How do I get Xwindows to work when I am using an encrypted Drive?

My friend Mike Jansen pinged me this afternoon with an interesting problem.  

Here is the background:

He has setup a Linux VM and needs to get to it remotely from his PC running Windows.  He has xming(A great free XWindows server for Windows) and connects to the machine over SSH.  He decided he would take security to the next level and encrypted his personal directory.  Interesting fact is that when you do this on Ubuntu your home directory isn’t decrypted or mounted until you actually login.  Why is that a problem?  Well as part of the login process SSH puts the magic-coookie XWindows needs to start into your /home/<UserID>/.Xauthority file.  The next thing that happens is that your encrypted directory is decrypted and mounted to /home/<UserID>/ which then hides /home/<UserID>/.Xauthority under the mount.  At that point it breaks X and stops you from running the XWindows Programs.  Unless you do something like what Mike pieced together.  What Mike has below should work system wide for all users.  You should as with all scripts test this out on a non-production system first.

Here is what he gave back to be to post to for everyone:

So I got my issue with encrypted home and ssh/xauth figured out. The solution is actually simple once it’s figured out 🙂

The basic idea for xauth transfer was from


The idea for this came from the man page for SSH. 

I got rid of ~/.ssh/rc and put this in /etc/ssh/sshrc:

if read proto cookie && [ -n "$DISPLAY" ]; then
if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
# X11UseLocalhost=yes
echo add unix:`echo $DISPLAY | cut -c11-` $proto $cookie
# X11UseLocalhost=no
echo add $DISPLAY $proto $cookie
fi | xauth -q -
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
xauth list > $MYXAUTH
chmod go-r $MYXAUTH

Mount encrypted home

The idea’s behind this section came from this page

In /etc/profile, I mount encrypted home (if it’s not already mounted):

if test -e $HOME/.ecryptfs/auto-mount; then
mount | grep "$HOME type ecryptfs"
if test $? != 0; then


I got rid of ~/.bash_login and put this in /etc/bash.bashrc:

# Load xauth information from pre-encrypt mounting ssh initialiation
MYXAUTH=/home/.ecryptfs/`id -un`/.xauth
if [ -e "$MYXAUTH" ]; then
xauth add `cat $MYXAUTH`

Sample SSH LOGIN after Implementation

Here’s what my ssh login looks like now (I have a bunch of outputs to understand the flow and make sure my real and effective uid’s are what I expect):

Using username "mike-jansen".
Authenticating with public key "REALLY_COOL_DEV_SERVER" from agent
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-11-generic-pae i686)

* Documentation:

56 packages can be updated.
29 updates are security updates.

Last login: Thu Sep 22 15:48:24 2011 from
------ BEGIN /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/ssh/sshrc Real [mike-jansen] Effective [mike-jansen]
------ BEGIN /etc/profile Real [mike-jansen] Effective [mike-jansen]
Enter your login passphrase:
Inserted auth tok with sig [c46ead8832a353d7] into the user session keyring

INFO: Your private directory has been mounted.
INFO: To see this change in your current shell:
cd /home/mike-jansen

------ BEGIN /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/bash.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END /etc/profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.profile Real [mike-jansen] Effective [mike-jansen]
------ BEGIN ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.bashrc Real [mike-jansen] Effective [mike-jansen]
------ END ~/.profile Real [mike-jansen] Effective [mike-jansen]




*For those who don't know ~ is a shortcut to the current users home directory as recorded in the user repoistory for the system.







Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.