi      

    fi



    if [ ! -d /run/user/1001 ]; then

        if [ -f /home/vm/.mounted ]; then

            umount /home/maud

        fi

    fi



    sleep 10

done

exit 0





share|improve this answer

























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f910484%2fencrypted-home-folder-still-accessible-after-logout%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    4





    +50









    Known bug



    If I understand correctly, this is a known bug.



    See this link: wiki.archlinux.org/index.php/ECryptfs



    Scroll down to the pink paragraph




    Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...




    Work-around



    As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).






    share|improve this answer


























    • What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

      – UTF-8
      Jul 9 '17 at 13:55






    • 1





      Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

      – sudodus
      Jul 9 '17 at 15:04


















    4





    +50









    Known bug



    If I understand correctly, this is a known bug.



    See this link: wiki.archlinux.org/index.php/ECryptfs



    Scroll down to the pink paragraph




    Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...




    Work-around



    As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).






    share|improve this answer


























    • What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

      – UTF-8
      Jul 9 '17 at 13:55






    • 1





      Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

      – sudodus
      Jul 9 '17 at 15:04
















    4





    +50







    4





    +50



    4




    +50





    Known bug



    If I understand correctly, this is a known bug.



    See this link: wiki.archlinux.org/index.php/ECryptfs



    Scroll down to the pink paragraph




    Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...




    Work-around



    As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).






    share|improve this answer















    Known bug



    If I understand correctly, this is a known bug.



    See this link: wiki.archlinux.org/index.php/ECryptfs



    Scroll down to the pink paragraph




    Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed against it ...




    Work-around



    As it is now, you had better shut down or reboot in order to remove the traces (It is not enough to log out).







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Jul 9 '17 at 15:07

























    answered Jul 6 '17 at 15:14









    sudodussudodus

    23.2k32874




    23.2k32874













    • What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

      – UTF-8
      Jul 9 '17 at 13:55






    • 1





      Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

      – sudodus
      Jul 9 '17 at 15:04





















    • What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

      – UTF-8
      Jul 9 '17 at 13:55






    • 1





      Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

      – sudodus
      Jul 9 '17 at 15:04



















    What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

    – UTF-8
    Jul 9 '17 at 13:55





    What do you mean by "logout will leak the information between the users"? Do you mean that anything happens, other than that a different user with sufficient privileges can access the plain text data in the first user's home directory? (This is already possible before the logout, of course.)

    – UTF-8
    Jul 9 '17 at 13:55




    1




    1





    Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

    – sudodus
    Jul 9 '17 at 15:04







    Trying to explain better: 'It is not enough to log out'. (Logout does not remove the clear-text instances of the files, that have been used by the user with encrypted home. So information can leak from this user to another user, who logs in, at least if this other user has sudo privileges. But if you shut down or reboot, the clear-text instances of the files disappear.

    – sudodus
    Jul 9 '17 at 15:04















    2














    I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.



    Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...




    • a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)

    • unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)

    • if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.


    One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.



    Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.






    share|improve this answer
























    • I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

      – UTF-8
      Jul 3 '17 at 21:09











    • The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

      – krs013
      Jul 6 '17 at 18:21
















    2














    I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.



    Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...




    • a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)

    • unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)

    • if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.


    One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.



    Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.






    share|improve this answer
























    • I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

      – UTF-8
      Jul 3 '17 at 21:09











    • The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

      – krs013
      Jul 6 '17 at 18:21














    2












    2








    2







    I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.



    Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...




    • a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)

    • unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)

    • if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.


    One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.



    Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.






    share|improve this answer













    I can't test or confirm this, but assuming that you are using ecryptfs (which is what Ubuntu offers during install, IIRC), the encrypted data is stored in a hidden folder /home/.encryptfs/$USER and mounted to your actual home folder's location using the ecryptfs driver when you log in.



    Most likely, then, what is happening is that when you log out, it fails to automatically unmount that directory, so the files are still accessible. This could be caused by...




    • a bad config (perhaps it was supposed to be configured to unmount on logout but wasn't)

    • unexpected logout type (sometimes these solutions work for the DM login/out but don't work well otherwise)

    • if the unmounting is handled by a logout script (not necessarily the case), something preceding the unmount command could fail and cause the script to exit early.


