libecryptfs_key_mod_openssl.so does not exist in ecryptfs-utils

Also I have checked that in maverick amd64. The same.

Unfortunately, we're not building ecryptfs against ssl at this time, due to license incompatibilities (as noted below). I'm going to leave this bug open, though, and try and get those sorted out.

ecryptfs-utils (66-2) unstable; urgency=low

  * Removing auth-client-config support, no longer used.
  * Adding ecryptfs-utils recommends to keyutils.
  * Building without ssl, ecryptfs_key_mod_openssl.c has incompatible
    license (GPL-2+).
  * Building without pkcs11 helper, ecryptfs_key_mod_pkcs11_helper.c
    links against openssl and has incompatible license (GPL-2+).
  * Building without pkcs11 helper, ecryptfs_key_mod_tspi.c links
    against openssl and has incompatible license (GPL-2+).

 -- Daniel Baumann <email address hidden> Tue, 18 Nov 2008 20:02:00 +0100

How would I go about getting this committed fix or compiling
/usr/lib/ecryptfs/libecryptfs_key_mod_openssl.so myself?

There's not much information to be duckduckgo'ed about this, but I'd like to implement this module.

The fix is already committed and the module is already implemented.

You can build ecryptfs-utils from source. Pass --enable-openssl to ./configure to be sure that the OpenSSL module will be built. Then, copy the the key module to the appropriate place in /usr/lib.

I'm intentionally being vague with the instructions because I really don't want a lot of people to do this. It is sparingly tested, not supported, and you'll probably run into a handful of bugs. I don't recommend it at this time.

We're at 12.10 now. However, the module that should, according to the manual, be available "at a minimum", still hasn't made it to the main release.

Any comments about the stability and the chances of seeing this in this or the next release?

PS adding ppa:ecryptfs/ppa results in 404s, e.g.:
W: Failed to fetch http://ppa.launchpad.net/ecryptfs/ppa/ubuntu/dists/quantal/main/binary-amd64/Packages 404 Not Found

On 2012-12-13 14:01:50, Redsandro wrote:
> We're at 12.10 now. However, the module that should, according to the
> manual, be available "at a minimum", still hasn't made it to the main
> release.

Which man page? I don't see that stated in any of the 12.10 man pages.

> Any comments about the stability and the chances of seeing this in this
> or the next release?

Unfortunately, there are no plans to improve this feature in the near
term. It is a considerable amount of work, yet no developers have shown
interest in the feature.

Thanks for the reply.

> Which man page? I don't see that stated in any of the 12.10 man pages.

Sorry, I played with this at home (12.10) but I am at an old version (at work) now. :P I just assumed the manual was the same as here.

It's too bad there is little to no interest. Ecryptfs is really great technology. I am using it for encrypting mountable OTFE remote backups, and I like to use a simple password at the safe local site, yet have strong key based encryption on the files. Because, as the ecryptfs manual puts it (or used to put it): Cryptographic keys derived from passphrases are generally worthless.

It could be that I am using ecryptfs in a silly way, because otherwise, given the popularity of key+password based ssh login to servers for maintenance, one would think that typical devs would actually prefer keys over passwords.

Am I missing a trick? Is it possible to use a crazy password and store it in your keyring permanently so the ecryptfs will mount without a password dialog when logged in and keyring opened?

PS - I think ecryptfs-manager does exactly that - setting up passwordless mounting. But the 'kernel keyring' concept of ecryptfs-manager, as opposed to 'user keyring' scared me away of using it. I want to keep keys and secrets within my user, not something system-wide. But I guess terminology on this is not my strongsuit.

I just noticed that the ecryptfs manual itself still mentions the optional key that was removed from the ecryptfs-utils manual:

       openssl_keyfile=(filename)
              The filename should be the filename of a file containing an RSA SSL key.

We don't plan on shipping the OpenSSL key module in Ubuntu. While the licensing issues have been solved, the eCryptfs subsystem that communicates from kernel to userspace and back is incredibly slow and, IMO, not currently usable.