How do I get Xwindows to work when I am using an encrypted Drive?

My friend Mike Jansen pinged me this afternoon with an interesting problem.  

Here is the background:

He has set up a Linux VM and needs to get to it remotely from his PC running Windows.  He has Xming (a great free XWindows server for Windows) and connects to the machine over SSH.  He decided he would take security to the next level and encrypted his personal directory.  The interesting fact is that when you do this on Ubuntu, your home directory isn't decrypted or mounted until you actually log in.  Why is that a problem?  As part of the login process, SSH puts the magic cookie XWindows needs to start into your /home/<UserID>/.Xauthority file.  The next thing that happens is that your encrypted directory is decrypted and mounted on /home/<UserID>/, which hides that /home/<UserID>/.Xauthority under the mount.  At that point X breaks and you can't run XWindows programs, unless you do something like what Mike pieced together.  What Mike has below should work system-wide for all users.  As with all scripts, you should test this out on a non-production system first.

Here is what he gave back to me to post for everyone:

So I got my issue with encrypted home and ssh/xauth figured out. The solution is actually simple once it's figured out :)

The basic idea for xauth transfer was from


The idea for this came from the man page for SSH. 

I got rid of ~/.ssh/rc and put this in /etc/ssh/sshrc:

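if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ "`echo $DISPLAY | cut -c1-10`" = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | xauth -q -
fi
# Save the cookie outside the (not yet mounted) encrypted home so it survives the mount
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
# Create the file owner-only from the start; it holds the X11 cookie
(umask 077; xauth list > "$MYXAUTH")
chmod go-r "$MYXAUTH"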

Mount encrypted home

The ideas behind this section came from this page

In /etc/profile, I mount encrypted home (if it's not already mounted):

if test -e "$HOME/.ecryptfs/auto-mount"; then
    mount | grep "$HOME type ecryptfs"
    if test $? != 0; then
        ecryptfs-mount-private  # assumed: the mount command is missing from the original post
    fi
fi


I got rid of ~/.bash_login and put this in /etc/bash.bashrc:

# Load xauth information from pre-encrypt mounting ssh initialization
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
if [ -e "$MYXAUTH" ]; then
    xauth add `cat "$MYXAUTH"`
fi

Sample SSH LOGIN after Implementation

Here's what my ssh login looks like now (I have a bunch of outputs to understand the flow and make sure my real and effective uid's are what I expect):

Using username "mike-jansen".
Authenticating with public key "REALLY_COOL_DEV_SERVER" from agent
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic-pae i686)

* Documentation:

56 packages can be updated.
29 updates are security updates.

Last login: Thu Sep 22 15:48:24 2011 from
------ BEGIN /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ BEGIN /etc/profile Real [mike-jansen] Effective [mike-jansen]
Enter your login passphrase:
Inserted auth tok with sig [c46ead8832a353d7] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/mike-jansen

------ BEGIN /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.profile Real [mike-jansen] Effective [mike-jansen]




*For those who don't know, ~ is a shortcut to the current user's home directory as recorded in the user repository for the system.
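
An added example, not part of Mike's scripts or the original post: a stricter form of the /etc/bash.bashrc restore step. Because the saved cookie file sits outside the encrypted home, it checks the file's owner and permissions before loading it, and it validates each saved `xauth list` line separately so a file with several entries still loads. The function names are hypothetical, and accepting only MIT-MAGIC-COOKIE-1 entries is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Succeed only if FILE is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
cookie_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # ls mode string looks like "-rw-------"; characters 5-10 are group/other.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Turn saved `xauth list` output into "add" commands for `xauth -q -`.
# Each line is checked on its own, so a file with several entries works and
# malformed lines are dropped instead of being passed to xauth.
xauth_add_lines() {
    while read -r disp proto key extra || [ -n "$disp" ]; do
        # Require exactly three fields: display, protocol, hex key.
        [ -n "$key" ] && [ -z "$extra" ] || continue
        # Assumption: only MIT-MAGIC-COOKIE-1 entries are expected here.
        [ "$proto" = "MIT-MAGIC-COOKIE-1" ] || continue
        # The key must be hexadecimal digits only.
        case $key in *[!0-9a-fA-F]*) continue ;; esac
        printf 'add %s %s %s\n' "$disp" "$proto" "$key"
    done < "$1"
}

# Restore step for /etc/bash.bashrc, e.g.:
#   restore_saved_cookies "/home/.ecryptfs/`id -un`/.xauth"
restore_saved_cookies() {
    [ -e "$1" ] || return 0          # nothing saved (no X11 forwarding)
    if ! cookie_file_is_private "$1"; then
        echo "not loading $1: wrong owner or permissions" >&2
        return 1
    fi
    xauth_add_lines "$1" | xauth -q -
}
```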







Brian Wagner

Brian started working with *nix while a student at Kent State University in the early 90's. In 1995, as an E-Mail Administrator for Caliber Technology (now part of Fedex), he was tasked with administering Sendmail on both Slackware Linux and Solaris systems. His first home install of Linux was MkLinux DR1 in 1996 on his 60 MHz PowerMac. Since then Brian has been working and consulting on Linux and its uses in the enterprise to support everything from e-mail, firewalls, web and file serving to custom cluster and grid solutions. Brian has had the opportunity to work in both Fortune 500 companies and small 2-person organizations. This has given him unique insight into the differences every size of business faces.