#1 2011-05-16 01:21:55

rsking84
Member
Registered: 2011-05-09
Posts: 17

[solved] Auto-mount of ecryptfs partition on login broken by update?

I'm in the process of migrating from Ubuntu to Arch.  I've set up my installation to mount my Ubuntu home directory to /home/<myuser>/UbuntuDocs/ at login.  The Ubuntu home folder is encrypted, and I had set up the auto-mount according to the "New" Pam_Mount method described in the Wiki.

Up until a few days ago, this was working great.  My understanding is that on login, PAM would read my user password, use it to "unwrap" the encryption keys stored on the Ubuntu home partition, insert them into the keyring, then mount the partition using the signatures provided in /etc/fstab.  Now, it seems that Arch tries to mount the encrypted partition during boot, before I ever get to my login prompt.  It interrupts the boot sequence to ask me how to mount the partition (e.g. passphrase, mount options, etc.).  If I ignore this and log in normally, I can't mount the directory until I manually use

ecryptfs-add-passphrase --fnek

to insert the appropriate key into the keyring.  Then I can mount easily using the mount -i command.

I'm confused by a couple of things.  First, why is Arch now trying to mount the partition before login, and why WASN'T it before?  Second, even with the failed mount during boot, why isn't pam_mount still unwrapping my passphrase and adding it to the keyring?

My /etc/fstab entry looks like this:

# Mount Ubuntu home dir
/dev/sdb6    /media/UbuntuHome    ext4    defaults,user 0 1
#mount encrypted Ubuntu home
/media/UbuntuHome/.ecryptfs/ryan/.Private    /home/ryan/UbuntuDocs    ecryptfs rw,user,ecryptfs_sig=XXXXXXXXXX,ecryptfs_fnek_sig=XXXXXXXXXXX,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0

/etc/pam.d/gdm and /etc/pam.d/login are set up according to the Wiki.

Is it possible that the recent init scripts update broke something here?   Thanks in advance for your help!

Last edited by rsking84 (2011-05-22 18:53:02)


#2 2011-05-16 01:37:50

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834

Re: [solved] Auto-mount of ecryptfs partition on login broken by update?

Add noauto to mount options of eCryptfs mount.

For pam_mount bugs I can't offer you anything. There are far simpler and more reliable methods to auto-mount. See Advanced


You need to install an RTFM interface.


#3 2011-05-16 01:50:24

rsking84
Member
Registered: 2011-05-09
Posts: 17

Re: [solved] Auto-mount of ecryptfs partition on login broken by update?

Hi anrxc,

Thanks for replying.  I tried the "noauto" option.  It keeps the mount from interrupting boot, but I still have to manually insert the encryption key and mount the directory after I log in.

I'm a bit confused by your suggestion - the "Advanced" link points right to the pam_mount method that I have set up.  There's also the link to your article that outlines how to do it with init scripts, but I already have the pam_mount (new method) set up and it WAS working just fine.   

I'm not out to reinvent the wheel (yet), only to understand what broke it.


#4 2011-05-17 00:57:39

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 834

Re: [solved] Auto-mount of ecryptfs partition on login broken by update?

Yeah, and I didn't write that pam_mount section, can't vouch for it or help with pam_mount bugs. I was referring to the shell init (!= init).

Last edited by anrxc (2011-05-17 00:58:35)


You need to install an RTFM interface.


#5 2011-05-22 18:51:52

rsking84
Member
Registered: 2011-05-09
Posts: 17

Re: [solved] Auto-mount of ecryptfs partition on login broken by update?

I managed to fix it, though still don't understand what broke in the first place.

Step 1: the file ~/.ecryptfs/auto-mount had been deleted somehow.  This must be present in order for pam_mount to unwrap the passphrase and add it to the keyring.  Fixed by executing:

touch ~/.ecryptfs/auto-mount

Step 2: Once the passphrase is inserted, the directory can be mounted with the mount -i command since all the necessary options are already specified in /etc/fstab.  I had to add the following to /etc/profile

mount -i /media/UbuntuHome/.ecryptfs/ryan/.Private

Previously the directory was mounting automatically after login; it seems like something altered how /etc/fstab is processed so that it tries to mount before login (and fails).  Hence the need to explicitly add the mount command.

Last edited by rsking84 (2011-05-22 19:15:17)
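
A diagnostic sketch for the three conditions this thread turned up (an ecryptfs fstab entry without noauto, fstab signatures absent from the keyring, and a missing auto-mount marker file), added here as an example and not part of any post above. The function names, the placeholder signatures and the sample keyring listing are constructed; the listing is assumed to be text saved from `keyctl list @u`.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Print "<mountpoint> <auto|noauto>" for every ecryptfs entry in an fstab file.
# "auto" means the entry is attempted at boot, before any key is in the keyring.
ecryptfs_boot_mounts() {
    awk '$1 !~ /^#/ && $3 == "ecryptfs" {
        n = split($4, opt, ","); mode = "auto"
        for (i = 1; i <= n; i++) if (opt[i] == "noauto") mode = "noauto"
        print $2, mode
    }' "$1"
}

# Print each ecryptfs_sig / ecryptfs_fnek_sig value referenced in the fstab file.
fstab_sigs() {
    awk '$1 !~ /^#/ && $3 == "ecryptfs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^ecryptfs_(fnek_)?sig=/) { sub(/^[^=]*=/, "", opt[i]); print opt[i] }
    }' "$1" | sort -u
}

# Print the fstab signatures that do not appear in a saved keyring listing.
missing_sigs() {
    for sig in $(fstab_sigs "$1"); do
        grep -qF -- "$sig" "$2" || echo "$sig"
    done
}

# Report whether the marker file from Step 1 exists under a home directory.
auto_mount_marker() {
    [ -e "$1/.ecryptfs/auto-mount" ] && echo present || echo missing
}

# --- constructed sample input (placeholder signatures, not from the thread) ---
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
/dev/sdb6 /media/UbuntuHome ext4 defaults,user 0 1
/media/UbuntuHome/.ecryptfs/ryan/.Private /home/ryan/UbuntuDocs ecryptfs rw,user,ecryptfs_sig=aaaa1111bbbb2222,ecryptfs_fnek_sig=cccc3333dddd4444,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
EOF
printf '1 key in keyring:\n 1234: --alswrv 1000 1000 user: aaaa1111bbbb2222\n' > "$demo/keys"

ecryptfs_boot_mounts "$demo/fstab"
missing_sigs "$demo/fstab" "$demo/keys"
auto_mount_marker "$demo"
```

On a real system, point the functions at /etc/fstab, a file holding the output of `keyctl list @u`, and "$HOME".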
