ecryptfs team mailing list archive

Thread
Date

[Bug 295429] Re: pam_encryptfs.so causes authentication to be slow

To: ecryptfs@xxxxxxxxxxxxxxxxxxx
From: Dustin Kirkland <dustin.kirkland@xxxxxxxxx>
Date: Sat, 21 Feb 2009 01:44:24 -0000
Reply-to: Bug 295429 <295429@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Hi all,

Thanks for the bug report.

Okay I've tracked this down.  It helped quite a bit to see that it's
mostly Atom processors (eee pc's, and netbooks).

This is totally a function of eCryptfs' key strengthening mechanism.  For more information about key strengthening, see:
 * http://en.wikipedia.org/wiki/Key_strengthening

The goal here is to make your eCryptfs keys as strong as possible.  In
the course of generating your fekek (file encryption key encryption key
-- see the ecryptfs source code for more details), we perform a has
iterative sha512 hash ~65,000 times.  This is a non-trivial operation,
and it's intended to make brute force attacks against your passphrases
65,000 times harder.

While many desktop/laptop/server CPU's can do this key strengthening in
about ~1 second, it's taking a bit longer on lower power processors.

Unfortunately, this is not something we're going to be able to solve
without breaking the ABI/API of eCryptfs.  We would need two different
versions--a weak-key and a normal key mode.  I doubt we're going to
solve this any time soon.  I'm going to have to mark this "won't fix"
for now.  Sorry!

:-Dustin

** Changed in: ecryptfs-utils (Ubuntu)
       Status: New => Won't Fix

-- 
pam_encryptfs.so causes authentication to be slow
https://bugs.launchpad.net/bugs/295429
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: Won't Fix

Bug description:
Binary package hint: ecryptfs-utils

I have the encrypted ~/Private enabled. In /etc/pam.d/common-auth is the line:
auth    optional    pam_encryptfs.so unwrap

If that line is commented out, then doing something like 'sudo ls' is instantanious after I enter my password. 

If that line is not commented out (like normal), 'sudo ls', or anything else involving my password such as logging in, and unlocking the screensaver take about 4 or 5 seconds longer than they need to.

The following is also syslogged. I'm not sure if it's relevant or not, but that 5 second delay seems to be the pause that occurs.

Nov 8 17:33:00 gulik sudo: pam_sm_authenticate: Called 
Nov 8 17:33:00 gulik sudo: pam_sm_authenticate: username = [robin] 
Nov 8 17:33:00 gulik sudo: Error attempting to parse .ecryptfsrc file; rc = [-5]
Nov 8 17:33:00 gulik sudo: Unable to read salt value from user's .ecryptfsrc file; using default 
Nov 8 17:33:05 gulik sudo: Passphrase key already in keyring 
Nov 8 17:33:05 gulik sudo: Error attempting to add passphrase key to user session keyring; rc = [1] 
Nov 8 17:33:05 gulik sudo: There is already a key in the user session keyring for the given passphrase. 

This doesn't seem to impair the functionality, but it is a little bit annoying.

References

[Bug 295429] [NEW] pam_encryptfs.so causes authentication to be slow
From: Eythian, 2008-11-08