Can’t ecryptfs-mount-private after ecryptfs-umount-private

Hmm, well, this obviously concerns me greatly.

However, I'm not able to reproduce this here.

Can you post a file listing of your ~/.ecryptfs?

ls -alF ~/.ecryptfs

THanks.

anders@fixed-disk:~$ ls -alF ~/.ecryptfs
total 48
drwx------ 2 anders anders 4096 2009-04-08 13:24 ./
drwx--x--x 275 anders anders 32768 2011-02-27 08:21 ../
-rw-r--r-- 1 anders anders 0 2008-10-15 21:36 auto-mount
-rw-r--r-- 1 anders anders 0 2008-10-15 21:36 auto-umount
-rw-r--r-- 1 anders anders 17 2008-10-15 21:36 Private.sig
-r-------- 1 anders anders 48 2008-10-15 21:36 wrapped-passphrase
-rw-r--r-- 1 anders anders 0 2009-04-08 13:24 .wrapped-passphrase.recorded

I get a similar error running ecryptfs-setup-private on a newly-created clean account.

newuser@fixed-disk:~$ ecryptfs-setup-private
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

Testing mount/write/umount/read...
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
ERROR: Could not mount private ecryptfs directory (2)

After you run:
 $ ecryptfs-mount-private
...

What is the output of:
 $ keyctl list @u

anders@fixed-disk:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [c2e0b8f13ee13855] into the user session keyring
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
anders@fixed-disk:~$ keyctl list @u
1 key in keyring:
230093822: --alswrv 1000 1000 user: c2e0b8f13ee13855

I noticed that the hex value is different after a successful mount, and after that I have two keys in @u, one with each value. Then ecryptfs-umount-private deletes the “right” one but leaves the “wrong” one around:

anders@fixed-disk:~$ keyctl clear @u
anders@fixed-disk:~$ keyctl list @u
keyring is empty
anders@fixed-disk:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [6a0a0dc419b62549] into the user session keyring
anders@fixed-disk:~$ keyctl list @u
2 keys in keyring:
571793771: --alswrv 1000 1000 user: c2e0b8f13ee13855
704793275: --alswrv 1000 1000 user: 6a0a0dc419b62549
anders@fixed-disk:~$ ecryptfs-umount-private
anders@fixed-disk:~$ keyctl list @u
1 key in keyring:
571793771: --alswrv 1000 1000 user: c2e0b8f13ee13855
anders@fixed-disk:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [c2e0b8f13ee13855] into the user session keyring
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

This is, indeed, strange.

Which of these key sigs is your Private.sig?

ie, cat ~/.ecryptfs/Private.sig

anders@fixed-disk:~$ cat ~/.ecryptfs/Private.sig
6a0a0dc419b62549

Sorry to add a 'me to', but I am experiencing the same problem, with the same output in terminal as the bug reporter, when I run 'ecryptfs-setup-private'. I'm using 11.04 Alpha 3, 64-bit, fully updated.

Aha! Okay, I see the problem.

Committed revision 531.

This bug was fixed in the package ecryptfs-utils - 87-0ubuntu1

---------------
ecryptfs-utils (87-0ubuntu1) natty; urgency=low

  [ Paolo Bonzini <email address hidden> ]
  * src/utils/ecryptfs-setup-private: update the Private.* selinux
    contexts

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-private:
    - add -p to mkdir, address noise for a non-error
    - must insert keys during testing phase, since we remove keys on
      unmount now, LP: #725862
  * src/utils/ecryptfs_rewrap_passphrase.c: confirm passphrases in
    interactive mode, LP: #667331
 -- Dustin Kirkland <email address hidden> Wed, 09 Mar 2011 13:31:29 +0000

Any chance to see this in 10.04 (LTS)? I'm suffering from the very same problem there.

