ecryptfs team mailing list archive

[Bug 425040] Re: ecryptfs PAM module causes slow authentication

 

Thank you for taking the time to report this issue and help to improve
Ubuntu.

This is not a default module in Ubuntu, it's only installed if you
install it manually or if you choose home directory encryption in the
installer.  Reassigning to the ecryptfs package for further analysis of
the delays you're seeing.

** Package changed: pam (Ubuntu) => ecryptfs-utils (Ubuntu)

-- 
ecryptfs PAM module causes slow authentication
https://bugs.launchpad.net/bugs/425040
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” package in Ubuntu: New

Bug description:
The following line in /etc/pam.d/common-auth causes heavy delay in system authentication:
auth	optional	pam_ecryptfs.so unwrap

This default PAM module in Ubuntu causes slow logon times and a very annoying delay in the unlock process of gnome-screensaver. The difference in terms of user experience between keeping this module and disabling this module is huge, especially compared to Windows 7 and OS X screensaver unlock.

I recorded the following average times when debugging the unlock delay:
VT1 bash LOGIN times:
Default: ~ 2.8 seconds
No ecryptfs: ~ 1.1 seconds

gnome-screensaver unlock times:
Default: ~ 2.3 seconds 
Ecryptfs, no gnome-keyring: ~ 2.0 seconds
No ecryptfs: ~ 0.7 seconds
Keyring, no ecrypt: ~ 0.7 seconds

In other words: By disabling ecryptfs in PAM common_auth I went from experiencing a "hang" in the gnome-screensaver unlock screen, with the password field greyed out, to an immediate desktop appearance after typing the password. Furthermore, at the same time I saw a significant reduction of login delay at the terminal. I didn't bother timing the GDM login times, as they're sure to be faster as well.

My simple request is therefore that the pam_ecryptfs module is henceforth disabled from the default Ubuntu configuration, based on this upgrade of the overall user experience in a significant area - the reactivation of the desktop after suspend, hibernate and general AFK. As per the usefulness of this module, I can't imagine the average user will miss the option to encrypt folders.

For advanced users, there needs to be a different way to let them encrypt folders than putting this big hurdle in the face of regular users.

And no, this is not the same problem as #105101 - as my disabling the pam_ecryptfs line in common_auth doesn't seem to affect the speed at which the password dialog in gnome-screensaver appears.

Thanks.