ecryptfs-mount-private fails to initialize ecryptfs keys

Bug #1718658 reported by Tomas Hlavacek on 2017-09-21
This bug affects 67 people
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
systemd (Ubuntu)

Bug Description

ecryptfs-mount-private fails to mount the ecryptfs after the 1st reboot after creating the ecryptfs by ecryptfs-setup-private.

After the unsucessful attempt dmesg contains:

[ 1265.695388] Could not find key with description: [<correct key ID>]
[ 1265.695393] process_request_key_err: No key
[ 1265.695394] Could not find valid key in user session keyring for sig specified in mount option: [<correct key ID>]
[ 1265.695395] One or more global auth toks could not properly register; rc = [-2]
[ 1265.695396] Error parsing options; rc = [-2]

Note: The correct key ID has been replaced in the "<correct key ID>".

I also accidentally found an workaround - just running ecrytpfs-manager and then the ecryptfs-mount-private (it does not ask for password for the second time and mounts the ecryptfs correctly):

host:~$ ecryptfs-manager

eCryptfs key management menu
 1. Add passphrase key to keyring
 2. Add public key to keyring
 3. Generate new public/private keypair
 4. Exit

Make selection: 4
host:~$ ls Private/
Access-Your-Private-Data.desktop README.txt
host:~$ ecryptfs-mount-private
host:~$ ls Private/
<ecryptfs content is present>

Can you please add a tag for the version of Ubuntu you are using? (Xenial, Zesty, Artful)

no longer affects: ubuntu-mate
Tomas Hlavacek (tmshlvck) wrote :

It is Artful... Sorry!

brill@tapir:~$ dpkg -l | grep ecrypt
ii ecryptfs-utils 111-0ubuntu4 amd64 ecryptfs cryptographic filesystem (utilities)
ii libecryptfs1 111-0ubuntu4 amd64 ecryptfs cryptographic filesystem (library)

brill@tapir:~$ uname -a
Linux tapir 4.13.0-11-generic #12-Ubuntu SMP Tue Sep 12 16:03:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

tags: added: artful
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ecryptfs-utils (Ubuntu):
status: New → Confirmed
forevertheuni (forevertheuni) wrote :

Exact same problem here. I am using a custom ecryptfs folder (always worked for 3 years). Only way to mount it was by running ecryptfs-manager first.

Thorsten (thorstenr-42) wrote :

i have a fresh ubuntu 17.10 installation with an encrypted home (so all auto configured). If i log into my user account it all works fine. However i also get that error message in dmsg:

[ 55.425188] Could not find key with description: [...]
[ 55.425191] process_request_key_err: No key
[ 55.425191] Could not find valid key in user session keyring for sig specified in mount option: [...]
[ 55.425192] One or more global auth toks could not properly register; rc = [-2]
[ 55.425193] Error parsing options; rc = [-2]

So is this also this bug?

Thorsten (thorstenr-42) wrote :

i have to add that this message only occurs on the first login after a reboot.

Sergio Callegari (callegar) wrote :

I see the same as @Thorsten. I have an encrypted Private directory. If I log into my user account the directory is correctly mounted. However, I still see the same error message as @Thorsten via dmesg.

Pavel Grishkov (pgrishkov) wrote :

I faced the same issue after upgrading from Ubuntu 17.04 to 17.10 a day ago.
I'm having my home directory encrypted and I'm getting the same error message after every first login.
My home directory is mounted correctly though.

As an even worst consequense I'm not able to login into grafical environment at all: Gnome keeps crashing when I click on my user name (I even do not have a chance to enter password). Not sure, however, if this is related to the encryption issue; I'm still checking.

Pavel Grishkov (pgrishkov) wrote :

Okay, the issue with failing X server in my case was not relevant to the encryption errors and was resolved by completing the upgrade process properly:
sudo apt-get update && sudo apt-get dist-upgrade
So this one was more related to the broken upgrade process for 17.04-17.10, so please disregard this part.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Forest (foresto) wrote :

The ecryptfs-manager workaround helps the mount to succeed, but (at least in my case) the system refuses to unmount it afterward. This is a problem for those of us who open our ecryptfs volumes only for as long as they're needed.

Forest (foresto) wrote :

This is a systemd bug, created by this commit:

It looks like poettering has attempted to address it in more recent versions of systemd (though that doesn't help us in ubuntu 17.10):

Forest (foresto) wrote :

Here's a simple patch to disable the broken systemd feature, and restore ecryptfs functionality.

