ecryptfs team mailing list archive
Message #00901
[Bug 352307] Re: update-notifier message about recording mount passphrase
This bug was fixed in the package ecryptfs-utils - 73-0ubuntu5
---------------
ecryptfs-utils (73-0ubuntu5) jaunty; urgency=low

  Reworked the fixes for LP: #352307 (Upstream Committed revision 373)
  * debian/local/ecryptfs-remind-passphrase: run if
    ~/.ecryptfs/.wrapped-passphrase.recorded does NOT exist; touch that
    file upon successful run of unwrap passphrase
  * debian/patches/00list,
    debian/patches/update-notifier-remind-passphrase.dpatch: dropped, since
    this was moved into PAM

 -- Dustin Kirkland <kirkland@xxxxxxxxxx>  Tue, 07 Apr 2009 14:18:24 -0700
** Changed in: ecryptfs-utils (Ubuntu Jaunty)
Status: In Progress => Fix Released
--
update-notifier message about recording mount passphrase
https://bugs.launchpad.net/bugs/352307
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in “ecryptfs-utils” source package in Ubuntu: Fix Released
Status in ecryptfs-utils in Ubuntu Jaunty: Fix Released
Bug description:
Binary package hint: ecryptfs-utils
The ecryptfs-setup-private utility is used to configure a user's encrypted-home or encrypted-private directory.
By default, ecryptfs-setup-private will generate a random 128-bit mount passphrase from /dev/urandom.
If executed on the command line, a message such as the following is displayed to the terminal:
************************************************************************
YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
f436f2db331b520e8879d53d012c363a
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Jaunty now supports configuring an encrypted-home directory in the installer itself (with the preseed option user-setup/encrypt-home=true).
When this happens, a random mount passphrase is generated, but the user is not given the opportunity to record this passphrase (it was decided that this would interrupt the install experience).
What we desperately need, then, is for ecryptfs-setup-private to trigger an update-notifier message to be displayed on subsequent boots (until dismissed by the user). This message should convey to the user:
1) That a strong, random mount passphrase has been generated to encrypt their home directory
2) That this passphrase should be recorded (written down, printed), and stored in a separate location
3) That this passphrase would be needed if manual data recovery is ever necessary
4) How to go about retrieving this passphrase
$ ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase
Passphrase: foobar
f436f2db331b520e8879d53d012c363a
Martin Pitt has offered to help with this. I hope it can still make Jaunty.
:-Dustin
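
The marker-file logic from the changelog above, as an added shell sketch (not the ecryptfs-utils script itself): the reminder stays pending until an unwrap run succeeds, so a mistyped login passphrase does not silence it. The function names, the ECRYPTFS_DIR and UNWRAP_CMD overrides, and the check that wrapped-passphrase exists are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not the packaged ecryptfs-remind-passphrase script.
# ECRYPTFS_DIR and UNWRAP_CMD are hypothetical overrides so the logic can be
# exercised without a real eCryptfs setup.
ECRYPTFS_DIR="${ECRYPTFS_DIR:-$HOME/.ecryptfs}"
UNWRAP_CMD="${UNWRAP_CMD:-ecryptfs-unwrap-passphrase}"

# Exit 0 when the user still has to be reminded to record the mount passphrase.
needs_reminder() {
    # Assumption: with no wrapped passphrase there is nothing to record.
    [ -f "$ECRYPTFS_DIR/wrapped-passphrase" ] || return 1
    # Marker path as named in the changelog entry.
    [ ! -e "$ECRYPTFS_DIR/.wrapped-passphrase.recorded" ]
}

# Run the unwrap step; create the marker only if it succeeded.
record_passphrase() {
    needs_reminder || return 0
    # The unwrap tool prompts for the login passphrase and prints the mount
    # passphrase itself; this function never captures or stores that value.
    "$UNWRAP_CMD" "$ECRYPTFS_DIR/wrapped-passphrase" || return 1
    # Owner-only marker; it holds no secret, it only records that the
    # passphrase was shown to the user.
    ( umask 077; : > "$ECRYPTFS_DIR/.wrapped-passphrase.recorded" )
}
```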