ProblemType: Bug
Architecture: i386
Date: Thu Mar 17 15:50:50 2011
Dependencies:
 base-files 5.0.0ubuntu20.10.04.3
 base-passwd 3.5.22
 coreutils 7.4-2ubuntu3
 debconf 1.5.28ubuntu4
 debconf-i18n 1.5.28ubuntu4
 dpkg 1.15.5.6ubuntu4.5
 findutils 4.4.2-1ubuntu1
 gcc-4.4-base 4.4.3-4ubuntu5
 gettext-base 0.17-8ubuntu3
 keyutils 1.2-12
 libacl1 2.2.49-2
 libattr1 1:2.4.44-1
 libc-bin 2.11.1-0ubuntu7.8
 libc6 2.11.1-0ubuntu7.8
 libdb4.8 4.8.24-1ubuntu1
 libecryptfs0 83-0ubuntu3.1
 libgcc1 1:4.4.3-4ubuntu5
 libkeyutils1 1.2-12
 liblocale-gettext-perl 1.05-6
 libnspr4-0d 4.8.6-0ubuntu0.10.04.2
 libnss3-1d 3.12.8-0ubuntu0.10.04.1
 libpam-modules 1.1.1-2ubuntu5
 libpam-runtime 1.1.1-2ubuntu5
 libpam0g 1.1.1-2ubuntu5
 libselinux1 2.0.89-4
 libsqlite3-0 3.6.22-1
 libstdc++6 4.4.3-4ubuntu5
 libtext-charwidth-perl 0.04-6
 libtext-iconv-perl 1.7-2
 libtext-wrapi18n-perl 0.06-7
 lzma 4.43-14ubuntu2
 perl-base 5.10.1-8ubuntu2
 tzdata 2011c-0ubuntu0.10.04
 zlib1g 1:1.2.3.3.dfsg-15ubuntu1
DistroRelease: Ubuntu 10.04
EcryptfsInUse: Yes
NonfreeKernelModules: nvidia
Package: ecryptfs-utils 83-0ubuntu3.1
PackageArchitecture: i386
ProcEnviron:
 LC_PAPER=pl_PL.UTF-8
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LANGUAGE=en_US:en
 LC_CTYPE=pl_PL.UTF-8
 LC_TIME=pl_PL.UTF-8
ProcVersionSignature: Ubuntu 2.6.32-30.59-generic-pae 2.6.32.29+drm33.13
SourcePackage: ecryptfs-utils
Tags: lucid
Uname: Linux 2.6.32-30-generic-pae i686

I think have the same problem on my Lucid installation as well. At least keyctl list @u shows two keys and I am experiencing mysteriously lost files/sessions when I log in on a tty while logged into X as well, and then log out on the tty.

I think that maybe because of those two active keys in my keyctl, ecryptfs umounts my home although I am still logged into X. Would that be possible?

I'm getting the same bug with the release version of Natty (11.04) so with ecryptfs-utils 87-0ubuntu0.

I got the problem originally by logging out and logging back in without rebooting (which is what I usually do since I very rarely reboot/shutdown my machine).

Here's a terminal listing with most of the answers what were asked of the original poster:

username1@mybox:~$ ls Private/
[some private files]
username1@mybox:~$ ls -alF .ecryptfs/
total 24
drwx------ 2 username1 username1 4096 2009-04-23 15:22 ./
drwxr-xr-x 137 username1 username1 12288 2011-04-29 11:49 ../
-rw-r--r-- 1 username1 username1 0 2009-03-23 16:35 auto-mount
-rw-r--r-- 1 username1 username1 0 2009-03-23 16:35 auto-umount
-rw-r--r-- 1 username1 username1 17 2009-03-23 16:35 Private.sig
-r-------- 1 username1 username1 48 2009-03-23 16:35 wrapped-passphrase
-rw-r--r-- 1 username1 username1 0 2009-04-23 15:22 .wrapped-passphrase.recorded
username1@mybox:~$ keyctl list @u
2 keys in keyring:
899674517: --alswrv 1000 0 user: 31bb03a50a74ed60
979231033: --alswrv 1000 0 user: a637b5831fc648bc
username1@mybox:~$ ecryptfs-umount-private
username1@mybox:~$ keyctl list @u
1 key in keyring:
899674517: --alswrv 1000 0 user: 31bb03a50a74ed60
username1@mybox:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [31bb03a50a74ed60] into the user session keyring
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
username1@mybox:~$ keyctl list @u
1 key in keyring:
899674517: --alswrv 1000 0 user: 31bb03a50a74ed60
username1@mybox:~$ cat .ecryptfs/Private.sig
a637b5831fc648bc
username1@mybox:~$ ls Private/
Access-Your-Private-Data.desktop README.txt
username1@mybox:~$ keyctl clear @u
username1@mybox:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [a637b5831fc648bc] into the user session keyring
username1@mybox:~$ ls Private/
[some private files]