    One thing that can help you check this would be to run sudo mount | grep home before login, after login, and after logout to see if anything involving home is being mounted. You could also look in /etc/fstab for relevant entries. Finally, there is some config in /home/.ecryptfs/$USER/.ecryptfs/ with pertinent settings to automounting/unmounting.



    Useful information about ecryptfs can be found in this answer and in the ever-helpful ArchWiki.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Jul 2 '17 at 18:55









    krs013krs013

    1214




    1214













    • I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

      – UTF-8
      Jul 3 '17 at 21:09











    • The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

      – krs013
      Jul 6 '17 at 18:21



















    • I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

      – UTF-8
      Jul 3 '17 at 21:09











    • The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

      – krs013
      Jul 6 '17 at 18:21

















    I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

    – UTF-8
    Jul 3 '17 at 21:09





    I tried what you told me: pastebin.com/DrmEXQPV I don't log out in any weird way but in the standard GUI way. The FS is still mounted, as you can see. The config files you mentioned are empty. There is nothing in my /etc/fstab except 1 entry saying that my only data partition should be mounted to / and 1 entry which is about some university-related network resource. Should I try logging out in any different way? If so: How?

    – UTF-8
    Jul 3 '17 at 21:09













    The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

    – krs013
    Jul 6 '17 at 18:21





    The logging out in a different way comment was a bit of a guess--desktop managers add a lot on top of logging in and logging out that complicates the notion and makes it hard to tell which events are triggered. I was wondering because there may have been some script or event that wasn't being run. Based on the other answers, it's not that kind of problem, but something to do with ecryptfs itself. On that note, though, do you use ssh or log in via the text terminals? It may be possible to write a script that will take care of unmounting on logout if we find where to put it.

    – krs013
    Jul 6 '17 at 18:21











    2














    Edit /etc/systemd/logind.conf and set KillUserProcesses=yes



    Note that this breaks background programs, screen, tmux, and similar...



    This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).



    https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work






    share|improve this answer


























    • I will check if your method works for a persistent live system with a second user, which has encrypted home.

      – sudodus
      Jul 6 '17 at 4:33











    • Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

      – sudodus
      Jul 6 '17 at 11:23













    • I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

      – UTF-8
      Jul 6 '17 at 12:49











    • @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

      – sudodus
      Jul 6 '17 at 14:48













    • @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

      – quadruplebucky
      Jul 6 '17 at 18:55
















    2














    Edit /etc/systemd/logind.conf and set KillUserProcesses=yes



    Note that this breaks background programs, screen, tmux, and similar...



    This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).



    https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work






    share|improve this answer


























    • I will check if your method works for a persistent live system with a second user, which has encrypted home.

      – sudodus
      Jul 6 '17 at 4:33











    • Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

      – sudodus
      Jul 6 '17 at 11:23













    • I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

      – UTF-8
      Jul 6 '17 at 12:49











    • @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

      – sudodus
      Jul 6 '17 at 14:48













    • @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

      – quadruplebucky
      Jul 6 '17 at 18:55














    2












    2








    2







    Edit /etc/systemd/logind.conf and set KillUserProcesses=yes



    Note that this breaks background programs, screen, tmux, and similar...



    This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).



    https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work






    share|improve this answer















    Edit /etc/systemd/logind.conf and set KillUserProcesses=yes



    Note that this breaks background programs, screen, tmux, and similar...



    This question here goes into it in more detail. I find defining a new systemd service unnecessary (or more accurately, not the desired behavior, as it's invoked as a shutdown hook, not when the user session terminates).



    https://unix.stackexchange.com/questions/251902/ecryptfs-auto-umount-does-not-work







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Jul 6 '17 at 20:23

























    answered Jul 6 '17 at 3:47









    quadruplebuckyquadruplebucky

    1213




    1213













    • I will check if your method works for a persistent live system with a second user, which has encrypted home.

      – sudodus
      Jul 6 '17 at 4:33











    • Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

      – sudodus
      Jul 6 '17 at 11:23













    • I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

      – UTF-8
      Jul 6 '17 at 12:49











    • @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

      – sudodus
      Jul 6 '17 at 14:48













    • @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

      – quadruplebucky
      Jul 6 '17 at 18:55



















    • I will check if your method works for a persistent live system with a second user, which has encrypted home.

