Reopening the ecryptfs-utils bug. Adding user-setup task.
This bug is actually quite a bit more complicated than I first realized.
Fundamentally, we have two preseed options which are incompatible:
d-i passwd/user-password-crypted password $6$.1eHH0iY$ArGz...
and
d-i user-setup/encrypt-home boolean true
We cannot encrypt the home directory without having access to the cleartext password. I'm reverting the "fix" that I had committed to ecryptfs-utils, which persisted that cleartext password across the first boot by storing it in /var/tmp, which was not a good idea, as this leaks the file to disk. There's no secure way of persisting this sort of data across a reboot, sorry.
I'm attaching a patch/branch here that adjusts the logic in the user-setup state machine in d-i which should ensure that *if* you've requested an encrypted home, and we only have a crypted password, then we should throw you back into the critical dialogs to choose a password.
Reopening the ecryptfs-utils bug. Adding user-setup task.
This bug is actually quite a bit more complicated than I first realized.
Fundamentally, we have two preseed options which are incompatible: user-password- crypted password $6$.1eHH0iY$ArGz... encrypt- home boolean true
d-i passwd/
and
d-i user-setup/
We cannot encrypt the home directory without having access to the cleartext password. I'm reverting the "fix" that I had committed to ecryptfs-utils, which persisted that cleartext password across the first boot by storing it in /var/tmp, which was not a good idea, as this leaks the file to disk. There's no secure way of persisting this sort of data across a reboot, sorry.
I'm attaching a patch/branch here that adjusts the logic in the user-setup state machine in d-i which should ensure that *if* you've requested an encrypted home, and we only have a crypted password, then we should throw you back into the critical dialogs to choose a password.