ecryptfs team mailing list archive

Thread
Date

[Bug 425040] Re: ecryptfs PAM module causes slow authentication

To: ecryptfs@xxxxxxxxxxxxxxxxxxx
From: Runar Ingebrigtsen <runar@xxxxxx>
Date: Sun, 06 Sep 2009 11:14:32 -0000
Reply-to: Bug 425040 <425040@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I tried to remove the ecryptfs-utils package but that resulted in the
pam_ecryptfs module being reenabled in my common_auth. Then I removed
the libecryptfs0 package and the pam_ecryptfs module got disabled.

Also, I never opted in for any home directory encryption, and I never
asked for the package. Exactly where is it I would have the option to
choose home dir encryption, as you say?

-- 
ecryptfs PAM module causes slow authentication
https://bugs.launchpad.net/bugs/425040
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.

Status in “ecryptfs-utils” package in Ubuntu: New

Bug description:
The following line in /etc/pam.d/common-auth causes heavy delay in system authentication:
auth	optional	pam_ecryptfs.so unwrap

This default PAM module in Ubuntu causes slow logon times and a very annoying delay in the unlock process of gnome-screensaver. The difference in terms of user experience between keeping this module and disabling this module is huge, especially compared to Windows 7 and OS X screensaver unlock.

I recorded the following average times when debugging the unlock delay:
VT1 bash LOGIN times:
Default: ~ 2.8 seconds
No ecryptfs: ~ 1.1 seconds

gnome-screensaver unlock times:
Default: ~ 2.3 seconds 
Ecryptfs, no gnome-keyring: ~ 2.0 seconds
No ecryptfs: ~ 0.7 seconds
Keyring, no ecrypt: ~ 0.7 seconds

In other words: By disabling ecryptfs in PAM common_auth I went from experiencing a "hang" in the gnome-screensaver unlock screen, with the password field greyed out, to an immediate desktop appearance after typing the password. Furthermore, at the same time I saw a significant reduction of login delay at the terminal. I didn't bother timing the GDM login times, as they're sure to be faster as well.

My simple request is herefore that the pam_ecryptfs module is henceforth disabled from the default Ubuntu configuration, based on this upgrade of the overall user experience in a significant area - the reactivation of the desktop after suspend, hibernate and general AFK. As per the usefulness of this module, I can't imagine the average user will miss the option to encrypt folders.

For advanced users, there need to be a different way to let them encrypt folders than putting this big hurdle in the face of regular users.

And no, this is not the same problem as #105101 - as my disabling the pam_ecryptfs line in common_auth doesn't seem to affect the speed at which the password dialog in gnome-screensaver appears.

Thanks.