      – sudodus
      Jul 6 '17 at 4:33











    • Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

      – sudodus
      Jul 6 '17 at 11:23













    • I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

      – UTF-8
      Jul 6 '17 at 12:49











    • @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

      – sudodus
      Jul 6 '17 at 14:48













    • @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

      – quadruplebucky
      Jul 6 '17 at 18:55

















    I will check if your method works for a persistent live system with a second user, which has encrypted home.

    – sudodus
    Jul 6 '17 at 4:33





    I will check if your method works for a persistent live system with a second user, which has encrypted home.

    – sudodus
    Jul 6 '17 at 4:33













    Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

    – sudodus
    Jul 6 '17 at 11:23







    Sorry, but I could not make this method work in a persistent live system with a second user, which has encrypted home. (I have not tested your solution in an installed system, I will leave that to @UTF-8 who asked the original question.)

    – sudodus
    Jul 6 '17 at 11:23















    I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

    – UTF-8
    Jul 6 '17 at 12:49





    I'm not interested in fixing this on my own computer. I'm the only one who uses it anyways but want to use 2 accounts with encrypted home folders and no one else knows the password to either account. I'm interested in why it doesn't unmount the encrypted volumes automatically by default. Couldn't it just check for active background processes running in the user's context and unmount it if there aren't any?

    – UTF-8
    Jul 6 '17 at 12:49













    @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

    – sudodus
    Jul 6 '17 at 14:48







    @UTF-8, I agree with you, that it should work like you want it to work. If I understand correctly, this is a known bug. See this link , wiki.archlinux.org/index.php/ECryptfs . Scroll down to the pink paragraph 'Warning: Unfortunately the automatic unmounting is susceptible to break with systemd and bugs are filed'. -- As it is now, you had better shut down or reboot in order to remove the traces (logout will leak the information between the users.)

    – sudodus
    Jul 6 '17 at 14:48















    @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

    – quadruplebucky
    Jul 6 '17 at 18:55





    @UTF-8 it's a bug in systemd/session interaction since at least wheezy (I'm perfectly comfortable just hanging it on systemd) - the /etc/systemd/logind.conf change works for me on 16.04 (tested with three different users, different sessions, etc...)

    – quadruplebucky
    Jul 6 '17 at 18:55











    1














    I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.



    I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.



    I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g., 




       /etc/pam.d/common-auth:
    
              auth    required        pam_ecryptfs.so unwrap
    
   /etc/pam.d/common-session:
    
              session optional        pam_ecryptfs.so unwrap



    So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)



    This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).



    I am interested in others experience.



    edit_1: improved wording. edit_2: added desktop and VB test results.






    share|improve this answer


























    • Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

      – Xen2050
      Oct 2 '18 at 7:13











    • This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

      – evencoil
      Oct 14 '18 at 19:45











    • @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

      – redrock
      Jan 3 at 21:47











    • The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

      – Xen2050
      Jan 4 at 4:00






    • 1





      @Xen2050, I did the test of changing password. it worked.

      – redrock
      Jan 4 at 8:16
















    1














    I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.



    I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.



    I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g., 




       /etc/pam.d/common-auth:
    
              auth    required        pam_ecryptfs.so unwrap
    
   /etc/pam.d/common-session:
    
              session optional        pam_ecryptfs.so unwrap



    So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)



    This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).



    I am interested in others experience.



    edit_1: improved wording. edit_2: added desktop and VB test results.






    share|improve this answer


























    • Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

      – Xen2050
      Oct 2 '18 at 7:13











    • This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

      – evencoil
      Oct 14 '18 at 19:45











    • @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

      – redrock
      Jan 3 at 21:47











    • The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

      – Xen2050
      Jan 4 at 4:00






    • 1





      @Xen2050, I did the test of changing password. it worked.

      – redrock
      Jan 4 at 8:16














    1












    1








    1







    I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.



    I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.



    I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g., 




       /etc/pam.d/common-auth:
    
              auth    required        pam_ecryptfs.so unwrap
    
   /etc/pam.d/common-session:
    
              session optional        pam_ecryptfs.so unwrap



    So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)



    This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).