Forest (foresto) wrote :

A systemd build with my patch applied is available here:

The attachment "disable_system_service_session_keyrings.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
forevertheuni (forevertheuni) wrote :

This doesn't happen in 18.04.

Xavier Guillot (valeryan-24) wrote :

I don't agree with the last comme,nt : I have a fresh install of 18.04 and get the same error when trying to recover my old savec Private directory :

Enter your MOUNT passphrase:
mount: /tmp/ecryptfs.fSC9TkTG : échec de l’appel système mount(2) : Aucun fichier ou dossier de ce type.
ERROR: Failed to mount private data at [/tmp/ecryptfs.fSC9TkTG].

Christian Toffolo (ianxxx) wrote :

Same as @Thorsten and @callegar. I see the error messages but everything works fine.
I also just upgraded to 18.04 from a fresh install of 17.10 and the errors are still present.

Sergey Ponomarev (stokito) wrote :

I upgraded from Ubuntu Mate 17.10 to 18.04 after reboot I passed GRUB then I saw logo of Ubuntu Mate and then by screen become black witout anything.
I pressed Ctrl+F1 and swithed to tty1 then logged in and it show me three last errors from dmesg and firts was:
"could not find valid key in user session for sig "
"errorparsing options rc = -2"

So the problem is still present.
Meanwile I checked via mc (midniht commander) and I see that almost all files in my home directory was mounted.
My ~/.ecryptfs/Private.sig file contain two signatures.
I tried a workaround mentioned here: ecryptfs-manager, then press 4 to exit, then run ecrypt-mount-private but this doesn't helped

Jaume (minterior) wrote :

Same as @stokito happened to me. Yesterday I upgraded to Kubuntu 18.04 via "do-release-upgrade" command from a previous install of Kubuntu 17.10 did some half a year ago. When I restart the system I see the Kubuntu Plymouth start screen but then it never arrives to the login screen (sddm). I can login normally in any of the tty's seeing my home correctly decrypted but with these errors:

Could not find key with description: [<key>]
Could not find valid key in user session keyring for sig specified in mount option: [<key>]
Error parsing options; rc = [-2]

Also tried the aforementioned workaround "ecryptfs-manager" but sddm doesn't start either. Also tried installing lightdm with no luck.

Sergey Ponomarev (stokito) wrote :

Ok, so I restored my system and I got back to my Mate and all my settings are kept.
I did a lot of things, even removed ecryptfs while extracted all my home directory from it.
I removed NVidia drivers but I don't think that they caused the problem.
But only reinstalling of XServer finally resolved the problem. I did something like described here:

Hint: if you get "Ubuntu Black Screen" then on GRUB item press "e" to edit menu item then replace "no splash" or "splash quit" with nomodeset and press F10.

Thus I think the problem was caused by some tricky X11 configs upgrade.

Hadmut Danisch (hadmut) wrote :

ecryptfs (private mount) still does not work under 18.04.

That's a complete showstopper for the upgrade 16.04->18.04 because access to encrypted files becomes impossible or at least troublesome.

Hadmut Danisch (hadmut) wrote :

Please keep in mind that ecryptfs-mount-private and mount.ecryptfs_private are slightly different things.

Since ecryptfs-mount-private is a frontend to the underlying mount.ecryptfs_private, and this isn't working either (also not under 18.04), it is vital to focus on fixing that.

I found that keyctl shows different things under 16.04 and 18.04 after doing ecryptfs-add-passphrase.

Hadmut Danisch (hadmut) wrote :

Even a direct

mount -t ecryptfs -o ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs /tmp/work /tmp/a

fails with
[-2] No such file or directory

Hadmut Danisch (hadmut) wrote :

Ooops, no, sorry, it works (/tmp/a was missing).

So the kernel is definitely able to mount the file systems, it's just that ecryptfs-utils and their key management do not work.

Juan Manuel SA (jumasa) wrote :

I had the same problem with Debian.
The workaround I used is creating a link from the key to the keyring

keyctl link @u @s

forevertheuni (forevertheuni) wrote :

Something intriguing is that I updated to a 18.04 when it was still not released (I don't know if it was beta or not. I did it in March. Everything was fine. Everything mounted without any workaround with: mount.ecryptfs_private blabla
Suddenly around April when new updates came, it went back to having this bug.

