ecryptfs-utils does not work with Ubuntu 14.04, neither with 16.04

Bug #1328689 reported by Thiago Martins on 2014-06-10
This bug affects 13 people
Affects                  Importance  Assigned to
eCryptfs                 High        Dustin Kirkland
ecryptfs-utils (Ubuntu)  High        Dustin Kirkland
sddm (Ubuntu)            High        Unassigned

Bug Description

Guys,

The package ecryptfs-utils works with Ubuntu 12.04.4 (http://uec-images.ubuntu.com/releases/12.04/release/ubuntu-12.04-server-cloudimg-amd64-disk1.img) but it does not work with Ubuntu 14.04 (http://uec-images.ubuntu.com/releases/14.04/release/ubuntu-14.04-server-cloudimg-amd64-disk1.img).

The following procedure works:

1- Start an instance using Ubuntu 12.04.4;

2- Run: "apt-get install ecryptfs-utils";

3- Run: "adduser --encrypt-home cofre1" - WORKS OKAY!

The following procedure does not work:

1- Start an instance using Ubuntu 14.04;

2- Run: "apt-get install ecryptfs-utils";

3- Run: "adduser --encrypt-home cofre1" - ERROR!

Error messages (Ubuntu 14.04 - Trusty):

Console:
---
root@cofre-1:~# adduser --encrypt-home cofre1
Adding user `cofre1' ...
Adding new group `cofre1' (1001) ...
Adding new user `cofre1' (1001) with group `cofre1' ...
Creating home directory `/home/cofre1' ...
Setting up encryption ...

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

mount: No such file or directory
ERROR: Could not mount
adduser: `/usr/bin/ecryptfs-setup-private -b -u cofre1' returned error code 1. Exiting.
---

Kernel:
---
Jun 10 20:56:39 cofre-1 kernel: [ 227.431623] Could not find key with description: [f62693e62d5cd7c1]
Jun 10 20:56:39 cofre-1 kernel: [ 227.435401] process_request_key_err: No key
Jun 10 20:56:39 cofre-1 kernel: [ 227.435405] Could not find valid key in user session keyring for sig specified in mount option: [f62693e62d5cd7c1]
Jun 10 20:56:39 cofre-1 kernel: [ 227.441263] One or more global auth toks could not properly register; rc = [-2]
Jun 10 20:56:39 cofre-1 kernel: [ 227.441413] Error parsing options; rc = [-2]
---

As I said, with Ubuntu 12.04.4 it works like a charm... What am I missing with Ubuntu 14.04 ???

Regards,
Thiago

Related branches

lp:~rlaager/ecryptfs/fix-lp-1574174
Superseded for merging into lp:ecryptfs
Tyler Hicks: Needs Fixing on 2016-04-25
Thiago Martins (martinx) on 2014-06-10
description: updated

I'm using 14.04.1 for amd64 plain version and it behaves the same way :(

It fails with a new 14.04.1 installation and with several other 14.04.1 upgraded installations.

Greets.

Ben Butler-Cole (benbc) wrote :

Partial workaround: install a 12.04 system, create user(s) with encrypted home directory, upgrade to 14.04.

Thiago Martins (martinx) on 2014-11-16
summary: - ecryptfs-utils does not work with Ubuntu 14.04 Cloud Image
+ ecryptfs-utils does not work with Ubuntu 14.04.1

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ecryptfs-utils (Ubuntu):
status: New → Confirmed

Tyler Hicks (tyhicks) wrote :

I've figured out the cause for this bug. It happens when pam_keyinit is used. This happened with ssh based logins in this openssh upload:

  https://launchpad.net/ubuntu/+source/openssh/1:6.5p1-1

The use of pam_keyinit and the way that it creates a session keyring when logging in over ssh is keeping the eCryptfs kernel code from being able to find the mount key. ecryptfs-setup-private is run as the root user. It executes ecryptfs-add-passphrase, which adds the user's mount key to root's user keyring. However, root's user keyring is masked by the session keyring that was created earlier, so the kernel cannot find the mount key when ecryptfs-setup-private executes the mount program.

WORKAROUND:

$ sudo keyctl link @u @s
$ sudo adduser --encrypt-home foo
$ sudo keyctl unlink @u @s

I'm not sure about the appropriate fix at this time.

Changed in ecryptfs:
importance: Undecided → High
status: New → Triaged
Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High

discord (colin.williams) wrote :

Still a bug over 1 year later in 14.04.2

sudo adduser --home /home/colin --ingroup adm --encrypt-home colin
Adding user `colin' ...
Adding new user `colin' (1001) with group `adm' ...
Creating home directory `/home/colin' ...
Setting up encryption ...

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty

Done configuring.

mount: No such file or directory
ERROR: Could not mount
adduser: `/usr/bin/ecryptfs-setup-private -b -u colin' returned error code 1. Exiting.

Agree Colin, very disappointing that an easy-to-reproduce bug has no attention at all.

It is a shame, especially for an LTS release!

However, the workaround that Tyler posted on #5 works for me.

Cheers!

summary: - ecryptfs-utils does not work with Ubuntu 14.04.1
+ ecryptfs-utils does not work with Ubuntu 14.04.2

TJ (tj) wrote :

Adding 'sddm' to the affected list after finding this issue when switching from lightdm to sddm (the Kubuntu display manager) on 15.10, and mounting an ecryptfs file-system on external storage using ecryptfs-recover-private.

Changed in sddm (Ubuntu):
status: New → Triaged
importance: Undecided → High

Tyler Hicks (tyhicks) wrote :

I've verified that the pam config files shipped with sddm call out to pam_keyinit.so with the 'force' option. This causes a new session keyring to be created for each login process.

I hope it gets fixed for 16.04... :-/

summary: - ecryptfs-utils does not work with Ubuntu 14.04.2
+ ecryptfs-utils does not work with Ubuntu 14.04.3
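
Tyler Hicks's two comments above trace the failure to a session keyring created by pam_keyinit that masks the user keyring, and to PAM configs that pass the 'force' option. The script below is an added diagnostic example, not part of this thread or of ecryptfs-utils: it checks both conditions, and the function names and the sample keyctl and PAM input are constructed assumptions.

```shell
#!/bin/bash
# Added diagnostic sketch; every sample input below is constructed.
# Reads `keyctl show @s` output on stdin; succeeds if the user keyring
# (_uid.<uid>) appears as a child (\_) of the session keyring.
user_keyring_linked() {
    awk -v want="_uid.$1" '
        /keyring:/ && /\\_/ && $NF == want { found = 1 }
        END { exit !found }'
}

# Prints "<file>: <options>" for each active (non-comment) pam_keyinit.so
# line in the PAM config files given as arguments.
pam_keyinit_uses() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ /pam_keyinit\.so$/) {
                opts = ""
                for (j = i + 1; j <= NF; j++) opts = opts (opts ? " " : "") $j
                print FILENAME ": " (opts ? opts : "(no options)")
            }
        }' "$@"
}

# Prints "linked" or "masked" for a keyctl listing ($1) and a uid ($2).
keyring_state() {
    if printf '%s\n' "$1" | user_keyring_linked "$2"; then
        echo linked
    else
        echo masked
    fi
}

# Constructed: session keyring without a link to root's user keyring.
MASKED='Session Keyring
 111111111 --alswrv      0     0  keyring: _ses'
# Constructed: the same keyring after `keyctl link @u @s`.
LINKED='Session Keyring
 111111111 --alswrv      0     0  keyring: _ses
 222222222 --alswrv      0 65534   \_ keyring: _uid.0'
keyring_state "$MASKED" 0
keyring_state "$LINKED" 0

# Constructed PAM fragment: one commented-out line, one active with force.
demo=$(mktemp)
printf '%s\n' '# session optional pam_keyinit.so revoke' \
    'session optional pam_keyinit.so force' > "$demo"
pam_keyinit_uses "$demo"
rm -f "$demo"
```

On a live system, pipe `keyctl show @s` into `user_keyring_linked "$(id -u)"` and run `pam_keyinit_uses /etc/pam.d/*` to see which services create a session keyring at login.
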
Vincent Hugot (vincent-hugot) wrote :

Still a bug in 15.10.

Thiago Martins (martinx) wrote :

This is still a BUG on Xenial!

---
root@xenial-1:~# apt install ecryptfs-utils

root@xenial-1:~# adduser --encrypt-home cofre1
Adding user `cofre1' ...
Adding new group `cofre1' (1001) ...
Adding new user `cofre1' (1001) with group `cofre1' ...
Creating home directory `/home/cofre1' ...
Setting up encryption ...

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Done configuring.

mount: mount(2) failed: No such file or directory
ERROR: Could not mount
adduser: `/usr/bin/ecryptfs-setup-private -b -u cofre1' returned error code 1. Exiting.

root@xenial-1:~# lsb_release -ra
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Xenial Xerus (development branch)
Release: 16.04
Codename: xenial
---

summary: - ecryptfs-utils does not work with Ubuntu 14.04.3
+ ecryptfs-utils does not work with Ubuntu 14.04, neither with 16.04
Changed in ecryptfs:
status: Triaged → In Progress
Changed in ecryptfs-utils (Ubuntu):
status: Triaged → In Progress
Changed in ecryptfs:
assignee: nobody → Dustin Kirkland (kirkland)
Changed in ecryptfs-utils (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
Changed in ecryptfs:
status: In Progress → Fix Committed
Changed in ecryptfs-utils (Ubuntu):
status: In Progress → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 111-0ubuntu1

---------------
ecryptfs-utils (111-0ubuntu1) xenial; urgency=medium

  * src/utils/ecryptfs-setup-private: LP: #1328689
    - fix a long standing bug, where setting up an encrypted private,
      encrypted home, or migrating to an encrypted home did not work
      correctly over ssh sessions
    - the root cause of the bug is some complexity in the handling of
      user keyrings and session keyrings
    - the long term solution would be to correctly use session keyrings
    - the short term solution is to continue linking user and session
      keyrings
  * xenial

 -- Dustin Kirkland <email address hidden> Fri, 26 Feb 2016 17:58:16 -0600

Changed in ecryptfs-utils (Ubuntu):
status: Fix Committed → Fix Released

Thiago Martins (martinx) wrote :

Wheeeee!!! It is working! Thank you Dustin! :-D

Xenial is going to be great! YAY!

Changed in ecryptfs:
status: Fix Committed → Fix Released

Not fixed on 14.04.5