    I am interested in others experience.



    edit_1: improved wording. edit_2: added desktop and VB test results.






    share|improve this answer















    I have been researching this issue for quite some time, i.e., unecrypted file system remains mounted after user logout.



    I used "ecryptfs-migrate-home -u user" to create mount. followed directions and all works except no auto-unmount at logout.



    I compared the config files in /etc/pam.d/ to pam_ecryptfs documentation and found the some differences. ecryptfs was in 4 of the pam.d config files whereas the pam_ecryptfs docs indicate just 2 files need/should/support ecryptfs, e.g., 




       /etc/pam.d/common-auth:
    
              auth    required        pam_ecryptfs.so unwrap
    
   /etc/pam.d/common-session:
    
              session optional        pam_ecryptfs.so unwrap



    So, I commented out the other 2 instances, rebooted, and it all worked, auto-mounts at login and auto-unmounts on logout for both graphical and console logins. (I used alternate tty's to verify from root account)



    This is on 18.04 Lubuntu on laptop, desktop and virtualbox guest (windows host).



    I am interested in others experience.



    edit_1: improved wording. edit_2: added desktop and VB test results.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Jul 9 '18 at 5:46

























    answered Jul 7 '18 at 4:46









    redrockredrock

    112




    112













    • Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

      – Xen2050
      Oct 2 '18 at 7:13











    • This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

      – evencoil
      Oct 14 '18 at 19:45











    • @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

      – redrock
      Jan 3 at 21:47











    • The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

      – Xen2050
      Jan 4 at 4:00






    • 1





      @Xen2050, I did the test of changing password. it worked.

      – redrock
      Jan 4 at 8:16



















    • Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

      – Xen2050
      Oct 2 '18 at 7:13











    • This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

      – evencoil
      Oct 14 '18 at 19:45











    • @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

      – redrock
      Jan 3 at 21:47











    • The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

      – Xen2050
      Jan 4 at 4:00






    • 1





      @Xen2050, I did the test of changing password. it worked.

      – redrock
      Jan 4 at 8:16

















    Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

    – Xen2050
    Oct 2 '18 at 7:13





    Did disabling / commenting out any of those lines cause any problems? Does changing your password still re-wrap the eCryptfs keyfile?

    – Xen2050
    Oct 2 '18 at 7:13













    This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

    – evencoil
    Oct 14 '18 at 19:45





    This worked for me on Linux Mint 19. To add some more detail for others: the four config files in /etc/pam.d that refer to ecryptfs are: common-auth, common-password, common-session, common-session-noninteractive. Commenting out the lines in common-password and common-session-noninteractive led to the desired behavior of unmounting on log out. Also, the entry in common-auth was set to "optional" instead of "required" as it is supposed to be according to the documentation. However, I left this as is.

    – evencoil
    Oct 14 '18 at 19:45













    @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

    – redrock
    Jan 3 at 21:47





    @Xen2050, sorry for late response. I did not detect any problems after changes commenting out lines and I have not tried changing password as yet.

    – redrock
    Jan 3 at 21:47













    The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

    – Xen2050
    Jan 4 at 4:00





    The changing password might be important to test, it should re-wrap the encryption key with your new password automatically, so logging in the next time works. If it doesn't work, then just changing the password back to the previous one should work... [it's always good to have a backup though]

    – Xen2050
    Jan 4 at 4:00




    1




    1





    @Xen2050, I did the test of changing password. it worked.

    – redrock
    Jan 4 at 8:16





    @Xen2050, I did the test of changing password. it worked.

