You are not logged in.

#1 2024-03-03 18:55:24

mcw
Member
Registered: 2023-09-15
Posts: 14

Question on fscrypt configuration

[I hope this is the correct section!]

I have been encrypting my home directory with eCryptfs for a long time now, and it's time to change (this package, I believe, is no longer under active development).

I've examined my options, and fscrypt seem to be the best replacement choice.  However, the Wiki article says the following:

To unlock login passphrase-protected directories automatically at login, and to keep login passphrase-protected directories in sync with changes to the login passphrase, adjust the system PAM configuration to enable pam_fscrypt...

Now the first part of that -- unlocking at login -- sound great. My current setup has me switching to another screen (crtr+alt+[N]), logging in, mounting the directory by hand, and then stopping my user slice via systemd so that my user units will start when I log into the DM.  This is workable, but it's a bit of a pain, so having the unlocking happening automagically sounds nice.

The second part, however, does not sound nice. Having the encryption passphrase update with the password updates seems like a pretty big security hole. If someone were to steal the computer the thief could login via a thumb drive, chroot to /, and then change the login password, thus gaining access to all of my data (if I'm reading that part right).  I would much prefer to have that second part not happen. After all, I'm not protecting myself from a nation state -- the main "use case" I have is protecting my data should my laptop be stolen.

Is this possible? Are the two functions -- auto unlocking at login and synchronizing the passphrase to the password -- tied together, or is it possible, via configuration,  to do the the first part only?  I've poked around on the fscrypt pages I've found on the internet, and I haven't come up with any useful data.

If anyone can offer any insight I'd b most appreciative!

Offline

#2 2024-03-06 04:44:15

Synchronicity
Member
Registered: 2020-01-23
Posts: 3

Re: Question on fscrypt configuration

> If someone were to steal the computer the thief could login via a thumb drive, chroot to /, and then change the login password, thus gaining access to all of my data

They can change your login passphrase but not the passphrase used by your fscrypt login protector.  This is one of the cases where they get out of sync.  pam_fscrypt only keeps them in sync in cases where it's actually possible, i.e. when the old passphrase was provided when changing the passphrase.

Offline

#3 2024-03-09 13:04:14

mcw
Member
Registered: 2023-09-15
Posts: 14

Re: Question on fscrypt configuration

Thank you for the input!

It seems then that fscrypt will be a good choice.

Offline

Board footer

Powered by FluxBB