Calling "keyctl clear @u" before calling "ecryptfs-mount-private" allows the directory to be mounted correctly... but I can't really do that during boot-up. :)

Thanks.

This bug is definitely NOT fixed in ecryptfs-utils - 87-0ubuntu1.

Still need to run "keyctl clear @u" to be able to do a second login with same user.

Please re-open it.

Ah, I see.

The problem still exists if you do not use encrypted filenames.

I couldn't reproduce before because I was only testing with encrypted filenames.

Dustin

This bug was fixed in the package ecryptfs-utils - 88-0ubuntu1

---------------
ecryptfs-utils (88-0ubuntu1) oneiric; urgency=low

  * src/utils/mount.ecryptfs_private.c:
    - reduce the window size for the TOCTOU race;
      does not entirely solve LP: #732628, which is going to need to be
      fixed in the kernel with some heavy locking
  * debian/control: update urls
  * src/utils/ecryptfs-mount-private: LP: #725862
    - fix ecryptfs-mount-private to insert only the fek, if filename
      encryption is disabled
 -- Dustin Kirkland <email address hidden> Tue, 24 May 2011 09:47:52 -0500

Hello Dustin,

Is a fix being worked on for when file names aren't encrypted? This is a bit of a show stopper for me with regard to upgrading to 11.04.

Thanks.

Uploaded ecryptfs-utils_87-0ubuntu1.1_source.changes to ppa:ecryptfs/ppa.

Could someone please test that and give me feedback? If it works for you, I'll push it through the SRU process. Thanks.

Hi Dustin,

Sorry for the delay in replying, I didn't get an email notification of your post :S

Anyway, I've tried your new version of ecryptfs and unfortunately it doesn't fix the problem for me :( . This is with encrypted filenames disabled.

Thanks for your efforts though.

Darren.

Another "me-too" for also fixing this on Lucid. Combined with bug #344878 it's creating some considerable misery. SSH/scp/rsync into a host with encrypted $HOME...

FWIW, the fix in:

http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/ecryptfs-utils/oneiric/revision/70/src/utils/ecryptfs-mount-private#src/utils/ecryptfs-mount-private

doesn't prevent ecryptfs_insert_wrapped_passphrase_into_keyring() from inserting both fek and (a) fnek into the keyring.

even if filename encryption is turned off. But ecryptfs-umount-private only looks at the Private.sig contents, it doesn't remove the "fnek" key.

Hi Dustin,

Unfortunately 87-0ubuntu1.1~ppa1 from https://launchpad.net/~ecryptfs/+archive/ppa does *not* fix this for me:

mbp@grace% ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [9fbb5cb8ff9185bc] into the user session keyring
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

I can also confirm that Cinquero's comment in #16 "keyctl clear @u" does fix it.

Please disregard #23; I mis-traced the call hierarchy, plus the failure is more subtle when the specified fix is applied to the Licid package. I'll add the info in later comments once I have it all gathered.

So this bug has just been introduced to Maverick after today's upgrade of libecryptfs and ecrypts-utils. :S

Hmm, Bug #313812 was just fixed with an upload to Maverick that had been pending in Maverick Proposed for 22 weeks.

DarrenShare, if you log out, and log back in, are you able to access your data?

@Dustin, no it hangs (I get an error about accessing ICEAuthority if I wait long enough). The only way out is to log into a TTY and reboot. Same behaviour as in Natty.

