Unable to encrypt using login passphrase #130

Closed
mike-loremipsumdolorsitamet opened this issue Jun 16, 2019 · 4 comments

@mike-loremipsumdolorsitamet

Hello,

I have set up fscrypt on a fresh Arch Linux install per README.md and #77.

When I issue the fscrypt encrypt command on a new empty directory and select option 2 (custom passphrase), everything seems to work as it should. When I want to use my login password to encrypt the directory, I get the following output:

```
[mike@rabbit ~]$ ls
Desktop
[mike@rabbit ~]$ mkdir test
[mike@rabbit ~]$ sudo su
[sudo] password for mike:
[root@rabbit mike]# fscrypt encrypt /home/mike/test/ --verbose --user=mike 
2019/06/16 23:55:16 Setting ruid=1000 euid=1000 suid=0
2019/06/16 23:55:16 keyringID(_uid.1000) = 444634196, <nil>
2019/06/16 23:55:16 KeyctlLink(444634196, -2) = <nil>
2019/06/16 23:55:16 Setting ruid=0 euid=0 suid=0
2019/06/16 23:55:16 keyringID(_uid.0) = 327353481, <nil>
2019/06/16 23:55:16 KeyctlLink(327353481, -2) = <nil>
2019/06/16 23:55:16 KeyctlLink(444634196, 327353481) = <nil>
2019/06/16 23:55:16 Reading config from "/etc/fscrypt.conf"
2019/06/16 23:55:16 creating context for "mike"
2019/06/16 23:55:16 /home/mike/test/ is on ext4 filesystem "/" (/dev/sda1)
2019/06/16 23:55:16 ensuring /home/mike/test/ is an empty and readable directory
2019/06/16 23:55:16 ensuring /home/mike/test/ supports encryption and filesystem is using fscrypt
2019/06/16 23:55:16 creating policy for "/home/mike/test/"
2019/06/16 23:55:16 listing descriptors in "/.fscrypt/protectors"
2019/06/16 23:55:16 found 1 descriptor(s)
2019/06/16 23:55:16 successfully read metadata from "/.fscrypt/protectors/735b13cb412c9c3e"
Should we create a new protector? [y/N] y
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
2019/06/16 23:55:23 using source: pam_passphrase
2019/06/16 23:55:23 using name: 
2019/06/16 23:55:23 listing descriptors in "/.fscrypt/protectors"
2019/06/16 23:55:23 found 1 descriptor(s)
2019/06/16 23:55:23 successfully read metadata from "/.fscrypt/protectors/735b13cb412c9c3e"
2019/06/16 23:55:23 KeyFunc(login protector for mike, false)
Enter login passphrase for mike: 
2019/06/16 23:55:27 Checking login token for mike
fscrypt encrypt: incorrect login passphrase
```

Could you please help me debug the issue?

@ebiggers

I believe I ran into the same issue. The problem was that the file /etc/pam.d/fscrypt was missing, so fscrypt didn't have permission to check the user's login passphrase when creating a login protector.

I've just updated the fscrypt-git AUR package to include this file (link), so it works now.

@josephlr, do you know if any other Linux distributions need this? If so, maybe the file should be upstream.

@ebiggers

Closing since this is fixed in the Arch Linux package now, and PAM configuration in general is distro-specific. If this is encountered on another Linux distro too, please file a new issue.

ebiggers added the bug label Nov 28, 2019
@ebiggers

This bug was reintroduced recently when fscrypt was made an official Arch Linux package. Reported to the Arch Linux developers at https://bugs.archlinux.org/task/65553?project=5

@ebiggers

Now fixed again, in version 0.2.6-2 of the fscrypt Arch Linux package.
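
As an added illustration of the cause identified in this thread (not part of the original issue and not fscrypt's or the Arch package's code): a check for whether a PAM service file exists for fscrypt and, when it does not, whether the `other` service that Linux-PAM falls back to denies authentication. The function names, status strings and sample file contents are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: not fscrypt's or the Arch package's code.

# True if FILE has at least one auth rule (or a Debian-style @include,
# which may pull auth rules in from another file).
has_auth_rules() {
    awk '$1 ~ /^-?auth$/ || $1 == "@include" { found = 1 } END { exit !found }' "$1"
}

# True if FILE's auth stack references pam_deny.so.
auth_denies() {
    awk '$1 ~ /^-?auth$/ && /pam_deny\.so/ { found = 1 } END { exit !found }' "$1"
}

# pam_service_status PAM_DIR SERVICE
# Prints which policy would handle an auth request for SERVICE.
pam_service_status() {
    local dir=$1 svc=$2
    if [ -f "$dir/$svc" ]; then
        if has_auth_rules "$dir/$svc"; then echo "configured"
        else echo "present-without-auth-rules"; fi
    elif [ ! -f "$dir/other" ]; then
        echo "missing-no-fallback"
    elif auth_denies "$dir/other"; then
        # Linux-PAM uses the "other" service when SERVICE has no file.
        echo "missing-fallback-denies"
    else
        echo "missing-fallback-other"
    fi
}

# Constructed sample directory so the check can run without touching /etc.
make_sample_pam_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' \
        'auth     required pam_deny.so' \
        'account  required pam_deny.so' > "$d/other"
    echo "$d"
}

sample=$(make_sample_pam_dir)
echo "sample, no fscrypt file: $(pam_service_status "$sample" fscrypt)"
printf 'auth required pam_unix.so\n' > "$sample/fscrypt"   # constructed contents
echo "sample, file added:      $(pam_service_status "$sample" fscrypt)"
rm -rf "$sample"
echo "this host:               $(pam_service_status /etc/pam.d fscrypt)"
```

A result of `missing-fallback-denies` on a real host matches the situation described above, where the absent `/etc/pam.d/fscrypt` left fscrypt unable to check the login passphrase.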