    – redrock
    Jan 4 at 8:16











    1














    I do it with a script in rclocal



    #!/bin/sh
    
#
    

    
while true; do
    
    if [ ! -d /run/user/1000 ]; then
    
        if [ -f /home/momo/.mounted ]; then
    
            umount /home/harry
    
        fi      
    
    fi
    

    
    if [ ! -d /run/user/1001 ]; then
    
        if [ -f /home/vm/.mounted ]; then
    
            umount /home/maud
    
        fi
    
    fi
    

    
    sleep 10
    
done
    
exit 0





    share|improve this answer






























      1














      I do it with a script in rclocal



      #!/bin/sh
      
#
      

      
while true; do
      
    if [ ! -d /run/user/1000 ]; then
      
        if [ -f /home/momo/.mounted ]; then
      
            umount /home/harry
      
        fi      
      
    fi
      

      
    if [ ! -d /run/user/1001 ]; then
      
        if [ -f /home/vm/.mounted ]; then
      
            umount /home/maud
      
        fi
      
    fi
      

      
    sleep 10
      
done
      
exit 0





      share|improve this answer




























        1












        1








        1







        I do it with a script in rclocal



        #!/bin/sh
        
#
        

        
while true; do
        
    if [ ! -d /run/user/1000 ]; then
        
        if [ -f /home/momo/.mounted ]; then
        
            umount /home/harry
        
        fi      
        
    fi
        

        
    if [ ! -d /run/user/1001 ]; then
        
        if [ -f /home/vm/.mounted ]; then
        
            umount /home/maud
        
        fi
        
    fi
        

        
    sleep 10
        
done
        
exit 0





        share|improve this answer















        I do it with a script in rclocal



        #!/bin/sh
        
#
        

        
while true; do
        
    if [ ! -d /run/user/1000 ]; then
        
        if [ -f /home/momo/.mounted ]; then
        
            umount /home/harry
        
        fi      
        
    fi
        

        
    if [ ! -d /run/user/1001 ]; then
        
        if [ -f /home/vm/.mounted ]; then
        
            umount /home/maud
        
        fi
        
    fi
        

        
    sleep 10
        
done
        
exit 0






        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Jan 3 at 10:26









        PerlDuck

        5,63911332




        5,63911332










        answered Jan 3 at 10:18









        walter wunschwalter wunsch

        111




        111






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f910484%2fencrypted-home-folder-still-accessible-after-logout%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Human spaceflight

            Image
            Human spaceflight From Wikipedia, the free encyclopedia Jump to navigation Jump to search "Space traveler" redirects here. For other uses, see Space traveler (disambiguation). @media all and (max-width:720px){.mw-parser-output .tmulti>.thumbinner{width:100%!important;max-width:none!important}.mw-parser-output .tmulti .tsingle{float:none!important;max-width:none!important;width:100%!important;text-align:center}} Apollo 11 crewmember Buzz Aldrin on the Moon, 1969 International Space Station crewmember Tracy Caldwell Dyson views the Earth, 2010 Space Shuttle Discovery heads into space with a crew aboard, STS-121 in 2006 Inside a space suit on the Canadarm, 1993 Human spaceflight (also referred to as crewed spaceflight or manned spaceflight ) is space travel with a crew or passengers aboard the spacecraft. Spacecraft carrying people may be operated directly, by human crew, or it may be e
            Read more

            Can not write log (Is /dev/pts mounted?) - openpty in Ubuntu-on-Windows?

            Image
            0 1 What exactly does the error message beginning with E: mean? I assume it has to do with the file structure on Ubuntu-on-Windows, but what exactly? The following package was automatically installed and is no longer required: os-prober Use 'apt-get autoremove' to remove it. The following extra packages will be installed: libxslt1.1 The following NEW packages will be installed: libxslt1.1 xmlstarlet 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 435 kB of archives. After this operation, 1023 kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main libxslt1.1 amd64 1.1.28-2build1 [145 kB] Get:2 http://archive.ubuntu.com/ubuntu/ trusty/universe xmlstarlet amd64 1.5.0-1 [290 kB]
            Read more

            File:DeusFollowingSea.jpg

            Image
            File:DeusFollowingSea.jpg From Wikipedia, the free encyclopedia Jump to navigation Jump to search File File history File usage No higher resolution available. DeusFollowingSea.jpg ‎ (238 × 211 pixels, file size: 12 KB, MIME type: image/jpeg ) Summary [ edit ] Media data and Non-free use rationale Description Cover art of the Deus CD Following Sea Author or copyright owner Deus Source (WP:NFCC#4) rocksucker.co.uk Date of publication 2012 Use in article (WP:NFCC#7) Following Sea Purpose of use in article (WP:NFCC#8) to serve as the primary means of visual identification at the top of the article dedicated to the work in question. Not replaceable with free media because (WP:NFCC#1) n.a. Minimal use (WP:NFCC#3) Low res image used in infobox of the article on the album Respect for commercial opportunities (WP:NFCC#2) n.a. Fair use Fair use of co
            Read more