There is an interesting, it-makes-sense-when-you-think-about-it issue with encrypted home directories and SSH key authentication that I recently discovered in Ubuntu (though it will affect any distro that uses them). Since an encrypted home directory isn't decrypted until the login is successful, and your SSH keys are stored in your home directory, the first SSH connection you make will require a password. If you have password authentication turned off, you'll have big issues.
I found a question on Super User which explains solutions to this issue. My solution follows that answer closely, although I have added a symbolic link to make it easier to manage.
1. Create a .ssh folder in /home where the keys will be stored
sudo mkdir /home/.ssh
2. Move the existing authorized_keys file into the new .ssh dir, named after the user (username)
sudo mv ~/.ssh/authorized_keys /home/.ssh/username
3. Create a symbolic link to the authorized_keys file in the user's .ssh dir
ln -s /home/.ssh/username ~/.ssh/authorized_keys
4. Update the sshd config file to set the new path for the authorized_keys file
sudo vim /etc/ssh/sshd_config
Change the AuthorizedKeysFile line to:
AuthorizedKeysFile /home/.ssh/%u
5. Reboot the computer
sudo shutdown -r now
6. Log in to your server and you should be presented with a minimal, still-encrypted home directory. You will need to create and edit a .profile file there to get ecryptfs to mount your home directory.
sudo vim ~/.profile
Add these lines:
7. Log out (or restart) and go back in again. You should be prompted for your password after SSH key auth, and then be presented with your decrypted home directory.
You should now be able to log in using SSH keys every time, whether or not your home dir is decrypted 🙂
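As an added example that is not part of the original post or the Super User answer: a shell script that lays out the per-user variant suggested in the replies below (/home/.ssh/%u/authorized_keys) with the ownership and modes sshd's StrictModes checks, and then re-checks them, so StrictModes can stay enabled instead of being switched off. The function names (setup_keydir, check_strict_modes, sshd_config_line) are mine; it assumes Linux (GNU stat) and root when base is /home.

```shell
#!/bin/sh
# Added example, not from the original post. Sets up the per-user layout
# suggested in the comments, <base>/.ssh/<user>/authorized_keys, with the
# ownership and modes sshd's StrictModes requires, then verifies them so the
# check never has to be switched off. Assumes Linux (GNU stat); run as root
# with base=/home, or point base at a scratch directory to try it out.
set -eu

# Create <base>/.ssh/<user>/authorized_keys from an existing key file (or empty
# if none), owned by the user, dir 700 and file 600; <base>/.ssh stays 755.
setup_keydir() {
    base=$1; user=$2; src=${3:-}
    mkdir -p "$base/.ssh/$user"
    chmod 755 "$base/.ssh"
    chmod 700 "$base/.ssh/$user"
    if [ -n "$src" ] && [ -f "$src" ]; then
        mv "$src" "$base/.ssh/$user/authorized_keys"
    else
        : > "$base/.ssh/$user/authorized_keys"
    fi
    chmod 600 "$base/.ssh/$user/authorized_keys"
    if id "$user" >/dev/null 2>&1; then chown -R "$user" "$base/.ssh/$user"; fi
}

# Mirror what StrictModes checks: the key file and every directory above it
# up to <base> must be owned by root or the user and not group/world-writable.
check_strict_modes() {
    base=$1; user=$2
    path="$base/.ssh/$user/authorized_keys"
    while :; do
        mode=$(stat -c %a "$path"); owner=$(stat -c %U "$path")
        if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
            echo "StrictModes would reject $path: owned by $owner" >&2; return 1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then   # 022 = group+other write bits
            echo "StrictModes would reject $path: mode $mode" >&2; return 1
        fi
        if [ "$path" = "$base" ] || [ "$path" = / ]; then return 0; fi
        path=$(dirname "$path")
    done
}

# The sshd_config line that goes with this layout (%u expands to the user).
sshd_config_line() {
    printf 'AuthorizedKeysFile %s/.ssh/%%u/authorized_keys\n' "$1"
}
```

Running it against /home as root reproduces the layout from the replies; pointing base at a throwaway directory lets you see check_strict_modes reject a group-writable directory before touching the real one.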
3 replies on “Encrypted Home directories + SSH Key Authentication”
how can this possibly work? sshd will not allow the /home/.ssh directory to operate because it objects to the permissions of /
@jp (or whomever will come across this).
You can set StrictModes no.
Instead of /home/.ssh/%u, use /home/.ssh/%u/authorized_keys and:
chmod 700 /home/.ssh/%u
chmod 600 /home/.ssh/%u/authorized_keys
there is an error, “ecryptfs-mount-private” should not end with “cd” just