← Back to team overview

ecryptfs team mailing list archive

[Bug 259631] Re: Cannot open Private directory after a reboot

 

Rune-

That "fa....5c" value is your *mount* passphrase, which you have just
published to the internet.  Consider any data there compromised.

Guys-

There are 2 passphrases involved.
  1) There's your login_passphrase (what you use to login to the system)
  2) And there's your mount_passphrase (what is used to mount the ~/Private directory and encrypt/decrypt the data there)

When you successfully login to your system, a PAM module in the
authentication stack called pam_ecryptfs takes your login_passphrase,
and uses that to decrypt a file, ~/.ecryptfs/wrapped-passphrase, which
contains your mount_passphrase.

If that file is successfully decrypted, your decrypted mount_passphrase
will be inserted into your kernel keyring.

Then, pam_ecryptfs will attempt to run /sbin/mount.ecryptfs_private,
which will try to mount your ~/Private directory using the passphrase
which was added to the keyring.  If the mount_passphrase not able to be
retrieved and added to the kernel keyring, you will get the
"keyctl_search: Required key not available" error.

This is what should happen automatically.

To find out where the problem is, you can perform each of these steps
manually.

First, you need to figure out if you can decrypt your mount_passphrase,
using 'ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
LOGIN_PASSPHRASE'.  You will probably get the salt warning, and then if
it succeeds, it will print the mount_passphrase to the screen.  When you
ran ecryptfs-setup-private, you were able to either choose your own
mount_passphrase or have one generated for you.  If you had one
generated for you, it would be 128-bits of random data, represented by a
string of hexadecimal digits.  In any case, if ecryptfs-unwrap-
passphrase is able to print it to screen, that's good.  Check the exit
code (echo $?) immediately after running ecryptfs-unwrap-passphrase, and
ensure that it's 0.  Otherwise, your wrapped-passphrase file is probably
encrypted using a different password than the one you supplied.

Once you're able to successfully decrypt ~/.ecryptfs/wrapped-passphrase
(and please don't post your passphrases here), run
'ecryptfs_insert_wrapped_passphrase_into_keyring ~/.ecryptfs/wrapped-
passphrase LOGIN_PASSPHRASE'.  This will add the passphrase to the
kernel keyring.  You can list the id's of the keys in the keyring using:
'keyctl show'.  Note that you might need to install the 'keyutils'
package.

Now that you have the passphrase in the keyring, you should be able to
mount your encrypted private directory with 'mount.ecryptfs_private'.

If you're still getting "keyctl_search: Required key not available",
then the wrong passphrase has been inserted into your keyring.  You can
check what key mount.ecryptfs_private expects with 'cat
~/.ecryptfs/Private.sig'.  This "signature" should match the signature
of the key in your keyring, as shown by 'keyctl show'.

I would very much appreciate it if the people on this bug experiencing
this problem could walk through these steps and please tell me where you
are experiencing the failure.

:-Dustin

** Changed in: ecryptfs-utils (Ubuntu)
     Assignee: (unassigned) => Dustin Kirkland (kirkland)
       Status: Invalid => Incomplete

-- 
Cannot open Private directory after a reboot
https://bugs.launchpad.net/bugs/259631
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: Incomplete

Bug description:
Binary package hint: ecryptfs-utils

I created an encrypted private directory following the instructions here:

https://wiki.ubuntu.com/EncryptedPrivateDirectory

Everything worked as it should until I rebooted. When I try to mount my private directory I get the following message:

 jimk@intrepid:~$ mount.ecryptfs_private
keyctl_search: Required key not available

When I go to create a key, I get the following message:

jimk@intrepid:~$ ecryptfs-setup-private
ERROR: wrapped-passphrase file already exists, use --force to overwrite.

I can create a new passphrase if I use the force option, but I shouldn't have to do this everytime I reboot



Follow ups