
#1 2022-05-23 14:59:05

bbzzss
Member
Registered: 2022-01-01
Posts: 1

unlocking fscrypt encrypted systemd-homed homedir from another Arch OS

Hi Arch forum, is anyone able to help with an issue with systemd-homed? My OS install (Arch) no longer boots, I have a user that's managed by systemd-homed with a home area encrypted using fscrypt, and I'm attempting to unlock the home area on another OS install (also Arch) to recover the user data. So far I have tried using systemd-nspawn to launch into the hard drive containing the botched OS and home area. The exact command I used was

systemd-nspawn -b -D /mnt/os --bind=/mnt/os/home:/home

after booting and logging into the container, `homectl` correctly lists the user, but `homectl authenticate $USERNAME` fails with the following message:

May 23 16:14:00 hayabusa systemd-homed[57]: bzs: changing state inactive → activating-for-acquire
May 23 16:14:00 hayabusa systemd-homework[129]: Provided password unlocks user record.
May 23 16:14:00 hayabusa systemd-homework[129]: Failed to install master key in keyring: Operation not permitted
May 23 16:14:00 hayabusa systemd-homework[129]: Failed to drop caches, ignoring: Read-only file system
May 23 16:14:00 hayabusa systemd-homed[57]: Activation failed: Operation not permitted
May 23 16:14:00 hayabusa systemd-homed[57]: bzs: changing state activating-for-acquire → inactive
May 23 16:14:00 hayabusa systemd-homed[57]: Got notification that all sessions of user bzs ended, deactivating automatically

I'm sure that the password I provided was correct and unlocks the user record. Seeing that it might be a failure to add a key to the keyring, I later tried again with

systemd-nspawn -b -D /mnt/os --bind=/mnt/os/home:/home --system-call-filter=add_key,keyctl,keyrings,keyutils --capability=CAP_SYS_ADMIN

But got the same failures in journalctl logs.

At this point I'm not sure what to try next. Is there any hope at recovering my data locked away in fscrypt?

Last edited by bbzzss (2022-05-23 15:02:52)


#2 2022-05-24 22:52:55

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: unlocking fscrypt encrypted systemd-homed homedir from another Arch OS

Have a look at:

man systemd.homed wrote:

In order to migrate a home directory from a host "foobar" to another host "quux" it is hence sufficient to
copy /var/lib/systemd/home/local.public from the host "foobar" to "quux", maybe calling the file on the
destination /var/lib/systemd/home/foobar.public, reflecting the origin of the key. If the user record
should be modifiable on "quux" the pair /var/lib/systemd/home/local.public and
/var/lib/systemd/home/local.private need to be copied from "foobar" to "quux", and placed under the
identical paths there, as currently only a single private key is supported per host. Note of course that
the latter means that user records generated/signed before the key pair is copied in, lose their validity.

If you're lucky, you can recover the --identity file to pass to homectl.
But then again there is: https://github.com/systemd/systemd/issues/17688
So, I'm not sure.
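The man page excerpt above describes staging the old host's public key on the recovery host so that the signed user record can be validated there. The shell functions below are an added illustration of that step, not code from the thread or from the systemd project: they assume the broken install is mounted at a root you pass in, that its key sits at the path the man page quotes, and that homed keeps per-user records as `<user>.identity` next to it (an assumption; verify against your own install). The copy refuses to overwrite a key the recovery host already trusts, which is the check you want before pointing `homectl --identity=` at a recovered record.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): stage the public key of
# an offline homed install on a recovery host, following the migration steps
# from man systemd.homed.
#
#   homed_stage_pubkey <offline-root> <dest-dir> <origin-hostname>
#     copies <offline-root>/var/lib/systemd/home/local.public
#     to     <dest-dir>/<origin-hostname>.public   (dest-dir is normally
#            /var/lib/systemd/home on the recovery host)
#
#   homed_list_records <offline-root>
#     lists user records found beside the key (assumed layout:
#     <offline-root>/var/lib/systemd/home/<user>.identity)

homed_stage_pubkey() {
    src_root=$1
    dest_dir=$2
    origin=$3
    src_key="$src_root/var/lib/systemd/home/local.public"
    dest_key="$dest_dir/$origin.public"

    # The key must exist (and be non-empty) on the broken install; without it
    # the recovery host cannot check the signature on the user record.
    if [ ! -s "$src_key" ]; then
        echo "no local.public under $src_root" >&2
        return 1
    fi
    # Never clobber a key the recovery host already trusts.
    if [ -e "$dest_key" ]; then
        echo "$dest_key already exists, refusing to overwrite" >&2
        return 2
    fi
    mkdir -p "$dest_dir" &&
    cp "$src_key" "$dest_key" &&
    chmod 0644 "$dest_key" &&
    echo "$dest_key"
}

homed_list_records() {
    for f in "$1"/var/lib/systemd/home/*.identity; do
        # Unmatched globs stay literal in POSIX sh; skip them.
        [ -e "$f" ] || continue
        basename "$f" .identity
    done
}

# Stand-alone use: ./stage.sh /mnt/os /var/lib/systemd/home oldhost
if [ "$#" -eq 3 ]; then
    homed_stage_pubkey "$@"
fi
```

After staging the key, the user record can be checked on the recovery host before attempting activation; whether activation then succeeds for fscrypt storage is a separate question (see the linked issue).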
