Re: ecryptfs-mount-private fails the first time after boot

[Tyler Hicks <tyhicks@canonical.com>]

[-- Attachment #1: Type: text/plain, Size: 2947 bytes --]

On 2013-11-15 17:51:49, Benjamin Moody wrote:
> I'm using ecryptfs on Scientific Linux 6.4 (kernel
> 2.6.32-358.23.2.el6.x86_64, ecryptfs-utils 82-6.el6_1.3)

I don't have a system derived from RHEL 6 to test from. But I gave it a
shot with Ubuntu 10.04 (kernel 2.6.32-52.114-generic, ecryptfs-utils
83-0ubuntu3.2.10.04.3).

I wasn't able to reproduce the bug that you're seeing. I thought that
maybe the RHEL 6 derivatives don't enable the pam_ecryptfs module and
that it does something that ecryptfs-mount-private needs, so I commented
it out of my pam configs and tried again but still couldn't reproduce
it.

> When I run ecryptfs-mount-private for the first time, it shows the following:
> 
> $ ecryptfs-mount-private
> Enter your wrapping passphrase:
> Inserted auth tok with sig [...] into the user session keyring
> keyctl_search: Required key not available
> Perhaps try the interactive 'ecryptfs-mount-private'
> 
> At this point, the following messages appear in dmesg:
> 
> $ dmesg
> ...
> TECH PREVIEW: ecryptfs may not be fully supported.
> Please review provided documentation for limitations.
> SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
> 
> And at this point, the filesystem is *mounted* but the files are not
> correctly decrypted (i.e. Private appears to be an exact mirror of
> .Private):
> 
> $ ls Private/
> ECRYPTFS_FNEK_ENCRYPTED.FWaO.4n6KQUoiUR2FAbPNmeUAR1Zw4f3.rLCHzv3PNoOtExPXP.Ei0KiAE--
> ECRYPTFS_FNEK_ENCRYPTED.FXaO.4n6KQUoiUR2FAbPNmeUAR1Zw4f3.rLC-NRvX4ESyXeGh90V8z6JRo2qp.xjwPLn8Fz1BXP8u22-
> ...

It would be nice to see the mount options, from /proc/mounts, at this
point.

I'm having to make some assumptions, but it looks like the mount happens
without the filename encryption key being loaded into the kernel
keyring.

Also, seeing how many user keys are loaded at this point would be
helpful:

$ keyctl show | grep user: | wc -l
2

> I then unmount and remount it:
> 
> $ ecryptfs-umount-private
> keyctl_search: Required key not available
> Perhaps try the interactive 'ecryptfs-mount-private'
> 
> $ ecryptfs-mount-private
> Enter your wrapping passphrase:
> Inserted auth tok with sig [...] into the user session keyring
> 
> at which point it works as expected.

At this point, the keyctl show command above should spit out the same
result as above. But, I think you'll see "1" printed when you run it
above, and "2" printed now.

> So, does anyone know why this might be happening?

No. I don't recall a fixed bug similar to this, but you should search
our bug tracker (https://bugs.launchpad.net/ecryptfs). Also, take a look
through the RHEL bug tracker.

Sorry I'm not more help at this point but I can't reproduce it at the
moment and don't recall us fixing anything like this. Dustin tends to
this portion of ecryptfs-utils, so maybe he'll remember something when
he sees your email.

Tyler

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]