Ubuntu
ecryptfs-utils package

Cannot mount the encrypted private directory after changing password

Bug #255624 reported by Tommaso R. Donnarumma
2
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
New
Undecided
Unassigned

Bug Description

Binary package hint: ecryptfs-utils

Observed with ecryptfs-utils 53-1ubuntu1 on Intrepid alpha, but guess the following is by design.

Steps to reproduce:
1) Create an encrypted private directory as per https://wiki.ubuntu.com/EncryptedPrivateDirectory (see Testing)
2) Logout and login again to confirm that the encrypted private directory is mounting
3) Change your unix password
4) Logout and login again to observe that the encrypted directory is no longer mounted
5) Also open a terminal and try to manually mount it with the command ecryptfs-mount-private and see it fail with message "keyctl_search: Required key not available"

What should happen:
After changing one's password, the user is still able to access their encrypted private directory.

What happens instead:
After changing one's password, the user can no longer mount their encrypted private directory.

Comment:
From what I understand, ecryptfs-tools needs a password to encrypt the private directory. This private password is wrapped (i.e. encrypted) with the user login password at initialization time. Subsequently, the private password is unwrapped at each login using the login password just provided by the user.
This breaks as soon as the user changes their unix password, because the login password is no longer able to unwrap the private password. Here, The Right Thing to do is to unwrap and rewrap the private password transparently as users change their login password, but I don't know how difficult that is.
Transitorily, prominent instructions on the wiki on how to do update the private password manually or otherwise recover from the situation would be welcome. For the time being, I've restored my previous password.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Hi,

Thanks for the report.

Could you check your /etc/pam.d/common-password file?

You need to have an entry that says:
password optional pam_ecryptfs.so

This will automatically re-wrap your ecryptfs mount passphrase on password change.

If you followed the instructions on the wiki a few weeks ago, the auth-client-config command was missing the pam-password bits. See bug #253816 where this was fixed.

You should use:
 # sudo auth-client-config -p ecryptfs_standard -t pam-auth,pam-session,pam-password

Thanks,
:-Dustin

Revision history for this message
Tommaso R. Donnarumma (tawmas) wrote :

Hi,

my /etc/pam.d/common-password didn't have the line:
password optional pam_ecryptfs.so

I've rerun the command you gave (it was in the wiki when I first installed, although the package version was older), and now the line is present.

I'll change password/logout/login at the end of this session, but I believe it's going to work.

Thanks for the help and sorry about the fuss.

Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 255624] Re: Cannot mount the encrypted private directory after changing password

On Thu, Aug 7, 2008 at 1:44 PM, Tommaso R. Donnarumma
<email address hidden> wrote:
> Thanks for the help and sorry about the fuss.

No worries, thanks for the bug report!

:-Dustin

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.