installer in LVM mode sets up broken encrypted swap, using duplicate unencrypted swap

Bug #1453738 reported by Denny on 2015-05-11
This bug affects 77 people
Affects | Status | Importance | Assigned to | Milestone
eCryptfs | | Undecided | Unassigned |
ecryptfs-utils (Ubuntu) | | High | Martin Pitt |
Trusty | | Medium | Unassigned |
Utopic | | High | Unassigned |
Vivid | | High | Unassigned |
Wily | | High | Martin Pitt |

Bug Description

When installing Ubuntu with "Use LVM" (but not encryption!), and "encrypt my home dir", the installer adds the original unencrypted swap to fstab. Then, ecryptfs-setup-swap keeps that, and additionally configures an encrypted swap via a UUID and without offset (which would trigger bug 953875 again!), so that you end up with *two* swap configs for one and the same partition, once unencrypted and once encrypted:

fstab:
/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0

crypttab:
cryptswap1 UUID=f636d7ef-9405-482d-a90a-5ba67026fcfb /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

(UUID is for ubuntu--vg-swap_1). This can't work, as the unencrypted one is faster, so trying to set up the encrypted one fails.

SRU TEST CASE:
--------------
- Install 15.04 with LVM (no encryption) and select "encrypt my home dir"
- Boot will ask you for a (nonexisting) passphrase for the swap partition; press Enter
- Install the update
- Reboot and verify that the bogus passphrase question is gone
- Verify that "swapon -s" has a swap partition (usually dm-2), and that /dev/mapper/cryptswap1 points to that. It should NOT be the unencrypted /dev/mapper/ubuntu--vg-swap_1!

Martin Pitt (pitti) wrote :

OK, so you actually have one unencrypted swap partition on an LVM LV:
/dev/mapper/ubuntu--vg-swap_1: UUID="bfa46f63-6942-4d4b-b1ce-b7c3df4f3818" TYPE="swap"

and your /etc/fstab configures just that. But your crypttab configures an encrypted swap device which isn't in fstab:

cryptswap1 /dev/dm-1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

That's presumably what's causing the password prompt. Let's check which LV dm-1 actually is, can you please get me the output of "ls -lR /dev/mapper"? I am 95% sure it's /dev/mapper/ubuntu--vg-swap_1 and thus this swap partition is used as *both* an encrypted and unencrypted one, and the former fails because of the latter:

mei 11 07:32:36 Denny-HP systemd-cryptsetup[748]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/dm-1.
mei 11 07:32:36 Denny-HP systemd-cryptsetup[748]: Failed to activate with key file '/dev/urandom': Device or resource busy

So this looks like an LVM variant of bug 953875, not of bug 1447282; this looks independent of GPT.

Thanks!

Changed in ecryptfs-utils (Ubuntu):
status: New → Incomplete
Denny (denny-klessens) wrote :

ls -lR /dev/mapper
/dev/mapper:
total 0
crw------- 1 root root 10, 236 mei 12 07:26 control
lrwxrwxrwx 1 root root 7 mei 12 07:26 ubuntu--vg-root -> ../dm-0
lrwxrwxrwx 1 root root 7 mei 12 07:26 ubuntu--vg-swap_1 -> ../dm-1

Nobuto Murata (nobuto) wrote :

I can confirm this issue with daily-live image Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150512) using:
 * UEFI
 * GPT
 * encrypted LVM(LUKS)
 * encrypted home dir(ecryptfs)

Changed in ecryptfs-utils (Ubuntu):
status: Incomplete → Confirmed
Rowdy van der Veen (rowdy) wrote :

I just registered to confirm this issue.
I just did a clean install of 15.04 and let Ubuntu use the entire drive. LVM was checked and encrypt home folder.
I did not select full disk encryption.

After setup completed, I was asked for the password of the swap partition, which just an (enter) bypassed.
After that, I am prompted for the password every time I install updates (just enter makes it go away again).
Do I need to post more info or are these details enough to reproduce the issue?

Rowdy van der Veen (rowdy) wrote :

This is my fdisk -l output:

[sudo] password for rowdy:

Disk /dev/sda: 111,8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6fb7e2e7

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 499711 497664 243M 83 Linux
/dev/sda2 501758 234440703 233938946 111,6G 5 Extended
/dev/sda5 501760 234440703 233938944 111,6G 8e Linux LVM

Disk /dev/mapper/ubuntu--vg-root: 109,8 GiB, 117893496832 bytes, 230260736 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mapper/ubuntu--vg-swap_1: 1,8 GiB, 1879048192 bytes, 3670016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Vindicator (vindicator) wrote :

I too just did a fresh install in the same manner and am noticing this effect.
I did a search because it was getting annoying: eg. "$ sudo service ufw restart" resulted in "Please enter passphrase for disk ubuntu--vg-swap_1 (cryptswap1) on none! ****************"

It just didn't seem right and I'm glad to find out it is simply a bug.

Bruno Munoz (bruno-bmunoz) wrote :

Same issue here.
Fresh Ubuntu 15.04 install
chose encrypt disk (the bug also exists without full disk encryption, I have also tested it, same issue)
chose encrypt home dir
chose LVM
=> auth is requested for disk encryption (normal), but afterwards also for cryptswap
terminal commands regularly prompt:
"Please enter passphrase for disk ubuntu--vg-swap_1 (cryptswap1) on none!"

The annoying part is that sometimes it prompts in the background and "locks" the boot process, waiting for anything to be entered
to unlock => hit ESC to show boot info, you can see the
"Please enter passphrase for disk ubuntu--vg-swap_1 (cryptswap1) on none!"
=> hit enter, the boot continues, and you arrive at login.

Bruno Munoz (bruno-bmunoz) wrote :

$ ls -lR /dev/mapper/
/dev/mapper/:
total 0
crw------- 1 root root 10, 236 mai 27 07:44 control
lrwxrwxrwx 1 root root 7 mai 27 07:44 sda5_crypt -> ../dm-0
lrwxrwxrwx 1 root root 7 mai 27 07:44 ubuntu--vg-root -> ../dm-1
lrwxrwxrwx 1 root root 7 mai 27 07:44 ubuntu--vg-swap_1 -> ../dm-2

Bruno Munoz (bruno-bmunoz) wrote :

the important part in journal:

mai 27 07:44:51 user-VirtualBox systemd[1]: Starting Cryptography Setup for sda5_crypt...
mai 27 07:44:51 user-VirtualBox systemd-cryptsetup[427]: Volume sda5_crypt already active.
mai 27 07:44:51 user-VirtualBox systemd[1]: Started Cryptography Setup for sda5_crypt.
mai 27 07:44:51 user-VirtualBox systemd[1]: Found device /dev/mapper/ubuntu--vg-swap_1.
mai 27 07:44:51 user-VirtualBox systemd[1]: Found device /dev/disk/by-uuid/f636d7ef-9405-482d-a90a-5ba67026fcfb.
mai 27 07:44:51 user-VirtualBox systemd[1]: Activating swap /dev/mapper/ubuntu--vg-swap_1...
mai 27 07:44:51 user-VirtualBox kernel: Adding 1572860k swap on /dev/mapper/ubuntu--vg-swap_1. Priority:-1 extents:1 across:1572860k FS
mai 27 07:44:51 user-VirtualBox systemd[1]: Activated swap /dev/mapper/ubuntu--vg-swap_1.
...
mai 27 07:44:53 user-VirtualBox systemd[1]: Starting Cryptography Setup for cryptswap1...
mai 27 07:44:53 user-VirtualBox systemd-cryptsetup[462]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/f636d7ef-9405-482d-a90a-5ba67026fcfb.
mai 27 07:44:53 user-VirtualBox systemd-cryptsetup[462]: Failed to activate with key file '/dev/urandom': Device or resource busy

Bruno Munoz (bruno-bmunoz) wrote :

$ sudo swapon -a
swapon: stat failed /dev/mapper/cryptswap1: No such file or directory

summary: - Keeps asking for cryptswap password when booting (GPT + LVM + encrypted
- home dir)
+ Keeps asking for cryptswap password when booting (LVM + encrypted home
+ dir)

I've been doing some testing and am finding it isn't LVM related.
I'll be doing further filesystem related tests to see what ends up working.

Failed:
UEFI, GPT, LVM, Encrypted Disk, Encrypted Home
UEFI, GPT, LVM, Encrypted Home
UEFI, GPT, Encrypted Home

Results from UEFI, GPT:
*****
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 1.4T 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
├─sda2 8:2 0 1.4T 0 part /
└─sda3 8:3 0 7.5G 0 part [SWAP]
$ journalctl | grep swap
May 30 23:35:17 - systemd[1]: Activating swap Swap Partition...
May 30 23:35:17 - systemd[1]: Activated swap Swap Partition.
May 30 23:35:17 - kernel: Adding 7813116k swap on /dev/sda3. Priority:-1 extents:1 across:7813116k FS
May 30 23:35:18 - systemd[1]: Starting Cryptography Setup for cryptswap1...
May 30 23:35:45 - systemd[1]: <email address hidden>: main process exited, code=exited, status=1/FAILURE
May 30 23:35:45 - systemd[1]: Failed to start Cryptography Setup for cryptswap1.
May 30 23:35:45 - systemd[1]: Dependency failed for dev-mapper-cryptswap1.device.
May 30 23:35:45 - systemd[1]: Dependency failed for /dev/mapper/cryptswap1.
May 30 23:35:45 - systemd[1]: Job swap.target/start failed with result 'dependency'.
May 30 23:35:45 - systemd[1]: Job dev-mapper-cryptswap1.swap/start failed with result 'dependency'.
May 30 23:35:45 - systemd[1]: Job dev-mapper-cryptswap1.device/start failed with result 'dependency'.
May 30 23:35:45 - systemd[1]: Unit <email address hidden> entered failed state.
May 30 23:35:45 - systemd[1]: <email address hidden> failed.
May 30 23:35:46 - systemd[1]: Starting Cryptography Setup for cryptswap1...
$ swapon -s
Filename Type Size Used Priority
/dev/sda3 partition 7813116 0 -1
*****

Next I'm going to switch the 1.5TB to MBR instead of GPT and incrementally add options back in.

Vindicator (vindicator) wrote :

Yuck, that's not working well at all.
Seems the installer wants to make the disk GPT.

To even change it to MBR, I'd have to "zap" the GPT info and reboot. Without zapping, using fdisk to change it to MSDOS, rebooting, and it would revert back to GPT with all of the partitions.

Then after zapping, setting up the partitions, selecting the custom install, GRUB-2 ends up popping up on reboot instead of going into Ubuntu, and I'm not familiar enough with GRUB to set it up from the shell.
So, knowing it DID install under MBR, I went back to reinstall and let the installer set it up in its own way, hoping it would still use MBR... nope, it switched it to GPT.

I had looked at Ubuntu on a VM years back and thought it unfriendly, as well as a few other dists, but figured by now it would have been clean. Boy am I mistaken.

Vindicator (vindicator) wrote :

Mmmm, ya, forget about MBR. Just wasn't going to get it without a good bit of effort I think.
Also noticed that I kept having to reboot because LiveCD was using the sda swap partition. Once I swapoff, I wouldn't have to reboot.

So going back to a fresh install with UEFI, GPT, LVM, Encrypted Drive and Home, I thought I'd post the pertinent journalctl output containing references to swap since I didn't see it already posted:
*****
$ journalctl | grep swap
May 31 03:46:40 ubuntu os-prober[7441]: debug: running /usr/lib/os-probes/50mounted-tests on /dev/mapper/ubuntu--vg-swap_1
May 31 03:46:40 ubuntu 50mounted-tests[7447]: debug: /dev/mapper/ubuntu--vg-swa_1 is a swap partition; skipping
May 31 03:46:40 ubuntu ubiquity[2983]: Device /dev/mapper/ubuntu--vg-swap_1 not found in os-prober output
May 31 03:47:21 ubuntu partman-lvm[8261]: Logical volume "swap_1" successfully removed
May 31 03:47:32 ubuntu partman-lvm[11536]: Logical volume "swap_1" created
May 31 03:47:58 ubuntu kernel: Adding 7815164k swap on /dev/mapper/ubuntu--vg-swap_1. Priority:-1 extents:1 across:7815164k FS
May 31 03:48:15 ubuntu ubiquity[16198]: INFO: Setting up swap: [/dev/dm-2]
May 31 03:48:15 ubuntu ubiquity[16198]: INFO: Successfully encrypted swap!
May 31 03:51:28 ubuntu ubiquity[15362]: * cryptswap1 (starting)..
May 31 03:51:34 ubuntu ubiquity[15362]: * cryptswap1 (started)...
May 31 03:51:34 ubuntu kernel: Adding 7814652k swap on /dev/mapper/cryptswap1. Priority:-1 extents:1 across:7814652k FS
May 31 03:53:30 ubuntu ubiquity[20109]: cryptsetup: WARNING: target cryptswap1 has a random key, skipped
May 31 03:54:28 ubuntu os-prober[31264]: debug: running /usr/lib/os-probes/50mounted-tests on /dev/mapper/ubuntu--vg-swap_1
May 31 03:54:28 ubuntu 50mounted-tests[31270]: debug: /dev/mapper/ubuntu--vg-swap_1 is a swap partition; skipping
May 31 03:54:38 ubuntu os-prober[32462]: debug: running /usr/lib/os-probes/50mounted-tests on /dev/mapper/ubuntu--vg-swap_1
May 31 03:54:38 ubuntu 50mounted-tests[32468]: debug: /dev/mapper/ubuntu--vg-swap_1 is a swap partition; skipping
May 31 03:56:33 ubuntu ubiquity[16452]: cryptsetup: WARNING: target cryptswap1 has a random key, skipped
*****

Martin Pitt (pitti) on 2015-06-01
tags: added: systemd-boot
Martin Pitt (pitti) wrote :

@danny: thanks, so this confirms the issue. Please either drop /etc/crypttab if you want to keep the unencrypted swap, or drop /dev/mapper/ubuntu--vg-swap from /etc/fstab and uncomment #/dev/mapper/cryptswap1. You can't have both. Do you still know how you set that up? In particular, whether you wrote /etc/fstab in that way, or it was set up by some tool? Thanks!

summary: - Keeps asking for cryptswap password when booting (LVM + encrypted home
- dir)
+ Keeps asking for cryptswap password with using the same swap partition
+ encrypted and unencrypted

Bruno's situation is very similar:

blkid:
/dev/mapper/ubuntu--vg-swap_1: UUID="f636d7ef-9405-482d-a90a-5ba67026fcfb" TYPE="swap"

fstab:
/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0

crypttab:
cryptswap1 UUID=f636d7ef-9405-482d-a90a-5ba67026fcfb /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

This just simply can't work.

Martin Pitt (pitti) wrote :

I can reproduce this with comment 9. So the ecryptfs-setup-swap script fails to disable the original unencrypted swap, and it also needs to add offset= to avoid bug 953875 again. Right now we use unencrypted swap in this scenario, which isn't intended, and get this annoying effect.

Changed in ecryptfs-utils (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
description: updated
information type: Public → Public Security
Martin Pitt (pitti) on 2015-06-12
summary: - Keeps asking for cryptswap password with using the same swap partition
- encrypted and unencrypted
+ installer in LVM mode sets up broken encrypted swap, using duplicate
+ unencrypted swap
affects: systemd → ecryptfs
Martin Pitt (pitti) on 2015-06-12
Changed in ecryptfs-utils (Ubuntu Wily):
milestone: none → ubuntu-15.07
Changed in ecryptfs-utils (Ubuntu Trusty):
milestone: none → ubuntu-14.04.3
importance: Undecided → High
Changed in ecryptfs-utils (Ubuntu Utopic):
importance: Undecided → High
Changed in ecryptfs-utils (Ubuntu Vivid):
importance: Undecided → High
Changed in ecryptfs-utils (Ubuntu Trusty):
status: New → Triaged
Changed in ecryptfs-utils (Ubuntu Utopic):
status: New → Triaged
Changed in ecryptfs-utils (Ubuntu Vivid):
status: New → Triaged
Martin Pitt (pitti) wrote :

We need to fix existing stables at least, including trusty. Even though upstart doesn't give you a hint/error about the broken swap configuration, we are still using unencrypted swap there unintentionally. For an SRU we need to extend our horrible ecryptfs postinst hack to detect this situation, apply the "offset=" to crypttab, and comment out the unencrypted swap from /etc/fstab.

Given that we have shipped broken swap partitions in pretty much every scenario with ecryptfs (bug 953875, this bug, and to a lesser degree bug 1447282), and static swap partitions are also inflexible and unnecessary on most modern hardware, we should also consider (for wily and later) to entirely stop configuring them, and consider other solutions like "swapspace".

Dustin Kirkland  (kirkland) wrote :

Please, please, please disable swap entirely on Ubuntu (wily) or later, and instruct people to 'sudo apt-get install swapspace' if they simply can't live without swap.

I confirm symptoms using fresh install of current Ubuntu 15.04 desktop amd64 .iso installed using VirtualBox VMDK.

When I open a terminal and do "sudo apt-get update && sudo apt-get upgrade", then apt runs as expected, but it prompts for the swap password many times.

Daniel Convissor (convissor) wrote :

Confirming problem and fix.

Installed Ubuntu 15.04 desktop amd64 from standard ISO downloaded about a week ago. Chose to encrypt whole drive and encrypt home directory. When running apt-get upgrade, was getting asked for the crypt drive password over and over.

Commented out the /dev/mapper/ubuntu--vg-swap_1 line in /etc/fstab then rebooted. This problem went away.

A scripted way to comment out the offending fstab line is part of my Ubuntu install script at https://github.com/convissor/ubuntu_laptop_installation/blob/15.04/setup.sh

Eric Phetteplace (ericp-l) wrote :

This is fixed on my machine. Thanks for your help!

Martin Pitt (pitti) wrote :

Notes for myself, please ignore.

This resets what ecryptfs-setup-swap does and re-runs it, for testing a fixed version:

sudo sed -i '/cryptswap/d' /etc/fstab /etc/crypttab && sudo sh -ex /usr/bin/ecryptfs-setup-swap --force; echo "---- fstab ---"; grep swap /etc/fstab; echo "--- crypttab ----"; cat /etc/crypttab; echo "--- swap stat ---"; swapon -s

The problem is in the loop that tries to comment out existing swap from /etc/fstab: It only checks for UUID= and the resolved name like /dev/dm-1, but it does not take any symlinks like "/dev/mapper/ubuntu--vg-swap_1 -> ../dm-1" into account.

This can be fixed with

--- /usr/bin/ecryptfs-setup-swap 2015-03-28 01:37:38.000000000 +0100
+++ ecryptfs-setup-swap 2015-07-09 08:51:38.554860202 +0200
@@ -149,7 +149,9 @@
 for swap in $swaps; do
  info `gettext "Setting up swap:"` "[$swap]"
  uuid=$(blkid -o value -s UUID $swap)
- for target in "UUID=$uuid" $swap; do
+ # /etc/fstab might use a symlink like /dev/mapper/ubuntu--vg-swap_1
+ links=$(for d in $(udevadm info --query=symlink -n /dev/dm-1); do echo /dev/$d; done)
+ for target in "UUID=$uuid" $swap $links; do
   if [ -n "$target" ] && grep -qs "^$target\s\+" /etc/fstab; then
    sed -i "s:^$target\s\+:\#$target :" /etc/fstab
    warn "Commented out your unencrypted swap from /etc/fstab"
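
Review bot: the added links= line queries a fixed node, "udevadm info --query=symlink -n /dev/dm-1", although it sits inside "for swap in $swaps"; on a system where the swap LV is a different node (it is dm-2 in the /dev/mapper listing posted earlier in this report) the symlinks of the wrong device are collected and the real fstab entry is still left active. Query "$swap" instead, quoted. Also note that each $target, now including udev symlink names, is interpolated unescaped into the grep pattern and into the sed expression that uses ":" as its delimiter, so a link name containing ":" or a regex metacharacter would break or mis-match the substitution; escape the target or compare the first fstab field literally.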

This then produces

---- fstab ---
#/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0
--- crypttab ----
cryptswap1 UUID=ddec94de-8a98-4e95-bf76-a01e79029f35 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

which works fine:

lrwxrwxrwx 1 root root 7 Jul 9 08:55 /dev/mapper/cryptswap1 -> ../dm-2

$ sudo swapon -s
Filename Type Size Used Priority
/dev/dm-2 partition 2096636 0 -1

Now we need to clean this up on upgrades. The trick there is to avoid reintroducing bug 953875, from installations which don't have the "offset=" in crypttab.
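
The condition described in the comment above (the same swap device listed unencrypted in fstab, by UUID, device node or symlink, while crypttab uses it as backing device) can be checked on an installed system as follows. This is an added example, not code from ecryptfs-utils or from the thread: it canonicalises both sides with readlink -f rather than listing symlinks with udevadm, and the function names, the ROOT prefix argument and the temporary sample tree (rebuilt from the fstab, crypttab and /dev/mapper listing quoted in this report) are assumptions.

```shell
#!/bin/sh
# Added example (not ecryptfs-utils code): audit for the misconfiguration in
# this report. ROOT is a hypothetical prefix ("" = the running system) so the
# check can run against a mounted image or a constructed test tree.

# Resolve a device spec (UUID=... or a path, possibly a symlink) to its
# canonical device node under ROOT; prints nothing if it does not exist.
# Other spellings (LABEL=, PARTUUID=) are not handled here.
resolve_dev() {
    rd_root=$1
    case $2 in
        UUID=*) rd_path="$rd_root/dev/disk/by-uuid/${2#UUID=}" ;;
        /*)     rd_path="$rd_root$2" ;;
        *)      return 0 ;;
    esac
    if [ -e "$rd_path" ]; then readlink -f "$rd_path"; fi
}

# Print each active fstab swap spec whose device is also the backing device
# of a crypttab entry carrying the "swap" option.
find_duplicate_swap() {
    root=$1
    [ -r "$root/etc/fstab" ] && [ -r "$root/etc/crypttab" ] || return 0
    backing=$(
        while read -r name src key opts || [ -n "$name" ]; do
            case $name in ''|'#'*) continue ;; esac
            case ",$opts," in *,swap,*) resolve_dev "$root" "$src" ;; esac
        done < "$root/etc/crypttab"
    )
    while read -r spec mnt type rest || [ -n "$spec" ]; do
        case $spec in ''|'#'*) continue ;; esac
        [ "$type" = swap ] || continue
        dev=$(resolve_dev "$root" "$spec")
        [ -n "$dev" ] || continue
        if printf '%s\n' "$backing" | grep -Fxq -- "$dev"; then
            echo "$spec"
        fi
    done < "$root/etc/fstab"
}

# Print the names of crypttab swap entries that name their source by UUID=
# but carry no offset= option (the combination the report ties to bug 953875).
find_swap_without_offset() {
    crypttab="$1/etc/crypttab"
    [ -r "$crypttab" ] || return 0
    while read -r name src key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in *,swap,*) ;; *) continue ;; esac
        case $src in UUID=*) ;; *) continue ;; esac
        case ",$opts," in *,offset=*) ;; *) echo "$name" ;; esac
    done < "$crypttab"
}

# Constructed sample: the fstab/crypttab pair and the /dev/mapper symlink
# layout quoted in the report, rebuilt as plain files in a temporary directory.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc" "$t/dev/mapper" "$t/dev/disk/by-uuid"
    : > "$t/dev/dm-2"                       # stand-in for the LV's device node
    ln -s ../dm-2 "$t/dev/mapper/ubuntu--vg-swap_1"
    ln -s ../../dm-2 "$t/dev/disk/by-uuid/f636d7ef-9405-482d-a90a-5ba67026fcfb"
    cat > "$t/etc/fstab" <<'EOF'
/dev/mapper/ubuntu--vg-swap_1 none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0
EOF
    cat > "$t/etc/crypttab" <<'EOF'
cryptswap1 UUID=f636d7ef-9405-482d-a90a-5ba67026fcfb /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
EOF
    echo "$t"
}

sample=$(make_sample_tree)
find_duplicate_swap "$sample"      # prints /dev/mapper/ubuntu--vg-swap_1
rm -rf "$sample"
```

With an empty ROOT (find_duplicate_swap "") the same functions read the running system's /etc/fstab, /etc/crypttab and /dev; any line printed is an unencrypted swap entry that should be commented out.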

Martin Pitt (pitti) on 2015-07-09
Changed in ecryptfs-utils (Ubuntu Wily):
status: Triaged → In Progress
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Utopic is EOL in two weeks, let's not bother.

Changed in ecryptfs-utils (Ubuntu Utopic):
status: Triaged → Won't Fix
Martin Pitt (pitti) wrote :

I just did an LVM+ecryptfs installation on trusty, and it turns out that the even bigger breakage of bug 953875 trumps this bug -- i. e. in trusty you have a wiped /dev/mapper/ubuntu--vg-swap_1 due to the ubiquity part of that bug, thus the device in /etc/crypttab is invalid, and the invalid /etc/fstab mount is displayed quickly by mountall (in plymouth) but does not block the boot. Thus there is no security issue for trusty, just no swap and wasted disk space. Once we fix bug 953875 in trusty this one should get fixed as well, though.

Changed in ecryptfs-utils (Ubuntu Trusty):
importance: High → Medium
description: updated
Martin Pitt (pitti) wrote :

Wily fix uploaded.

Changed in ecryptfs-utils (Ubuntu Wily):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

This is the debdiff for vivid which I just uploaded. I verified that it repairs /etc/fstab and leads to a correctly booting system with encrypted swap for a vivid LVM+ecryptfs installation. It also behaves sufficiently correctly for an upgrade where the swap partition has been wiped by ubiquity from bug 953875.

Changed in ecryptfs-utils (Ubuntu Vivid):
status: Triaged → In Progress
description: updated
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 107-0ubuntu3

---------------
ecryptfs-utils (107-0ubuntu3) wily; urgency=medium

  * Rename libecryptfs0 to libecryptfs1 and adjust the packaging. It has
    actually shipped libecryptfs.so.1 since at least trusty. Add
    C/R/P: libecryptfs0 for smoother upgrades, this needs to be kept until
    after 16.04 LTS.

ecryptfs-utils (107-0ubuntu2) wily; urgency=medium

  * Add setup-swap-check-links.patch: When commenting out existing swap, also
    consider device symlinks like /dev/mapper/ubuntu--vg-swap_1 or
    /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and
    manual setups. (LP: #1453738)
  * debian/ecryptfs-utils.postinst: On upgrade, uncomment underlying
    unencrypted swap partitions that are referred to by a device link when
    crypttab and fstab have a "cryptswap*" device referring to them.

 -- Martin Pitt <email address hidden> Thu, 09 Jul 2015 12:20:47 +0200

Changed in ecryptfs-utils (Ubuntu Wily):
status: Fix Committed → Fix Released

Hello Denny, or anyone else affected,

Accepted ecryptfs-utils into vivid-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ecryptfs-utils/107-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ecryptfs-utils (Ubuntu Vivid):
status: In Progress → Fix Committed
tags: added: verification-needed
Vindicator (vindicator) wrote :

How does one test this when it happens during installation? Does the 15.04 installer ISO get updated? Can we specify the Live Installer flash drive to apply the package via "dpkg" or "apt-get"?

Martin Pitt (pitti) wrote :

For the SRU the step that should be tested most is upgrading an existing broken install. That should fix up /etc/fstab. I'm not sure how to teach the installers "install updates" option to also install from -proposed.

Tobias Birkefeld (whine) wrote :

Tested the fix by upgrading an existing broken install. All good. Following message was shown:
Disabling unencrypted swap device /dev/mapper/ubuntu--gnome--vg-swap_1 in /etc/fstab to enable cryptswap1

/etc/fstab was fixed.

tags: added: verification-done
removed: verification-needed
Tobias Birkefeld (whine) wrote :

sorry, forgot some infos:
tested package ecryptfs-utils version 107-0ubuntu1.2
updated from ecryptfs-utils version 107-0ubuntu1.1

Bruno Munoz (bruno-bmunoz) wrote :

# sudo apt-get install ecryptfs-utils/vivid-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '107-0ubuntu1.2' (Ubuntu:15.04/vivid-proposed [amd64]) for 'ecryptfs-utils'
Suggested packages:
  opencryptoki zescrow-client
The following packages will be upgraded:
  ecryptfs-utils
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/105 kB of archives.
After this operation, 4 096 B of additional disk space will be used.
(Reading database ... 271391 files and directories currently installed.)
Preparing to unpack .../ecryptfs-utils_107-0ubuntu1.2_amd64.deb ...
Unpacking ecryptfs-utils (107-0ubuntu1.2) over (107-0ubuntu1.1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up ecryptfs-utils (107-0ubuntu1.2) ...
Disabling unencrypted swap device /dev/mapper/ubuntu--vg-swap_1 in /etc/fstab to enable cryptswap1

=> entry has been removed from fstab
confirmed fix is ok

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 107-0ubuntu1.2

---------------
ecryptfs-utils (107-0ubuntu1.2) vivid-proposed; urgency=medium

  * Add setup-swap-check-links.patch: When commenting out existing swap, also
    consider device symlinks like /dev/mapper/ubuntu--vg-swap_1 or
    /dev/disks/by-uuid/ into account. Fixes broken cryptswap under LVM and
    manual setups. (LP: #1453738)
  * debian/ecryptfs-utils.postinst: On upgrade, uncomment underlying
    unencrypted swap partitions that are referred to by a device link when
    crypttab and fstab have a "cryptswap*" device referring to them.

 -- Martin Pitt <email address hidden> Thu, 09 Jul 2015 09:04:27 +0200

Changed in ecryptfs-utils (Ubuntu Vivid):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for ecryptfs-utils has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Still broken on 15.04 GPT + encrypted home directory install.

Changed in ecryptfs-utils (Ubuntu Wily):
milestone: ubuntu-15.07 → none
Changed in ecryptfs-utils (Ubuntu Trusty):
milestone: ubuntu-14.04.3 → ubuntu-14.04.4
Changed in ecryptfs-utils (Ubuntu Vivid):
milestone: none → vivid-updates
Bob Merhebi (bobmerhebi) wrote :

Will this be fixed for 14.04?

CrazySky (makarovdenis11) wrote :

Yea, when will be on 14.04?

Vincenzoml (vincenzoml) wrote :

This bug is showing up again in 16.04.

Also showing for me in Ubuntu 16.06, in boot and update terminal

Martin Pitt (pitti) wrote :

@Alexander: Please file a new bug report for 16.04, including your /etc/fstab, /etc/crypttab, and the output of "sudo blkid".

I have had this for a long long while
So I will post here ...
**********
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda9 during installation
UUID=9516cab7-32d5-463b-9a99-2c1bf02b5fdb / ext4 errors=remoun$
# /boot was on /dev/sda8 during installation
UUID=52680116-7ccf-44ff-a5f1-463956e30599 /boot ext2 defaults $
# /boot/efi was on /dev/sda1 during installation
UUID=DE4E-245D /boot/efi vfat umask=0077 0 1
# swap was on /dev/sda10 during installation
# uncomment below per askubuntu 616663?
#UUID=89d05b04-6d5a-45c8-bfe8-038c5cc4be7b none swap sw $
*******
cryptswap1 UUID=89d05b04-6d5a-45c8-bfe8-038c5cc4be7b /dev/urandom swap,offset=1$
******
/dev/sda1: LABEL="SYSTEM_DRV" UUID="DE4E-245D" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="fa3ebedc-6a3c-4c28-8f53-4a9588ff9cf2"
/dev/sda2: PARTLABEL="Microsoft reserved partition" PARTUUID="090c64a5-4e69-4b14-9bd5-f33d20f7e39c"
/dev/sda3: LABEL="Windows" UUID="CCD45187D4517524" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="fba026e5-cd85-4c4b-b491-20911a75b3a4"
/dev/sda4: LABEL="LENOVO" UUID="225C0D1F5C0CEEFB" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="f37cbed8-7a33-46e7-a166-389751ebc245"
/dev/sda5: LABEL="WINRE_DRV" UUID="988E5EF48E5ECB00" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="ffdb1a41-6b21-424e-82ab-28c6e3acfe30"
/dev/sda6: LABEL="LENOVO_PART" UUID="22E662F4E662C79D" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="abbe5d86-8929-43ea-81bc-0e020e9bbc44"
/dev/sda7: LABEL="LRS_ESP" UUID="1065-1475" TYPE="vfat" PARTLABEL="Basic data partition" PARTUUID="51b5372f-5c24-4367-810f-2e36848b50eb"
/dev/sda8: UUID="52680116-7ccf-44ff-a5f1-463956e30599" TYPE="ext2" PARTUUID="d50df29f-41b2-404e-9fac-53d5698cbe30"
/dev/sda9: UUID="9516cab7-32d5-463b-9a99-2c1bf02b5fdb" TYPE="ext4" PARTUUID="54562aea-f675-4491-8b4f-32dfcf01f98f"
/dev/sda10: UUID="89d05b04-6d5a-45c8-bfe8-038c5cc4be7b" TYPE="swap" PARTUUID="3fea77b6-35a0-4fae-b6fd-6aab4a90831a"

Vincenzoml (vincenzoml) wrote :

I have this same bug in xenial. I see a line

/dev/mapper/cryptswap1 none swap sw 0 0

in /etc/fstab

I commented that line but I do not understand how to fix the issue and have a properly set-up encrypted swap.

Vincenzoml (vincenzoml) wrote :

I forgot to mention that in /etc/crypttab I have

cryptswap1 UUID=405a067e-5d92-4130-b8a6-f54c5ae33298 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64

Simao (xdvs23) wrote :

I fixed/workarounded this by removing the cryptswap line from /etc/crypttab and instead adding swap to /etc/fstab (non-encrypted). Then I rebooted and the password prompt didn't come up anymore. This only started to come after I had some booting problems because I messed it up so I had to use boot-repair to get it to work somehow and fix the rest myself.

This might be considered unsafe, but it works for me and should be suitable for my needs.
