~/snap and fscrypt

Bug #1867426 reported by Nafallo Bjälevik
This bug affects 4 people
Affects: fscrypt (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

For `snap refresh` to work with an fscrypt encrypted home directory, we need to set `"policy_version": "2"` under options in `/etc/fscrypt.conf`, per https://github.com/google/fscrypt#cant-log-in-with-ssh-even-when-users-encrypted-home-directory-is-unlocked

Since Focal will ship with Linux 5.4 we should change the default generated config to avoid headaches later.

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

I'm not sure I understand Go enough to provide a debdiff for this one.

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

Still not working. "Required key not available (1)"

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

I worked around this issue by moving my snap directory to /home/$USER-snap and creating a symlink from /home/$USER/snap. Not the most pretty solution, but better than data loss.

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

nafallo@wendigo:~$ signal-desktop
cannot create user data directory: /home/nafallo/snap/signal-desktop/309: Not a directory

that didn't work either...

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

So that means snap refresh works with the unencrypted symlink, but not running the actual program from the snap.

Revision history for this message
Piotr Martycz (pmartycz) wrote :

Unfortunately, policy v2 was introduced in a newer version of fscrypt than the one currently available in focal [1].

I've had a similar issue to yours during snap refresh. I remember I had to log out the user and run something similar to

sudo fscrypt purge "$(findmnt -n -o TARGET --target /home/<user>)" --user <user>
sudo fscrypt unlock /home/<user> --user root
sudo snap refresh

from a second user which was NOT using home encryption.

[1] https://github.com/google/fscrypt/releases/tag/v0.2.6

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

Good point. I'm building a newer version of fscrypt in ppa:nafallo/magicalforest and will try to re-encrypt my home directory with a new policy.

Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

In addition, the new package FTBFS on Focal until a newer golang-golang-x-sys-dev has landed. The one currently sitting in focal-proposed works. In addition, there is a new upstream release of fscrypt, 0.2.7, that automatically configures v2 policies on new fscrypt setups on newer kernels.

Changed in fscrypt (Ubuntu):
status: New → Confirmed
Revision history for this message
Nafallo Bjälevik (nafallo) wrote :

nafallo@wendigo:~$ snap refresh
signal-desktop 1.33.1 from Snapcrafters refreshed

nafallo@wendigo:~$ fscrypt --version
fscrypt version v0.2.7

nafallo@wendigo:~$ fscrypt status .|grep policy
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2

Confirmed working with newer fscrypt and v2 policies.
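As an added illustration (not code from this bug or from fscrypt itself), the check below tells apart the two things this report conflates: the default policy_version that /etc/fscrypt.conf gives to newly encrypted directories, and the policy version an already-encrypted home directory actually has, read from the "Options:" line of `fscrypt status`. It assumes that an absent "policy_version" in the config means the v1 default and that a status line without policy_version comes from an older fscrypt that only knew v1; the v2 status line is the one quoted above, the other inputs are constructed samples.

```python
"""Report whether an fscrypt setup still relies on v1 policies (the situation in this bug)."""
import json
import re
from typing import List, Optional

# Constructed sample of /etc/fscrypt.conf; fscrypt stores the version as a JSON *string*.
CONF_V1 = ('{"source": "custom_passphrase", "options": {"padding": "32", '
           '"contents": "AES_256_XTS", "filenames": "AES_256_CTS", "policy_version": "1"}}')
CONF_V2 = CONF_V1.replace('"policy_version": "1"', '"policy_version": "2"')

# Output lines of `fscrypt status <dir>`: STATUS_V2 is quoted in this bug,
# STATUS_V1 and STATUS_OLD (tool that never printed policy_version) are constructed.
STATUS_V2 = "Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2"
STATUS_V1 = "Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:1"
STATUS_OLD = "Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS"


def conf_policy_version(conf_text: str) -> int:
    """Policy version that *new* directories get from this config.
    Assumption: a missing or empty "policy_version" means the v1 default."""
    options = json.loads(conf_text).get("options", {})
    raw = str(options.get("policy_version", "")).strip()
    return int(raw) if raw else 1


def status_policy_version(status_text: str) -> Optional[int]:
    """Policy version of an already-encrypted directory, from `fscrypt status` output.
    Returns None when the tool printed no policy_version (assumed: older, v1-only fscrypt)."""
    m = re.search(r"^Options:.*\bpolicy_version:(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def findings(conf_text: str, status_text: str) -> List[str]:
    """Human-readable findings; an empty list means both config and directory are on v2."""
    out = []
    if conf_policy_version(conf_text) < 2:
        out.append('/etc/fscrypt.conf: set "policy_version": "2" under "options"')
    dir_ver = status_policy_version(status_text)
    if dir_ver is None or dir_ver < 2:
        out.append("directory uses a v1 policy: snap refresh fails until it is "
                   "re-encrypted under a v2 policy")
    return out


if __name__ == "__main__":
    for line in findings(CONF_V1, STATUS_V1) or ["OK: v2 config and v2 directory policy"]:
        print(line)
```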

Revision history for this message
Jason Moore (moorepants) wrote :

My firefox snap seemed to stop refreshing about the time I updated to Ubuntu 23.10. I have a home directory that was encrypted with fscrypt and has the v1 policies. I first tried setting "use_fs_keyring_for_v1_policies": true in /etc/fscrypt.conf but this prevented me from logging into a gnome session. I then tried the symlink idea from nafallo above and came to the same conclusion "so that means snap refresh works with the unencrypted symlink, but not running the actual program from the snap.", i.e. I could refresh the snaps with the symlink but then had to restore the directory and remove the symlink to use the apps. I am not sure what the solution is if we can't/don't re-encrypt with a new policy.