Okay, I've *finally* triaged this and fixed it ;-)

This bug was fixed in the package ecryptfs-utils - 92-0ubuntu1

---------------
ecryptfs-utils (92-0ubuntu1) oneiric; urgency=low

  * src/libecryptfs/key_management.c: LP: #725862
    - fix nasty bug affecting users who do *not* encrypt filenames;
      the first login works, but on logout, only one key gets
      cleaned out; subsequent logins do not insert the necessary key
      due to an early "goto out"; this fix needs to be SRU'd
  * debian/rules: LP: #586281
    - fix perms on desktop mount file
  * src/pam_ecryptfs/pam_ecryptfs.c: LP: #838471
    - rework syslogging to be less noisy and note pam_ecryptfs
 -- Dustin Kirkland <email address hidden> Thu, 01 Sep 2011 16:25:03 -0500

Hello Anders, or anyone else affected,

Accepted ecryptfs-utils into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Hello Anders, or anyone else affected,

Accepted ecryptfs-utils into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Hello Anders, or anyone else affected,

Accepted ecryptfs-utils into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Hi Clint,

Sorry to say, this has not fixed the problem for me on Maverick.

Unfortunatelly, the problem persists on Lucid, too.

I also still have this problem on Maverick.

Hi everybody, thanks so much for testing and giving us feedback!

Can you all be more clear as to how this has failed in Maverick/Lucid?

There is a TEST CASE in the description, please provide your precise results of running through it.

I can confirm that on Lucid TEST CASE works. However, mounting after relogin doesn't work on my existing account. How to fix this situation? (without data loss :) )

Sorry, my fault. Everything works fine on Lucid now. Big Thanks!

Thanks for testing, Przemek!

@Clint, in my case the test case is irrelevant as it doesn't match my situation - fully encrypted home directories with unencrypted file names. In Maverick, the home directory not being mounted after log out and log in is still a problem.

Darren,

In that case, you have a different bug. Please file a new bug and
clearly delineate the reproduction procedures.

Thanks!
Dustin

Hi Dustin. Forgive me, but it's essentially the same bug except I'm using encrypted home directories rather than a single private directory.

This bug was fixed in the package ecryptfs-utils - 83-0ubuntu3.2.10.04.3

---------------
ecryptfs-utils (83-0ubuntu3.2.10.04.3) lucid-proposed; urgency=low

  * src/libecryptfs/key_management.c: LP: #725862
    - fix nasty bug affecting users who do *not* encrypt filenames;
      the first login works, but on logout, only one key gets
      cleaned out; subsequent logins do not insert the necessary key
      due to an early "goto out"
 -- Dustin Kirkland <email address hidden> Fri, 02 Sep 2011 17:47:02 -0500

Resetting verification tags, still needs verification in maverick/natty

I am having the same problem (ecryptfs without filename encryption does not work after first login); using Linux Mint 11 (=Ubuntu Natty 11.04) with ecryptfs-utils_87-0ubuntu1.2_amd64.

Problem presists after manual install of ecryptfs-utils_93-0ubuntu2_amd64 (from oneiric). It got even worse; no mount even at the first login.

I described this also on a forum, with shell transcripts, see http://forums.linuxmint.com/viewtopic.php?f=47&t=85707

Update: I updated the library as well to libecryptfs0_93-0ubuntu2 . Now it seems to work!

 (This is on Ubuntu Natty / Mint 11)

This bug was fixed in the package ecryptfs-utils - 87-0ubuntu1.3

---------------
ecryptfs-utils (87-0ubuntu1.3) natty-proposed; urgency=low

  * src/libecryptfs/key_management.c: LP: #725862
    - fix nasty bug affecting users who do *not* encrypt filenames;
      the first login works, but on logout, only one key gets
      cleaned out; subsequent logins do not insert the necessary key
      due to an early "goto out"
 -- Dustin Kirkland <email address hidden> Fri, 02 Sep 2011 17:47:19 -0500

This bug affects Ubuntu 10.10, Maverick Meerkat. Maverick has reached end-of-life and is no longer supported, so I am closing the bugtask for Maverick. Please upgrade to a newer version of Ubuntu.
More information here: https://lists.ubuntu.com/archives/ubuntu-announce/2012-April/000158.html