* ecryptfs doesn´t like noauto and noatime
@ 2012-01-16 9:44 Martin Steigerwald
2012-01-17 1:07 ` Jakob Unterwurzacher
2012-01-17 6:55 ` Tyler Hicks
0 siblings, 2 replies; 8+ messages in thread
From: Martin Steigerwald @ 2012-01-16 9:44 UTC (permalink / raw)
To: ecryptfs
Hi!
I have
merkaba:~> grep ecrypt /etc/fstab
/home/.ms /home/ms ecryptfs noatime,noauto 0 0
And get:
merkaba:~> mount /home/ms
Passphrase:
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=0408d19ec184c207
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=0408d19ec184c207
Error mounting eCryptfs: [-5] Input/output error
Check your system logs; visit <http://launchpad.net/ecryptfs>
Still it works.
In dmesg I see:
[ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option [noauto]
[ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option [noatime]
[ 2657.913215] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
Thus I removed at least noatime, but then I still see:
[ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option [noauto]
One could argue about noatime when ecryptfs doesn't override the setting of
the underlying filesystem - i.e. doesn't write the atime itself. But I
think noauto should be silently ignored.
Without noatime it would ask me the password upon boot, but I do not like
that since I do not use that user every time.
I could use mounting via pam, but I like to have a different password for
the user stored in /etc/shadow than the password from the filesystem
itself.
Thanks,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-16 9:44 ecryptfs doesn´t like noauto and noatime Martin Steigerwald
@ 2012-01-17 1:07 ` Jakob Unterwurzacher
2012-01-17 8:37 ` Martin Steigerwald
2012-01-17 6:55 ` Tyler Hicks
1 sibling, 1 reply; 8+ messages in thread
From: Jakob Unterwurzacher @ 2012-01-17 1:07 UTC (permalink / raw)
To: Martin Steigerwald; +Cc: ecryptfs
On 16.01.2012 10:44, Martin Steigerwald wrote:
> Hi!
>
> I have
>
> merkaba:~> grep ecrypt /etc/fstab
> /home/.ms /home/ms ecryptfs
> noatime,noauto 0 0
>
> And get:
>
> merkaba:~> mount /home/ms
> Passphrase:
> Attempting to mount with the following options:
> ecryptfs_unlink_sigs
> ecryptfs_fnek_sig=0408d19ec184c207
> ecryptfs_key_bytes=32
> ecryptfs_cipher=aes
> ecryptfs_sig=0408d19ec184c207
> Error mounting eCryptfs: [-5] Input/output error
> Check your system logs; visit <http://launchpad.net/ecryptfs>
>
>
> Still it works.
>
>
> In dmesg I see:
>
> [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noauto]
> [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noatime]
> [ 2657.913215] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
>
>
> Thus I removed at least noatime, but then I still see:
>
> [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noauto]
>
>
> One could argue about noatime when ecryptfs doesn't override the setting of
> the underlying filesystem - i.e. doesn't write the atime itself. But I
> think noauto should be silently ignored.
>
> Without noatime it would ask me the password upon boot, but I do not like
> that since I do not use that user every time.
>
> I could use mounting via pam, but I like to have a different password for
> the user stored in /etc/shadow than the password from the filesystem
> itself.
Note that this should work by creating ~/.ecryptfs/wrapping-independent.
Pam will ask for the ecryptfs password explicitly then.
Jakob
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-16 9:44 ecryptfs doesn´t like noauto and noatime Martin Steigerwald
2012-01-17 1:07 ` Jakob Unterwurzacher
@ 2012-01-17 6:55 ` Tyler Hicks
2012-01-17 8:35 ` Martin Steigerwald
1 sibling, 1 reply; 8+ messages in thread
From: Tyler Hicks @ 2012-01-17 6:55 UTC (permalink / raw)
To: Martin Steigerwald; +Cc: ecryptfs
On 2012-01-16 10:44:21, Martin Steigerwald wrote:
> Hi!
>
> I have
>
> merkaba:~> grep ecrypt /etc/fstab
> /home/.ms /home/ms ecryptfs
> noatime,noauto 0 0
>
> And get:
>
> merkaba:~> mount /home/ms
Is this the *exact* mount command that you're running? You're not
invoking /sbin/mount.ecryptfs directly, using mount -t ecryptfs, or
anything else?
> Passphrase:
> Attempting to mount with the following options:
> ecryptfs_unlink_sigs
> ecryptfs_fnek_sig=0408d19ec184c207
> ecryptfs_key_bytes=32
> ecryptfs_cipher=aes
> ecryptfs_sig=0408d19ec184c207
> Error mounting eCryptfs: [-5] Input/output error
> Check your system logs; visit <http://launchpad.net/ecryptfs>
>
>
> Still it works.
>
>
> In dmesg I see:
>
> [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noauto]
> [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noatime]
Neither of these options should be making their way to the kernel in the
string form. noauto is consumed by the mount utility and should be
stripped out entirely before constructing the final mount options string
for the kernel. noatime should be stripped out and converted into a
mountflags bit (see man 2 mount).
It looks like ecryptfs_generate_mount_flags() is incomplete since it
forgets to handle some options (at least noatime and noauto). I created
bug #917509 to track this:
https://launchpad.net/bugs/917509
Tyler
> [ 2657.913215] alg: No test for __gcm-aes-aesni (__driver-gcm-aes-aesni)
>
>
> Thus I removed at least noatime, but then I still see:
>
> [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
> [noauto]
>
>
> One could argue about noatime when ecryptfs doesn't override the setting of
> the underlying filesystem - i.e. doesn't write the atime itself. But I
> think noauto should be silently ignored.
>
> Without noatime it would ask me the password upon boot, but I do not like
> that since I do not use that user every time.
>
> I could use mounting via pam, but I like to have a different password for
> the user stored in /etc/shadow than the password from the filesystem
> itself.
>
>
> Thanks,
> --
> Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
> GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
^ permalink raw reply [flat|nested] 8+ messages in thread
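The split Tyler describes above (noauto dropped in userspace, noatime turned into a mountflags bit, only the remaining options passed to the kernel as text), as an added example that is not ecryptfs-utils code and not part of the original message. The function name `split_mount_options` is hypothetical and the option tables are a small assumed subset of what mount(8) and mount(2) define.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>   /* MS_* constants, see man 2 mount */

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Options that become a mountflags bit instead of kernel option text. */
struct flag_opt { const char *name; unsigned long set, clear; };
static const struct flag_opt flag_opts[] = {
    { "ro", MS_RDONLY, 0 },       { "rw", 0, MS_RDONLY },
    { "nosuid", MS_NOSUID, 0 },   { "nodev", MS_NODEV, 0 },
    { "noexec", MS_NOEXEC, 0 },   { "sync", MS_SYNCHRONOUS, 0 },
    { "noatime", MS_NOATIME, 0 }, { "atime", 0, MS_NOATIME },
    { "nodiratime", MS_NODIRATIME, 0 },
};

/* Options consumed by mount(8)/fstab handling; never sent to the kernel. */
static const char *const userspace_opts[] = {
    "auto", "noauto", "user", "nouser", "users", "owner", "defaults", "_netdev",
};

static int tok_eq(const char *tok, size_t n, const char *name)
{
    return strlen(name) == n && memcmp(tok, name, n) == 0;
}

/* Hypothetical helper: returns 0 on success, -1 if `data` is too small. */
int split_mount_options(const char *opts, unsigned long *flags,
                        char *data, size_t data_len)
{
    size_t used = 0;
    if (data_len == 0)
        return -1;
    *flags = 0;
    data[0] = '\0';
    for (const char *p = opts; *p; ) {
        size_t n = strcspn(p, ","), i;
        int handled = (n == 0);                 /* skip empty tokens */
        for (i = 0; !handled && i < COUNT(flag_opts); i++)
            if (tok_eq(p, n, flag_opts[i].name)) {
                *flags = (*flags | flag_opts[i].set) & ~flag_opts[i].clear;
                handled = 1;
            }
        for (i = 0; !handled && i < COUNT(userspace_opts); i++)
            handled = tok_eq(p, n, userspace_opts[i]);
        if (!handled) {                         /* filesystem-specific text */
            if (used + n + (used ? 1 : 0) >= data_len)
                return -1;
            if (used)
                data[used++] = ',';
            memcpy(data + used, p, n);
            used += n;
            data[used] = '\0';
        }
        p += n;
        if (*p == ',')
            p++;
    }
    return 0;
}

int main(void)
{
    unsigned long flags;
    char data[256];
    /* fstab options from the report plus options printed by the mount helper */
    const char *opts = "noatime,noauto,ecryptfs_unlink_sigs,ecryptfs_cipher=aes";
    if (split_mount_options(opts, &flags, data, sizeof(data)) == 0)
        printf("mountflags=0x%lx data=\"%s\"\n", flags, data);
    return 0;
}
```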
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-17 6:55 ` Tyler Hicks
@ 2012-01-17 8:35 ` Martin Steigerwald
0 siblings, 0 replies; 8+ messages in thread
From: Martin Steigerwald @ 2012-01-17 8:35 UTC (permalink / raw)
To: Tyler Hicks; +Cc: ecryptfs
On Tuesday, 17 January 2012, Tyler Hicks wrote:
> On 2012-01-16 10:44:21, Martin Steigerwald wrote:
> > Hi!
> >
> > I have
> >
> > merkaba:~> grep ecrypt /etc/fstab
> > /home/.ms /home/ms ecryptfs
> > noatime,noauto 0 0
> >
> > And get:
> >
> > merkaba:~> mount /home/ms
>
> Is this the *exact* mount command that you're running? You're not
> invoking /sbin/mount.ecryptfs directly, using mount -t ecryptfs, or
> anything else?
Yes, this is copied-and-pasted.
> > Passphrase:
> >
> > Attempting to mount with the following options:
> > ecryptfs_unlink_sigs
> > ecryptfs_fnek_sig=0408d19ec184c207
> > ecryptfs_key_bytes=32
> > ecryptfs_cipher=aes
> > ecryptfs_sig=0408d19ec184c207
> >
> > Error mounting eCryptfs: [-5] Input/output error
> > Check your system logs; visit <http://launchpad.net/ecryptfs>
> >
> >
> > Still it works.
> >
> >
> > In dmesg I see:
> >
> > [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> > [noauto]
> > [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> > [noatime]
>
> Neither of these options should be making their way to the kernel in
> the string form. noauto is consumed by the mount utility and should be
> stripped out entirely before constructing the final mount options
> string for the kernel. noatime should be stripped out and converted
> into a mountflags bit (see man 2 mount).
>
> It looks like ecryptfs_generate_mount_flags() is incomplete since it
> forgets to handle some options (at least noatime and noauto). I created
> bug #917509 to track this:
>
> https://launchpad.net/bugs/917509
Thanks.
Ciao,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-17 1:07 ` Jakob Unterwurzacher
@ 2012-01-17 8:37 ` Martin Steigerwald
2012-01-17 9:46 ` Jakob Unterwurzacher
0 siblings, 1 reply; 8+ messages in thread
From: Martin Steigerwald @ 2012-01-17 8:37 UTC (permalink / raw)
To: Jakob Unterwurzacher; +Cc: ecryptfs
On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
> On 16.01.2012 10:44, Martin Steigerwald wrote:
> > Hi!
> >
> > I have
> >
> > merkaba:~> grep ecrypt /etc/fstab
> > /home/.ms /home/ms ecryptfs
> > noatime,noauto 0 0
> >
> > And get:
> >
> > merkaba:~> mount /home/ms
> > Passphrase:
[…]
> > Error mounting eCryptfs: [-5] Input/output error
[…]
> > Still it works.
> >
> >
> > In dmesg I see:
> >
> > [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> > [noauto]
> > [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> > [noatime]
> > [ 2657.913215] alg: No test for __gcm-aes-aesni
> > (__driver-gcm-aes-aesni)
> >
> >
> > Thus I removed at least noatime, but then I still see:
> >
> > [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
> > [noauto]
[…]
> > Without noatime it would ask me the password upon boot, but I do not
> > like that since I do not use that user every time.
noauto that is.
> > I could use mounting via pam, but I like to have a different password
> > for the user stored in /etc/shadow than the password from the
> > filesystem itself.
>
> Note that this should work by creating ~/.ecryptfs/wrapping-independent.
> Pam will ask for the ecryptfs password explicitly then.
Thanks.
Would that also work within a display manager like kdm?
Ciao,
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-17 8:37 ` Martin Steigerwald
@ 2012-01-17 9:46 ` Jakob Unterwurzacher
2012-01-30 10:58 ` Martin Steigerwald
0 siblings, 1 reply; 8+ messages in thread
From: Jakob Unterwurzacher @ 2012-01-17 9:46 UTC (permalink / raw)
To: Martin Steigerwald; +Cc: ecryptfs
On 17.01.2012 09:37, Martin Steigerwald wrote:
> On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
>> On 16.01.2012 10:44, Martin Steigerwald wrote:
>>> Hi!
>>>
>>> I have
>>>
>>> merkaba:~> grep ecrypt /etc/fstab
>>> /home/.ms /home/ms ecryptfs
>>> noatime,noauto 0 0
>>>
>>> And get:
>>>
>>> merkaba:~> mount /home/ms
>>> Passphrase:
> […]
>>> Error mounting eCryptfs: [-5] Input/output error
> […]
>>> Still it works.
>>>
>>>
>>> In dmesg I see:
>>>
>>> [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
>>> [noauto]
>>> [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
>>> [noatime]
>>> [ 2657.913215] alg: No test for __gcm-aes-aesni
>>> (__driver-gcm-aes-aesni)
>>>
>>>
>>> Thus I removed at least noatime, but then I still see:
>>>
>>> [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
>>> [noauto]
> […]
>>> Without noatime it would ask me the password upon boot, but I do not
>>> like that since I do not use that user every time.
>
> noauto that is.
>
>>> I could use mounting via pam, but I like to have a different password
>>> for the user stored in /etc/shadow than the password from the
>>> filesystem itself.
>>
>> Note that this should work by creating ~/.ecryptfs/wrapping-independent.
>> Pam will ask for the ecryptfs password explicitly then.
>
> Thanks.
>
> Would that also work within a display manager like kdm?
>
> Ciao,
Yes! It will ask for two passwords on login.
Jakob
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-17 9:46 ` Jakob Unterwurzacher
@ 2012-01-30 10:58 ` Martin Steigerwald
2012-01-30 18:49 ` Dustin Kirkland
0 siblings, 1 reply; 8+ messages in thread
From: Martin Steigerwald @ 2012-01-30 10:58 UTC (permalink / raw)
To: Jakob Unterwurzacher; +Cc: Martin Steigerwald, ecryptfs
Hi Jakob,
On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
> On 17.01.2012 09:37, Martin Steigerwald wrote:
> > On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
> >> On 16.01.2012 10:44, Martin Steigerwald wrote:
> >>> Hi!
> >>>
> >>> I have
> >>>
> >>> merkaba:~> grep ecrypt /etc/fstab
> >>> /home/.ms /home/ms ecryptfs
> >>> noatime,noauto 0 0
> >>>
> >>> And get:
> >>>
> >>> merkaba:~> mount /home/ms
> >
> >>> Passphrase:
> > […]
> >
> >>> Error mounting eCryptfs: [-5] Input/output error
> >
> > […]
> >
> >>> Still it works.
> >>>
> >>>
> >>> In dmesg I see:
> >>>
> >>> [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> >>> [noauto]
> >>> [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> >>> [noatime]
> >>> [ 2657.913215] alg: No test for __gcm-aes-aesni
> >>> (__driver-gcm-aes-aesni)
> >>>
> >>>
> >>> Thus I removed at least noatime, but then I still see:
> >>>
> >>> [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
> >>> [noauto]
> >
> > […]
> >
> >>> Without noatime it would ask me the password upon boot, but I do not
> >>> like that since I do not use that user every time.
> >
> > noauto that is.
> >
> >>> I could use mounting via pam, but I like to have a different password
> >>> for the user stored in /etc/shadow than the password from the
> >>> filesystem itself.
> >>
> >> Note that this should work by creating ~/.ecryptfs/wrapping-independent.
> >> Pam will ask for the ecryptfs password explicitly then.
> >
> > Thanks.
> >
> > Would that also work within a display manager like kdm?
> >
> > Ciao,
>
> Yes! It will ask for two passwords on login.
Hmmm, I think this won't work for me.
This is used by ecryptfs-mount-private it seems, but I am not only encrypting
/home/$USER/Private, but /home/$USER itself. Thus I'd like to mount ~ as is
with a different passphrase than my PAM login password.
I tried putting an empty ~/.ecryptfs/wrapping-independent, which has the
sig-cache.txt for the /home/ms mount but this doesn't do the trick, I am not
asked for a password and home directory remains empty. I could put
Is it true that PAM ecryptfs stuff is only for a ~/Private directory?
Then that would be a reason for me to make a feature request ;).
Thanks,
--
Martin Steigerwald - teamix GmbH - http://www.teamix.de
gpg: 19E3 8D42 896F D004 08AC A0CA 1E10 C593 0399 AE90
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ecryptfs doesn´t like noauto and noatime
2012-01-30 10:58 ` Martin Steigerwald
@ 2012-01-30 18:49 ` Dustin Kirkland
0 siblings, 0 replies; 8+ messages in thread
From: Dustin Kirkland @ 2012-01-30 18:49 UTC (permalink / raw)
To: Martin Steigerwald; +Cc: Jakob Unterwurzacher, Martin Steigerwald, ecryptfs
On Mon, Jan 30, 2012 at 4:58 AM, Martin Steigerwald <ms@teamix.de> wrote:
>
> Hi Jakob,
>
> On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
> > On 17.01.2012 09:37, Martin Steigerwald wrote:
> > > On Tuesday, 17 January 2012, Jakob Unterwurzacher wrote:
> > >> On 16.01.2012 10:44, Martin Steigerwald wrote:
> > >>> Hi!
> > >>>
> > >>> I have
> > >>>
> > >>> merkaba:~> grep ecrypt /etc/fstab
> > >>> /home/.ms /home/ms ecryptfs
> > >>> noatime,noauto 0 0
> > >>>
> > >>> And get:
> > >>>
> > >>> merkaba:~> mount /home/ms
> > >
> > >>> Passphrase:
> > > […]
> > >
> > >>> Error mounting eCryptfs: [-5] Input/output error
> > >
> > > […]
> > >
> > >>> Still it works.
> > >>>
> > >>>
> > >>> In dmesg I see:
> > >>>
> > >>> [ 2657.888355] ecryptfs_parse_options: eCryptfs: unrecognized option
> > >>> [noauto]
> > >>> [ 2657.888359] ecryptfs_parse_options: eCryptfs: unrecognized option
> > >>> [noatime]
> > >>> [ 2657.913215] alg: No test for __gcm-aes-aesni
> > >>> (__driver-gcm-aes-aesni)
> > >>>
> > >>>
> > >>> Thus I removed at least noatime, but then I still see:
> > >>>
> > >>> [ 2839.460200] ecryptfs_parse_options: eCryptfs: unrecognized option
> > >>> [noauto]
> > >
> > > […]
> > >
> > >>> Without noatime it would ask me the password upon boot, but I do not
> > >>> like that since I do not use that user every time.
> > >
> > > noauto that is.
> > >
> > >>> I could use mounting via pam, but I like to have a different password
> > >>> for the user stored in /etc/shadow than the password from the
> > >>> filesystem itself.
> > >>
> > >> Note that this should work by creating ~/.ecryptfs/wrapping-independent.
> > >> Pam will ask for the ecryptfs password explicitly then.
> > >
> > > Thanks.
> > >
> > > Would that also work within a display manager like kdm?
> > >
> > > Ciao,
> >
> > Yes! It will ask for two passwords on login.
>
> Hmmm, I think this won't work for me.
>
> This is used by ecryptfs-mount-private it seems, but I am not only encrypting
> /home/$USER/Private, but /home/$USER itself. Thus I'd like to mount ~ as is
> with a different passphrase than my PAM login password.
>
> I tried putting an empty ~/.ecryptfs/wrapping-independent, which has the
> sig-cache.txt for the /home/ms mount but this doesn't do the trick, I am not
> asked for a password and home directory remains empty. I could put
>
> Is it true that PAM ecryptfs stuff is only for a ~/Private directory?
Definitely not. pam_ecryptfs.so is the method by which keys are
loaded into your keyring at login time, by unwrapping
~/.ecryptfs/wrapped-passphrase using your login passphrase.
It should work with either a randomly generated one, or one of your
choosing. It doesn't really care what's inside of
~/.ecryptfs/wrapped-passphrase -- just that your login passphrase can
symmetrically decrypt it.
Now, getting a passphrase of your choosing into that file requires
running ecryptfs-setup-private by hand, rather than using wrappers,
like the Ubuntu installer or the adduser utility.
> Then that would be a reason for me to make a feature request ;).
--
:-Dustin
Dustin Kirkland
Chief Architect
Gazzang, Inc.
www.gazzang.com
^ permalink raw reply [flat|nested] 8+ messages in thread