Can not change login protector #258

Closed
kamentomov opened this issue Oct 24, 2020 · 5 comments · Fixed by #338
Comments

@kamentomov

Removing login protector fails.

```
➜ fscrypt status /mnt
ext4 filesystem "/mnt" has 2 protectors and 1 policy

PROTECTOR         LINKED   DESCRIPTION
e9c9ed7ea8188b59  Yes (/)  login protector for kamen
eb043cdbd9a92c9d  No       custom protector "transferprot"

POLICY            UNLOCKED  PROTECTORS
1b2353ac3ff97803  Yes       e9c9ed7ea8188b59, eb043cdbd9a92c9d
➜ fscrypt metadata remove-protector-from-policy --protector=/mnt:e9c9ed7ea8188b59 --policy=/mnt:1b2353ac3ff97803 --verbose
2020/10/24 03:56:07 parsed flag: mountpoint="/mnt" descriptor=e9c9ed7ea8188b59
2020/10/24 03:56:07 Reading config from "/etc/fscrypt.conf"
2020/10/24 03:56:07 creating context for "kamen"
2020/10/24 03:56:07 mnt_dir /run/snapd/ns/ufw.mnt: not a directory
2020/10/24 03:56:07 getting mnt_dir: /run/user/123/gvfs: permission denied
2020/10/24 03:56:07 mnt_dir /run/snapd/ns/snap-store.mnt: not a directory
2020/10/24 03:56:07 mnt_dir /run/snapd/ns/keepassxc.mnt: not a directory
2020/10/24 03:56:07 found ext4 filesystem "/mnt" (/dev/sdc8)
2020/10/24 03:56:07 Getting protector e9c9ed7ea8188b59
2020/10/24 03:56:07 could not read metadata at "/mnt/.fscrypt/protectors/e9c9ed7ea8188b59"
fscrypt metadata remove-protector-from-policy: filesystem /mnt: descriptor e9c9ed7ea8188b59: could not find metadata
```

I created an encrypted system on one machine with a login protector and then moved to another machine. I need to make a new login protector. Meanwhile I created a custom protector to get by. The problem is I cannot remove it, neither on the new machine nor on the old. I will lose the old machine in a few hours, so if it is needed then this is urgent, so please help.

@josephlr
Member

Thanks for bringing this up @kamentomov. What version of fscrypt are you using? You can run `fscrypt --version` to find out (the current version is 0.2.9).

I was able to reproduce some of your problems. Good news, there's probably a workaround.

Step 1

I created an encrypted directory on a removable drive on System 1. This had two protectors:

  • A login protector for System 1
  • A passphrase protector

This was set up using `fscrypt encrypt`, `fscrypt metadata create protector`, and `fscrypt metadata add-protector-to-policy`, but on newer versions of fscrypt this can also be done automatically (when using a linked protector on a filesystem).

Output of `fscrypt status /run/media/joe/Test`:

```
ext4 filesystem "/run/media/joe/Test" has 2 protectors and 1 policy

PROTECTOR         LINKED   DESCRIPTION
03f8914bb6167978  Yes (/)  login protector for joe
ccee3490616f11ef  No       custom protector "Test Password"

POLICY                            UNLOCKED  PROTECTORS
418c630b4d88edf215eab2eb9f49ae1e  No        03f8914bb6167978, ccee3490616f11ef
```

Step 2

I then attached this drive to System 2. Here's where I encountered bug 1. Running `fscrypt status` on the newly mounted filesystem gives:

```
ext4 filesystem "/run/media/joe/847dda65-d5ee-4ebd-bcc5-132ce9255787" has 3 protectors and 1 policy

PROTECTOR         LINKED   DESCRIPTION
                           [/run/media/joe/847dda65-d5ee-4ebd-bcc5-132ce9255787/.fscrypt/protectors/03f8914bb6167978.link: cannot follow filesystem link "UUID=1769bc73-bedb-4f9b-a07b-5602d6e0481c": no device with UUID 1769bc73-bedb-4f9b-a07b-5602d6e0481c]
ccee3490616f11ef  No       custom protector "Test Password"

POLICY                            UNLOCKED  PROTECTORS
418c630b4d88edf215eab2eb9f49ae1e  Yes       03f8914bb6167978, ccee3490616f11ef
```

Essentially, this is saying protector 03f8914bb6167978 doesn't exist on the current system, which makes sense. That protector was a login protector, only on the old system.

Step 3

Before we remove the old login protector, we should protect the directory with a login protector on the new system.

First we create the login protector with `fscrypt metadata create protector /`. This login protector may already exist if you have already protected directories on the new system with your login password.

Next, we protect the directory with the new protector:

```
sudo fscrypt metadata add-protector-to-policy --protector=/:1c9865cfe4acf5d7 --policy=/mnt:418c630b4d88edf215eab2eb9f49ae1e
```

This might cause some strange output as fscrypt tries to load the linked login protector which doesn't exist on the new system, but you still should be able to do it. We now have `fscrypt status /mnt` output of:

```
ext4 filesystem "/mnt" has 3 protectors and 1 policy

PROTECTOR         LINKED   DESCRIPTION
                           [/run/media/joe/847dda65-d5ee-4ebd-bcc5-132ce9255787/.fscrypt/protectors/03f8914bb6167978.link: cannot follow filesystem link "UUID=1769bc73-bedb-4f9b-a07b-5602d6e0481c": no device with UUID 1769bc73-bedb-4f9b-a07b-5602d6e0481c]
ccee3490616f11ef  No       custom protector "Test Password"
1c9865cfe4acf5d7  Yes (/)  login protector for joe

POLICY                            UNLOCKED  PROTECTORS
418c630b4d88edf215eab2eb9f49ae1e  Yes       03f8914bb6167978, ccee3490616f11ef, 1c9865cfe4acf5d7
```

Using this directory will now work normally.

Step 4

Now we have this weird remaining protector 03f8914bb6167978 that we no longer need on the new system. So we can remove it. Here's where the second bug turns up. We would ideally remove this with `fscrypt metadata destroy --protector=.:03f8914bb6167978`. However, this protector exists on a system that we're not using, so we get an error about loading the metadata (which is what you're seeing in the above error message).

Right now removing this unnecessary protector is not possible (not that it really harms anything). Ideally, we would have --force remove the remaining links even if they don't exist.
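A quick check for the situation described in Steps 2 and 4, added here as example code rather than anything from fscrypt itself: it walks a mountpoint's `.fscrypt/protectors` directory and reports which `.link` files point at a filesystem UUID that is not currently attached, so an admin can see which linked protectors will fail to load before running `destroy` or `remove-protector-from-policy`. It assumes the link format visible in this thread (a 41-byte file holding the text `UUID=<uuid>`) and that attached filesystems are exposed under /dev/disk/by-uuid.

```shell
#!/bin/sh
# Added example, not part of fscrypt: report protector links under an fscrypt
# metadata directory whose target filesystem is not currently attached.
# Assumption (matches the 41-byte .link files and the quoted error in this
# thread): a <descriptor>.link file holds the literal text "UUID=<uuid>".
# The second argument exists so a test can substitute /dev/disk/by-uuid.

check_protector_links() {
    mountpoint=$1
    byuuid_dir=${2:-/dev/disk/by-uuid}
    dir="$mountpoint/.fscrypt/protectors"
    if [ ! -d "$dir" ]; then
        echo "$mountpoint: no fscrypt metadata directory" >&2
        return 2
    fi
    dangling=0
    for link in "$dir"/*.link; do
        [ -e "$link" ] || continue          # glob matched nothing
        desc=$(basename "$link" .link)
        content=$(cat "$link")
        case $content in
            UUID=*) uuid=${content#UUID=} ;;
            *)  echo "$desc: unrecognised link content, cannot check"
                dangling=$((dangling + 1))
                continue ;;
        esac
        if [ -e "$byuuid_dir/$uuid" ]; then
            echo "$desc: linked filesystem $uuid is attached"
        else
            echo "$desc: linked filesystem $uuid is NOT attached (protector cannot be loaded)"
            dangling=$((dangling + 1))
        fi
    done
    # Exit status 1 means at least one link cannot be followed right now.
    [ "$dangling" -eq 0 ]
}

# Usage: check_protector_links /mnt
if [ $# -gt 0 ]; then
    check_protector_links "$@"
fi
```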

@josephlr
Member

@kamentomov let me know if the stuff in Step 3 above helps you setup a login protector on the new system.

@kamentomov
Author

@josephlr Saved my life - thanks! It worked.

```
kamen@c3po:~$ fscrypt metadata create protector /
Create new protector on "/" [Y/n] 
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
fscrypt metadata create protector: filesystem /: not setup for use with fscrypt

Run "fscrypt setup MOUNTPOINT" to use fscrypt on this filesystem.
kamen@c3po:~$ fscrypt setup /
fscrypt setup: filesystem /: mkdir /.tmp473332868: permission denied
kamen@c3po:~$ sudo fscrypt setup /
Metadata directories created at "/.fscrypt".
Filesystem "/" (/dev/sda6) ready for use with ext4 encryption.
kamen@c3po:~$ fscrypt metadata create protector /
Create new protector on "/" [Y/n] 
Your data can be protected with one of the following sources:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 1
Enter login passphrase for kamen: 
Protector d8535497ed76b642 created on filesystem "/".
kamen@c3po:~$ sudo fscrypt metadata add-protector-to-policy --protector=/:d8535497ed76b642 --policy=/mnt:1b2353ac3ff97803
WARNING: All files using this policy will be accessible with this protector!!
Protect policy 1b2353ac3ff97803 with protector d8535497ed76b642? [Y/n] 
Enter login passphrase for kamen: 
The available protectors are: 
1 - custom protector "transferprot"
NOTE: %d of the %d protectors failed to load. You may need to mount a linked filesystem. Run with --verbose for more
information.Enter the number of protector to use: 1
Enter custom passphrase for protector "transferprot": 
Protector d8535497ed76b642 now protecting policy 1b2353ac3ff97803.
kamen@c3po:~$ fscrypt status /mnt
ext4 filesystem "/mnt" has 2 protectors and 1 policy

PROTECTOR         LINKED   DESCRIPTION
d8535497ed76b642  Yes (/)  login protector for kamen
eb043cdbd9a92c9d  No       custom protector "transferprot"

POLICY            UNLOCKED  PROTECTORS
1b2353ac3ff97803  Yes       e9c9ed7ea8188b59, eb043cdbd9a92c9d, d8535497ed76b642
kamen@c3po:~$ ll /mnt/.fscrypt/protectors/
ll: command not found
kamen@c3po:~$ ls -l /mnt/.fscrypt/protectors/
total 8
-rw-r--r-- 1 root  root   41 окт 26 09:52 d8535497ed76b642.link
-rw-r--r-- 1 kamen kamen 150 окт 24 03:07 eb043cdbd9a92c9d
```

By the way, I removed the old login protector file. It appears when getting the status, but at least I get no error.

@ebiggers ebiggers added the bug label Dec 23, 2021
ebiggers added a commit that referenced this issue Dec 23, 2021
Make remove-protector-from-policy work even if the protector cannot be
loaded (for example, due to having been deleted already).

Fixes #258
Fixes #272
@ebiggers
Collaborator

#338 will make it possible to use `fscrypt remove-protector-from-policy` even if the protector no longer exists. It doesn't appear that anything else is actually being asked for here?

@kamentomov
Author

> #338 will make it possible to use `fscrypt remove-protector-from-policy` even if the protector no longer exists. It doesn't appear that anything else is actually being asked for here?

@ebiggers yes, that's all. Thanks a lot
