Glider

Jan Varho

Using ssh with an Encrypted Home in Ubuntu

  • ssh
  • Ubuntu
  • encryption
  • encrypted home
  • filesystem

The encrypted home directory feature of Ubuntu is especially useful on laptops: if one is lost, the owner probably doesn't want others to have access to the data. Unfortunately it messes up ssh access with public keys.

Key authentication is a very useful feature of ssh that I use all the time. It lets me avoid constantly typing in passwords and is more secure than password authentication. It works by storing authorized public keys (by default) in ~/.ssh/authorized_keys, which of course gets encrypted with the rest of the home directory. Therefore one can only log in using ssh if a local session already exists and has mounted the encrypted directory.

The easiest way to avoid this is to set up ssh access as usual, with the keyfile inside the encrypted home, then copy the file over to the unencrypted directory that the encrypted home is mounted on top of. Thereafter ssh logins are possible with or without other open sessions. (Just remember to update both files if they need changes.)

To copy the file one needs to log out of any graphical sessions and have an open command line, either through ssh or at a local prompt (e.g. using Ctrl+Alt+F1). The keyfile can then be copied outside the home:

cp ~/.ssh/authorized_keys /tmp/

The encrypted home can be unmounted (but there should be no programs running that need it):

umount.ecryptfs_private && cd

The latter command moves to the mostly empty directory that holds the encrypted filesystem. The directory was write-protected on my system, so writes need to be enabled next:

chmod +w ~

With that out of the way, the .ssh subdirectory can be created and the keyfile can be copied over:

mkdir .ssh
chmod 700 .ssh
mv /tmp/authorized_keys .ssh/

Now the encrypted filesystem can be remounted - though a log out + log in would also do the trick:

mount.ecryptfs_private && cd
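
sshd's StrictModes option (on by default) ignores authorized_keys when the home directory, .ssh or the keyfile is writable by group or others, and `chmod +w` with no "who" sets every write bit the umask allows. The check below is an added example, not part of the original post; the function name check_ssh_perms is hypothetical, and it approximates sshd's test for the three paths used above.

```sh
#!/bin/sh
# Added example: approximate sshd's StrictModes test for one home directory.
# check_ssh_perms HOME_DIR returns 0 if the directory, its .ssh subdirectory
# and the keyfile all look acceptable, 1 otherwise. One line is printed per
# problem found. Run it as the account owner.

check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        # sshd accepts paths owned by the account or by root; this
        # simplified check only tests ownership by the invoking user.
        [ -O "$p" ] || { echo "not owned by $(id -un): $p"; rc=1; }
        # Any group- or world-write bit makes sshd skip the keyfile.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $p"
            rc=1
        fi
    done
    return "$rc"
}

# Intended use: after the mv step and before remounting, while the
# unencrypted directory is still visible:
#   check_ssh_perms "$HOME" || chmod go-w "$HOME"
```

The underlying directory is hidden again once the encrypted home is remounted, so the check only sees the unencrypted copy while the home is unmounted.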