#870126 ecryptfs-mount-private: mount: No such file or directory

Package:
ecryptfs-utils
Source:
ecryptfs-utils
Description:
ecryptfs cryptographic filesystem (utilities)
Submitter:
Craig Small
Date:
2021-11-02 13:45:03 UTC
Severity:
important
#870126#5
Date:
2017-07-29 21:57:01 UTC
From:
To:
I have setup the standard home ~/Private directory. It looks like it is
confused about which key to use.

For the last few months or so, I get this (key IDs changed but consistent
in report):

$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
mount: No such file or directory

The kernel reports:
Jul 30 07:43:31 elmo kernel: [225198.624579] Could not find key with description: [bbbbbbbbbbbbbbbb]

And plenty of other messages, all about the second key with ID bbbbbbbbbbbbbbbb

These are the two keys:
$   keyctl list @u
2 keys in keyring:
270246897: --alswrv  1000  1000 user: bbbbbbbbbbbbbbbb
996876983: --alswrv  1000  1000 user: aaaaaaaaaaaaaaaa

The work-around. Is given below.
Note that I overrode the fnek signature on the command line.

$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase
Passphrase: (enter your usual passphrase)
PPPPPPPPPPPPPPPP
(write down this unwrapped passphrase)

$ sudo ecryptfs-add-passphrase --fnek
Passphrase: (enter the PPPPPPPPPPPPPPPP)
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring
udo mount -t ecryptfs /home/username/.Private/ /home/username/Private/
Select key type to use for newly created files:
 1) passphrase
 2) tspi
Selection: 1
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [aaaaaaaaaaaaaaaa]: bbbbbbbbbbbbbbbb
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=aaaaaaaaaaaaaaaa
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [aaaaaaaaaaaaaaaa] to [/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

#870126#10
Date:
2017-08-01 10:37:49 UTC
From:
To:
Hello,

1. The problem is the user keyring not being linked
to the session keyring.   keyctl link @u @s   is a much easier workaround.

2. For me this happens only in gnome sessions (not console or ssh)
Is this the same for you?

(see also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870335 )

Cheers,
Itaï.

#870126#15
Date:
2019-01-03 17:13:34 UTC
From:
To:
I've got the same issue but this workaround didn't solve the issue.
(testing, package version 111-4 as this report)

The longer solution is a bit tricky to use, since the whole homedir is
encrypted and I am already logged in. Could I perhaps disable ecryptfs
and redo it from start? Got backups and all, not an issue.

I haven't seen that when running a graphical desktop (xfce, in my case)
or via ssh, only in console. Also, if I am already logged in, regardless
of the terminal, it won't happen but I assume this is to be expected.


Andrea.

#870126#20
Date:
2019-09-02 07:02:52 UTC
From:
To:
keyctl link workaround works for me.

I'm using lightdm and slimmed down LXQt session.

What system component should link keyrings by design? DM, session lead, PAM, basic login scripts? I feel that this bug should be redirected accordingly.

#870126#25
Date:
2020-01-09 15:26:18 UTC
From:
To:
So linkage of user and session keyrings is apparently done by pam_keyinit module.

There is a line:

    session    optional   pam_keyinit.so force revoke

in /etc/pam.d/login, but not in /etc/pam.d/lightdm.

#870126#30
Date:
2021-11-02 12:50:33 UTC
From:
To:
Dear Maintainer,

   * What led up to the situation?

I'm trying to mount my Private directory in a script called by .xsession
and .xsession itself is being called by Nodm (or
lightdm-autologin-greeter).

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I created a script that calls mount.ecryptfs_private. It based on
ecryptfs-mount-private where I stripped the interactive passphrase
prompt and replaced it with a environment variable that my scripts
expects to contain the passphrase.

   * What was the outcome of this action?

When I manually login via ssh and run my script, it works. When the
same script is called by .xsession I get:

  mount: no such file or directory

like the OP. Same errors in the kernel log.

You can find full details in my debian-user mailing list post:

https://lists.debian.org/debian-user/2021/11/msg00002.html

#870126#35
Date:
2021-11-02 13:41:22 UTC
From:
To:
Worked around by adding

   session    optional   pam_keyinit.so force revoke

to /etc/pam.d/nodm and rebooting the system.