
ecryptfs team mailing list archive

[Bug 302870] Re: add support for setting up encrypted home directory on user creation


Fresh install of Ubuntu Jaunty (downloaded today from daily) using amd64
and netboot to install the system. Once the system came up everything
was normal except that I could not log in.

I tried everything I could think of to allow the user to write to its
$HOME, but it seems that .ecryptfsrc wasn't created (on purpose?) or
there is a race condition between the keyring and ecryptfs (if the
keyring wasn't created for some reason, the script that unwraps the
password can't put it on the keyring, and the keyring cannot be created
because when you log in you can't write to home as it has 0500
permissions).

Please advise....

This is a test system with the following hardware:

IBM Lenovo R61 (amd64)

I installed from the Alternate ISO using TFTP and the system was
partitioned as follows (preseed):

d-i partman-auto/expert_recipe string                         \
      boot-root ::                                            \
              100 10000 256 ext4                              \
                      $primary{ } $bootable{ }                \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext3 }    \
                      mountpoint{ /boot }                     \
              .                                               \
              5000 9999 10000 ext4                            \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }     \
                      mountpoint{ / }                         \
              .                                               \
              256 3000 300% linux-swap                        \
                      $lvmok{ }                               \
                      method{ swap } format{ }                \
              .                                               \
              500 3000 40000 ext4                             \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }     \
                      mountpoint{ /home }                     \
              .                                               \
              500 1000 1024 ext4                              \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }     \
                      mountpoint{ /tmp }                      \
              .                                               \
              500 1000 1024 ext4                              \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }     \
                      mountpoint{ /var/tmp }                  \
              .                                               \
              5000 999   1000000000 ext4                      \
                      $lvmok{ }                               \
                      method{ format } format{ }              \
                      options/relatime{ relatime }            \
                      use_filesystem{ } filesystem{ ext4 }     \
                      mountpoint{ /var }                      \
              .                                               \

-- 
add support for setting up encrypted home directory on user creation
https://bugs.launchpad.net/bugs/302870
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in eCryptfs - Enterprise Cryptographic Filesystem: Fix Released
Status in “adduser” source package in Ubuntu: Fix Released
Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in “gnome-system-tools” source package in Ubuntu: Triaged
Status in “linux” source package in Ubuntu: Fix Released
Status in “system-tools-backends” source package in Ubuntu: Invalid
Status in “user-setup” source package in Ubuntu: Fix Released

Bug description:
Binary package hint: adduser

I'm currently adding support for bootstrapping an encrypted home directory to the ecryptfs-setup-private utility in the ecryptfs-utils package.

This requires a simple patch to the adduser utility, to support an "--encrypt-home" option, which would call:
 # ecryptfs-setup-private -b -u $USER

The call to ecryptfs-setup-private uses the existing code to set up an encrypted home directory.  It will generate a mount passphrase from /dev/urandom, establish the user's ecryptfs configuration files, mount the home directory, and return 0.  With the home directory mounted, adduser can proceed to copy the /etc/skel files into the mounted, encrypted mountpoint.  The adduser utility then needs to unmount that home directory.  The "passwd" call within adduser will trigger the password-change code within pam_ecryptfs.so, which will detect the cleartext, randomly generated mount passphrase written to file, and wrap (i.e., encrypt) that file using the chosen passphrase.

This patch also adds documentation to the manpage regarding the new --encrypt-home option.

Finally, this patch modifies the control file to "Recommend" a version of ecryptfs-utils with the required new functionality.  Note that Colin said he needs to think about the appropriate level (Recommends vs. Suggests).

:-Dustin
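Added example (not part of this bug report and not code from adduser or
ecryptfs-utils): a post-bootstrap check an administrator can run after
`adduser --encrypt-home` to tell a completed bootstrap from the stuck
state reported above, where the user's home is left at 0500 and the
ecryptfs configuration never appears. The file names it looks for
(~/.ecryptfs/wrapped-passphrase, Private.sig, Private.mnt and the
~/.Private lower directory) follow the ecryptfs-utils layout but are
assumptions here, as are the function names; the sample layouts it
builds in a temporary directory are constructed for the demonstration.

```python
"""Post-bootstrap consistency check for an eCryptfs encrypted home.

Added example. It reports the on-disk state that the adduser/ecryptfs-setup-private
bootstrap is expected to leave behind, so that a stuck account (home 0500, no
configuration written) is spotted before the first login fails.
"""
import stat
import tempfile
from pathlib import Path

# Files ecryptfs-setup-private writes under $HOME/.ecryptfs (assumed layout;
# adjust for the installed ecryptfs-utils version).
CONFIG_FILES = ("wrapped-passphrase", "Private.sig", "Private.mnt")


def check_encrypted_home(home):
    """Return a list of problems found; an empty list means the layout looks complete."""
    home = Path(home)
    if not home.is_dir():
        return [f"{home}: home directory does not exist"]
    problems = []

    # The reporter's symptom: home left at 0500, so the login session cannot
    # create the keyring/session files it needs.
    mode = stat.S_IMODE(home.stat().st_mode)
    if not mode & stat.S_IWUSR:
        problems.append(f"{home}: owner has no write permission (mode {oct(mode)})")

    conf = home / ".ecryptfs"
    if not conf.is_dir():
        problems.append(f"{conf}: configuration directory missing")
    else:
        for name in CONFIG_FILES:
            if not (conf / name).is_file():
                problems.append(f"{conf / name}: missing")
        # The (wrapped) mount passphrase must never be readable by other users.
        wp = conf / "wrapped-passphrase"
        if wp.is_file():
            wp_mode = stat.S_IMODE(wp.stat().st_mode)
            if wp_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{wp}: group/other permissions set (mode {oct(wp_mode)})")

    lower = home / ".Private"
    if not lower.is_dir():
        problems.append(f"{lower}: lower (ciphertext) directory missing")
    return problems


def make_sample_home(root, complete=True):
    """Build a constructed sample home under root: a finished bootstrap, or the stuck state."""
    home = Path(root) / "alice"
    home.mkdir()
    if complete:
        conf = home / ".ecryptfs"
        conf.mkdir()
        for name in CONFIG_FILES:
            p = conf / name
            p.write_text("placeholder\n")  # constructed content, not a real passphrase
            p.chmod(0o600)
        (home / ".Private").mkdir()
    else:
        home.chmod(0o500)  # the state described in the report: no config, no write bit
    return home


def demo():
    """Run the check against both sample layouts; returns {"complete": [...], "stuck": [...]}."""
    results = {}
    for label, complete in (("complete", True), ("stuck", False)):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = check_encrypted_home(make_sample_home(tmp, complete))
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

On a real system run it as root against /home/<user> right after the
adduser call; an empty report means the configuration files and lower
directory are in place and the home is writable, so the first login can
populate the keyring. Any "missing" line means the bootstrap did not
finish and the account should not be handed to the user yet.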