Redsandro (redsandro) wrote :

#26 fixed this for me.

Doing a manual mount like so (used for safely storing private data in the cloud) used to work since Ubuntu 12 or so.

However, today after updating from Ubuntu 16.04 LTS to 18.04 LTS, the entire thing wouldn't mount anymore:

$ echo mypassphrase | sudo ecryptfs-add-passphrase --fnek -

Inserted auth tok with sig [abc] into the user session keyring
Inserted auth tok with sig [123] into the user session keyring

$ sudo /bin/mount -it ecryptfs "/media/locked" "/media/unlocked" -o ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=abc,ecryptfs_fnek_sig=123

mount: /home/local/Dropbox.unlocked: mount(2) system call failed: No such file or directory.

I read the following messages in `/var/log/syslog`:

kernel: [ 5608.396634] Could not find key with description: [abc]
kernel: [ 5608.396641] Could not find valid key in user session keyring for sig specified in mount option: [abc]

Apparently there are different keyrings now.

This fixed my script:

$ sudo keyctl link @u @s
$ sudo /bin/mount -it ecryptfs "/media/locked" "/media/unlocked" -o ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=abc,ecryptfs_fnek_sig=123

For now everything works again, but the thing seems buggy. Ubuntu even dropped the encrypted home because of it.

Ecryptfs seems to be eol. Looking for fresh solutions to protect the privacy of my cloud files.

Bill Dietrich (billdietri123) wrote :

I see the messages (starting with "Could not find key with description") on a fresh install of Linux Mint 19 Cinnamon.

Second line of kern.log says: "Linux version 4.15.0-36-generic (buildd@lgw01-amd64-031) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 (Ubuntu 4.15.0-36.39-generic 4.15.18)"

This started happening after installing lubuntu-desktop. Even after removing it, it is still failing to mount. After running "keyctl link @u @s", it works.

Note: I'm using 18.04

ZdravkoG (zdravko-g) wrote :

I'm using 18.04, everything up to date.
ecryptfs is used for home encryption. Everything seems to work fine, but error messages (as already noted above) appears. Not to repeat everything already said, additional note could be that the messages are not tagged where they really comes from. It is a good practice (at least) everything in the system log to be explicitly clear where it comes from (as in most cases).

Massimo S. (smassimo) wrote :

I had updated my laptop so to Ubuntu 18.10 64bit and the message is still present for me.

I see the messages (Could not find key with description...) in dmesg output but all works fine.

Lucas Levrel (llev) wrote :

Trying to mount a personnal dir (not home) with ecryptfs-simple fails, with the same error messages in kern.log as comment #20. (Using Linux Mint 19, Xfce.)
The workaround in comments #26 and #30 works for me. (No sudo like in #28 : with sudo the mount works but the key sig gets added to /root/.ecryptfs . So keyctl has to be launched by thenormal user.)

This bug affects a cryptographic (read: highly sensitive) feature, is 15 months old, a patch was proposed 12 months ago, but it is still of "Undecided" importance and still "Unassigned"? Come on! Are the ecryptfs-utils and systemd packages unmaintained at Ubuntu?

The maintainer of ecryptfs-utils, Dustin Kirkland, is only listed as "may be notified" in the list of subscribers! The group maintainer of systemd, "Ubuntu Developers", is not listed at all!

tags: added: bionic
Lucas Levrel (llev) wrote :

I could automate the workaround #26 and #30 but putting the said command in my .profile

Andreas Schirra (preludi) wrote :

This bug affects me too

BarsMonster (3-y) wrote :

Still actual in 18.04.
This looks scary.

Marco Lobbia (embcen) wrote :

Still the issue persist at present, Ubuntu 18.08 LTS.
The workaround suggested in the bug description works, but for how long I wonder?
Would you trust this bugged ecryptfs to manage sensible data?

Kevin Otte (nivex) wrote :

I would not trust ecryptfs anymore.
Use the time to migrate your data.

G.M. (sexxxenator) wrote :

This error message is still pressent in my logs in XUbuntu 19.04 (freshly updated as of today). But the mounting finally occurs. However it is still quite annoying...

sgrey (sgrey) wrote :

I have just encountered this issue on 18.04 with Linux 4.15.0-54-generic.

The proposed workaround does not work for me.

ADTopkek (adtopkek) wrote :

Upgraded from Ubuntu server 16 to 18 and I too am having this issue.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers