Hagen Fürstenau | 28 May 2011 13:40

Unable to mount with "-o xattr"

Hi,

I'd like to mount an ecryptfs file system with the "-o xattr" option
(assuming that it would improve performance of stat calls).

I've mounted the underlying ext4 file system with "user_xattr" and made
sure that setting xattrs with "setfattr" works as it should. But after
mounting with "mount -t ecryptfs -o xattr", the feature doesn't seem to
work: files are still at least 12K big, "mount" doesn't show "xattr"
among the options of the ecryptfs mount, and "getfattr" on the
underlying files doesn't show anything.

Any ideas where to look for the problem? There isn't anything about
ecryptfs in syslog, except for

mount.ecryptfs: Error initializing key module
[/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]"

which seems to be unrelated.

# uname -a
Linux neko 2.6.32-5-amd64 #1 SMP Wed May 18 23:13:22 UTC 2011 x86_64
GNU/Linux

Cheers,
Hagen

Tyler Hicks | 25 May 2011 17:32

New eCryptfs mailing list

Both of the eCryptfs mailing lists (ecryptfs-devel and ecryptfs-users)
are moving. They will be consolidated into a single mailing list that is
hosted on vger.kernel.org. You can find information about the new list
here:

http://vger.kernel.org/vger-lists.html#ecryptfs

We will keep the old mailing lists running for about a week and then
they will be shut down.

The reason for the switch is due to launchpad's list policy of requiring
mail to be from launchpad members. The eCryptfs development community
continues to grow and keeping the list open to non-launchpad members is
needed to foster that growth.

Please take a moment to subscribe to the new mailing list.

Tyler

Dustin Kirkland | 10 May 2011 00:32

Re: A desperate post

If you accurately recorded your mount passphrase, you should be able
to follow the instructions at:
 * http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html
and recover your data.

Dustin

Xander Pirdy | 9 May 2011 23:25

A desperate post

Hello, please let me know if this is posted in the wrong place and, if
so, where I should post to get useful information:

I was trying to mount my encrypted home directory from a livecd in
order to back up my data (according to the instructions at
https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709)
, when I accidentally deleted what I thought was one of the .ecryptfs
folders in my encrypted home. Since I performed the "move to trash" in
nautilus I thought that it would be in the trash and I could just
restore it. No such luck. So now I am pretty much freaking out. I have
the password, it looks like all the files are still in .Private but
when I boot my system and logon all that is in my home folder are:
Access-Your-Private-Data.desktop README.txt .Private .cache .gnome2
and a new folder that starts with
ECRYPTFS_FNEK_ENCRYPTED.<longstringofrandomdigitsandletters>--.

In other words I have no idea how to get the data out of my home
folder now. Is it even possible? All the files are still there in
.Private but I can't even read their names as they too are encrypted.
I really don't care if I can never successfully log on again as long
as there is some, however tedious way to recover the individual files.

I do still seem to have the .ecryptfs folder in ../ one that has my
main folder in it, which in turn has another .ecryptfs directory that
contains auto-mount, auto-umount Private.sig Private.mnt and
wrapped-passphrase. Which is what I was using to follow the
instructions from that bugpost shown earlier.

I am sorry for the long post and desperation, but this is years of
work lost because of one stupid misclick, and desperately hope to
(Continue reading)

Fredrik Thulin | 15 Mar 2011 08:57

hardware token

Hi

[repost after properly registering e-mail address]

I'm sending this message to see if there is any interest in
collaboration regarding development of multi-factor protection of user
data.

I'm currently experimenting with using YubiKey USB tokens with
HMAC-SHA1 challenge-response to unlock my encrypted home directory
(disclaimer: I work for Yubico).

I'm glad to report that I've got a proof of concept working. We have a
PAM module for doing OTP validated logins that has recently been
extended to also support offline authentication using the
challenge-response mode available since YubiKey 2.2.

Today, I made that PAM module store an authentication token (currently
the result of a static challenge) upon successful validation which
meant that pam_ecryptfs would not get my login password from PAM
anymore, but rather get the result of the challenge-response.

After that, it was simply a matter of rewrapping my ecryptfs
passphrase to get it protected by something I have (my YubiKey) plus
something I know (my password, part of the challenge) and voila, two
factor authenticated eCryptfs!

This is a list of things I see that would benefit from discussion:

* Is it a sufficiently good design to base the passphrase passing on
(Continue reading)

John Magolske | 14 Feb 2011 03:32

Remote encrypted backups with ecryptfs, rsync, rdiff-backup & ssh?

Hi,

I'd like to create encrypted backups onto a remote server in such a
way that the remote server never sees anything unencrypted. The idea
would be to sync my home directory onto a local drive (using rsync or
rdiff-backup) into a directory that gets encrypted by ecryptfs, then
rsync that encrypted directory up to a remote server via ssh:

(A) Simple mirror:

  % sudo mount -t ecryptfs /drive/encrypt /drive/decrypt
  % rsync -av --delete /home/john /drive/decrypt
  % sudo umount -i /drive/decrypt
  % rsync -av --delete -e ssh /drive/encrypt user@xxx.xxx.xx.xxx:/backup

(B) Mirror with increments using rdiff-backup:

  % sudo mount -t ecryptfs /drive/encrypt /drive/decrypt
  % rdiff-backup /home/john /drive/decrypt
  % sudo umount -i /drive/decrypt
  % rsync -av --delete -e ssh /drive/encrypt user@xxx.xxx.xx.xxx:/backup

(C) Use sshfs to mount the remote encrypted backup & decrypt it locally:

  % sshfs user@xxx.xxx.xx.xxx:backup /remote-encrypt
  % sudo mount -t ecryptfs /remote-encrypt /remote-decrypt
  % cd /remote-decrypt

How well would any of these scenarios work with ecryptfs?
Would enabling filename encryption be a viable option?
(Continue reading)

Arkadiusz Miskiewicz | 6 Feb 2011 00:27

pam_keyinit question (trying to setup encryption for $HOME)


Hi,

I'm trying to set up a configuration with the user's $HOME encrypted. Using
2.6.37 kernel and ecryptfs-utils 85.

$HOME was migrated using ecryptfs-migrate-home.

First problem is "Error attempting to add filename encryption key to user 
session keyring; rc = [1]". 

From looking into code:
A) ecryptfs_insert_wrapped_passphrase_into_keyring() calls
B) ecryptfs_add_passphrase_key_to_keyring().

If B) returns non-zero then it is treated as an error, but "1" means the key
already exists. Doesn't this mean that 1 should also be treated as "ok"?

I'm using pam_keyinit.so which adds/revokes keys at start/end of session and I 
guess this causes error "1".

If I drop pam_keyinit, setup everything ecryptfs related then everything works 
fine (even if I set pam_keyinit back in pam configs).

[root@bigarm ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth            required        pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
auth            include         system-auth
account         required        pam_shells.so
(Continue reading)

kapetr | 4 Feb 2011 19:29

(un)security of eCryptfs ?

Hello,

I'm new to using eCryptfs, but the first test does not let me
sleep.

I'm using Ubuntu 10.10 - standard installation.

Let's see my steps:

1. I mount (as root or with sudo) my first eCryptfs in user1 subdirs
with passwd1.
2. the key is ONLY in keyring @u of root, NOT by user1 - but:

user1 can create and read files in that FS (file system) root can
the same.

?? How can user1 work with files in this FS even if user1 has no key
in his keyring ?!!!

3. root clears his keyring with keyctl clear @u, but the FS is
usable further ??!!

4. root unmounts this FS and mounts it again with another password
passwd2

5. user1 can not see content of previous files (but can see
names/size in "ls") and can create new files - AGAIN WITHOUT key

5. user1 adds passwd1 with ecryptfs-manager - so passwd2-key is in
@keyring of root and passwd1-key is in keyring of user1
(Continue reading)

Jason Robo | 19 Jan 2010 09:21

Fw: Re:Recovering Files From eCryptfs Encrypted Home

I decided to reinstall Ubuntu Studio with an encrypted home folder and I couldn't get back to my data. I know my password and I don't know what to do, since I can't tell whether the source or the destination folder is the problem. That might be all the help I need. I'm trying to do this with a 9.10 live install CD. The size of the partition is 136gb, the size of the content in the home folder is 87gb.

First, I tried the command "ecryptfs-mount-private" and received in return "ERROR: Encrypted private directory is not setup properly." I tried "login robo" and I'm quite certain what my password was before, it tells me "login incorrect."

I tried this technique also found at:

http://www.kaijanmaki.net/blog/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/

but got this message:

Not adding sig to user sig cache file; continuing with mount.

Error mounting eCryptfs: [-2] No such file or directory

Check your system logs; visit <http://launchpad.net/ecryptfs>


I have no clue what to do or how to tell if the source and destination folder are accurate. What type of system log checks can I do, I'm rather newbish and would greatly appreciate a hand here. I've verified that the OldHome and OldPrivate exist. What else can I do? Should I break up my 20gb partition for my OS and install 9.10 with a home folder so I can reboot as was potentially necessary in the link above?

Thanks,

Jason Robo

"Revolution is a serious thing, the most serious thing about a revolutionary's life. When one commits oneself to the struggle, it must be for a lifetime."
Angela Davis



Alberto Bertogli | 6 Nov 2009 23:07

Strange getcwd() behaviour


Hi!

A friend is having a very strange bug that I think (I'm not sure) might be
ecryptfs related. She has Ubuntu 9.10 (installed 9.04, then upgraded) and uses
ecryptfs to encrypt her home directory (using the standard Ubuntu setup).

Sometimes (no idea when or why) the following happens: using GNU screen, you
open a new shell (ctrl-a c) bash prompt says it's in '/'; pwd says it's in
'/'.

ls shows the contents of her home directory. You can do cat <file in her home
directory> and it works; doing cat <file in /> does not work.

I've done a couple of straces and the behaviour is consistent with the current
directory being her home, but getcwd() returning '/'.  I verified this also
using Python's os module, just in case it was a tool issue.

I can also cd <dir inside her home> and pwd shows '/<dir inside her home>',
with the same behaviour as before. While I'm in there, I get the same
behaviour as before (cat works, open works, etc., but getcwd() returns the
wrong directory). However, if I do 'cd /<dir in her home>' I get ENOENT.

The problem goes away if I do 'cd' or 'cd /<her home dir>'

From what I can see, it looks like getcwd() is using '/' instead of $HOME.

At the moment I can reproduce this at will by creating new shells inside an
existing screen. It does not happen in new terminals. She said this has
happened before, but has no idea when or why (although it happened also in
9.04). I'm not sure if after she reboots or closes this screen it will be so
easy to reproduce (it looks like the shells are inheriting this behaviour from
the screen process).

If you need any further information (or want me to test anything), please let
me know.

Thanks a lot,
		Alberto

PS (just in case it's not the usual procedure): please CC me on replies, as
I'm not subscribed to the list.
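
A diagnostic for the symptom reported above, as an added example that is not part of the original post: it compares the directory that `getcwd()` reports with the directory `.` actually refers to, by device and inode number. The function names and the `reported` parameter are assumptions made for this illustration.

```python
import os


def same_directory(path_a, path_b):
    """True when both paths resolve to the same directory (device + inode)."""
    a, b = os.stat(path_a), os.stat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def check_cwd(reported=None):
    """Compare the path getcwd() reports with the directory '.' really is.

    `reported` (hypothetical parameter) lets the caller pass the path shown
    by pwd or the shell prompt; by default os.getcwd() is used.
    """
    result = {"reported": None, "consistent": False, "error": None}
    try:
        result["reported"] = reported if reported is not None else os.getcwd()
    except OSError as exc:
        # getcwd() itself can fail, e.g. when the directory was removed.
        result["error"] = "getcwd failed: %s" % exc
        return result
    try:
        # A healthy process sees the same inode through both names.
        result["consistent"] = same_directory(".", result["reported"])
    except OSError as exc:
        # The reported path does not exist (the ENOENT case in the report).
        result["error"] = "stat failed: %s" % exc
    return result


if __name__ == "__main__":
    status = check_cwd()
    print("getcwd() reports:", status["reported"])
    print("matches '.':", status["consistent"])
    if status["error"]:
        print("error:", status["error"])
```

Run inside an affected shell, a `False` result confirms that the kernel's idea of the working directory and the path it reports have diverged, independent of bash or screen.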

eilaf mugbil | 15 Oct 2009 22:40

Which directory in my server should I encrypt ?

Hello;

I want to ask, which directory in my Linux server (for example http server) should I encrypt using ecryptfs?
Can I encrypt /etc?



--
Eilaf Hamad Elnil Mugbil
University Of Khartoum
School Of Mathematical science
