ecryptfs team mailing list archive

[Bug 352307] Re: update-notifier message about recording mount passphrase

 

Thanks, Michael, this works fine.

I uploaded a new ecryptfs-utils which should make this work. I tested it
with a new non-admin user "joe" and

  sudo ecryptfs-setup-private -u joe; sudo chown joe:joe /home/joe/.ecryptfs

Caveats:

 - All users with an existing ~/.ecryptfs/wrapped-passphrase get the
notification.

 - If I don't do the chown above, /home/joe/.ecryptfs/ gets owned
root:root, and the notification fails. Is that a bug in
ecryptfs-setup-private, or am I just calling it wrongly?

 - I couldn't really test it the full way from the installer, it is much
easier to do this once the package is uploaded and on the daily CDs.
Dustin, can you please test this with the next daily and tell me what
you think?

 - Please fix my bad English in the strings.

I attach the uploaded debdiff.

** Attachment added: "debdiff uploaded to jaunty"
   http://launchpadlibrarian.net/24843065/352307.debdiff

-- 
update-notifier message about recording mount passphrase
https://bugs.launchpad.net/bugs/352307
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Jaunty: Fix Released

Bug description:
Binary package hint: ecryptfs-utils

The ecryptfs-setup-private utility is used to configure a user's encrypted-home or encrypted-private directory.

By default, ecryptfs-setup-private will generate a random 128-bit mount passphrase from /dev/urandom.

If executed on the command line, a message such as the following is displayed to the terminal:

************************************************************************
YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
f436f2db331b520e8879d53d012c363a
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************

Jaunty now supports configuring an encrypted-home directory in the installer itself (with the preseed option user-setup/encrypt-home=true).

When this happens, a random mount passphrase is generated, but the user is not given the opportunity to record this passphrase (it was decided that this would interrupt the install experience).

What we desperately need, then, is for ecryptfs-setup-private to trigger an update-notifier message to be displayed on subsequent boots (until dismissed by the user). This message should convey to the user:

 1) That a strong, random mount passphrase has been generated to encrypt their home directory
 2) That this passphrase should be recorded (written down, printed), and stored in a separate location
 3) That this passphrase would be needed if manual data recovery is ever necessary
 4) How to go about retrieving this passphrase
  $ ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase
  Passphrase: foobar
  f436f2db331b520e8879d53d012c363a

Martin Pitt has offered to help with this.  I hope it can still make Jaunty.


:-Dustin
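
The ownership caveat reported in the message above (a root-owned ~/.ecryptfs that stops the notification from working) can be audited with a short script. This is an added example, not part of the thread or of ecryptfs-utils; the function names and status words are hypothetical, and it assumes GNU `stat` and that each home directory is owned by its user.

```shell
#!/bin/sh
# Added example (not from ecryptfs-utils): find home directories where
# ~/.ecryptfs exists with a wrapped-passphrase but is owned by the wrong uid,
# the condition the thread reports after "sudo ecryptfs-setup-private -u joe".

# check_ecryptfs_owner HOME_DIR EXPECTED_UID  (hypothetical helper)
# Prints one status word: ok | wrong-owner | not-configured
check_ecryptfs_owner() {
    conf_dir="$1/.ecryptfs"
    expected_uid=$2

    # No wrapped-passphrase means there is nothing for the user to record.
    if [ ! -f "$conf_dir/wrapped-passphrase" ]; then
        echo "not-configured"
        return 2
    fi

    # GNU stat: %u prints the numeric owner uid.
    owner_uid=$(stat -c %u "$conf_dir") || return 3
    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "wrong-owner"
        return 1
    fi
    echo "ok"
    return 0
}

# audit_homes BASE_DIR  (hypothetical helper)
# Checks every directory under BASE_DIR (e.g. /home), taking the owner of
# the home directory itself as the expected owner (assumption).
# Prints "<home>: <status>" per configured home; returns 1 if any is wrong.
audit_homes() {
    bad=0
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        home_uid=$(stat -c %u "$home") || continue
        status=$(check_ecryptfs_owner "$home" "$home_uid") || true
        [ "$status" = "not-configured" ] && continue
        echo "$home: $status"
        [ "$status" = "wrong-owner" ] && bad=1
    done
    return "$bad"
}
```

Run `audit_homes /home` as root after provisioning users; a `wrong-owner` line marks a directory that still needs the chown shown in the message.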


