Hi, I'm trying to encrypt the home directory of a user and I can't figure out why fscrypt is not changing the key when the user's password is changed with passwd.
- I'm using NixOS; fscrypt version v0.3.6;
ext4 ["noatime" "nodiratime" "discard" "data=journal"] on /home
ext4 [ "noatime" "nodiratime" "discard" "data=writeback" ] on /
fscrypt enabled via security.pam.enableFscrypt = true;
- pam.d
/etc/pam.d/passwd has valid fscrypt:
password optional /nix/store/9zsi9arqmmp7g7shhkvl7wfa7vi3yklf-fscrypt-0.3.6/lib/security/pam_fscrypt.so # fscrypt (order 10300)
I can confirm that the hook is triggering correctly by providing an incorrect password to passwd. In this case fscrypt writes a record to the journal:
pam_fscrypt[10611]: Chauthtok(map[]) failed: incorrect login passphrase
- .fscrypt
fscrypt is set up to provide access for all users.
I have checked that the protectors at / and /home are owned by the user and rw for the owner.
- Now, when I change the password for the user with passwd, I don't get any record from fscrypt, only
passwd[12001]: pam_unix(passwd:chauthtok): password changed for user
Everything seems fine for now.
But on logout I'm getting:
kernel: fscrypt: nvme1n1p2: 2 inode(s) still busy after removing key with identifier 4ba31d046ce2b95bbab784e186af7b1d, including ino 1192846
I assume that the folder was not locked, so I log in as root and check the /home/user directory. I can see files and folders with unencrypted names, but the content is encrypted (!?) as I can't read any file, receiving a 'no key' error.
If I try to log in as user with the new password I get: OpenSession(map[]) failed: unlocking protector 9159e62dba142d54: incorrect login passphrase;
If I change the password back to the old one, fscrypt opens the user's folder normally. Which means that the protector was not updated.
I have tried to change the password with sudo -u user passwd to skip the login and avoid the 'still busy' error, but it leads to
OpenSession(map[]) failed: unlocking protector 9159e62dba142d54: AUTHTOK data missing: No module specific data is present
So I have 2 questions:
- Is this valid behaviour for fscrypt to lock file content but not lock file names?
- What is preventing fscrypt from updating the protector?
Thanks!
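As an added example (not part of the original post or of the fscrypt project), a small journal triage helper that parses the three kinds of messages quoted above (the pam_fscrypt hook failures, the pam_unix password change, and the kernel "still busy" key-removal notice) and turns them into findings a reader can check against their own journal. The sample journal is constructed from the report; the pam_fscrypt[pid] prefix on the OpenSession lines is assumed.

```python
import re

# Constructed sample journal excerpt mirroring the messages quoted in the report;
# the pam_fscrypt[pid] prefix on the OpenSession lines is an assumption.
SAMPLE_JOURNAL = """\
pam_fscrypt[10611]: Chauthtok(map[]) failed: incorrect login passphrase
passwd[12001]: pam_unix(passwd:chauthtok): password changed for user
kernel: fscrypt: nvme1n1p2: 2 inode(s) still busy after removing key with identifier 4ba31d046ce2b95bbab784e186af7b1d, including ino 1192846
pam_fscrypt[12100]: OpenSession(map[]) failed: unlocking protector 9159e62dba142d54: incorrect login passphrase
pam_fscrypt[12200]: OpenSession(map[]) failed: unlocking protector 9159e62dba142d54: AUTHTOK data missing: No module specific data is present
"""

PAM_FAIL = re.compile(r"pam_fscrypt\[(?P<pid>\d+)\]: (?P<hook>\w+)\(map\[\]\) failed: (?P<detail>.*)")
PROTECTOR = re.compile(r"unlocking protector (?P<protector>[0-9a-f]+): (?P<reason>.*)")
KEY_BUSY = re.compile(r"fscrypt: (?P<dev>\S+): (?P<inodes>\d+) inode\(s\) still busy after removing key with identifier (?P<key>[0-9a-f]+)")
PW_CHANGED = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")


def parse_line(line):
    """Classify one journal line; returns a dict with a 'kind' key, or None if unrelated."""
    if m := PAM_FAIL.search(line):
        ev = {"kind": "pam_fscrypt_failure", "pid": int(m["pid"]), "hook": m["hook"],
              "protector": None, "reason": m["detail"]}
        if p := PROTECTOR.search(m["detail"]):  # split "unlocking protector X: reason"
            ev["protector"], ev["reason"] = p["protector"], p["reason"]
        return ev
    if m := KEY_BUSY.search(line):
        return {"kind": "key_removal_busy", "device": m["dev"], "inodes": int(m["inodes"]), "key_id": m["key"]}
    if m := PW_CHANGED.search(line):
        return {"kind": "password_changed", "user": m["user"]}
    return None


def triage(journal_text):
    """Parse a journal excerpt; returns (events, human-readable findings)."""
    events = [ev for ev in map(parse_line, journal_text.splitlines()) if ev]
    findings = []
    for ev in events:
        if ev["kind"] == "key_removal_busy":
            findings.append(f"{ev['device']}: key {ev['key_id']} removed while {ev['inodes']} inode(s) "
                            "were still in use, so the directory was not fully locked")
        elif ev["kind"] == "pam_fscrypt_failure" and ev["reason"].startswith("AUTHTOK data missing"):
            findings.append(f"{ev['hook']}: pam_fscrypt found no password stored by its auth hook")
        elif ev["kind"] == "pam_fscrypt_failure" and ev["reason"] == "incorrect login passphrase":
            findings.append(f"{ev['hook']}: supplied password does not unlock protector {ev['protector'] or '(unknown)'}")
    return events, findings


if __name__ == "__main__":
    for line in triage(SAMPLE_JOURNAL)[1]:
        print(line)
```

Feeding `journalctl -b -o cat` output into `triage()` gives the same classification for a live system.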