Keys not flushed from cache after logout #11

Open
seebaclo opened this issue Mar 15, 2017 · 1 comment

@seebaclo
Contributor

There is a known issue that keys aren't cleared from the inode cache automatically after the user session is closed. See here

Other issues include the filesystem cache that is not invalidated when the key is unlinked and still lets you see the plaintext filenames.

and here (same author)

Plaintext filenames still appear after detaching the key

That is a kernel issue. The dentries cache is not invalidated when you remove the key and still contains the plaintext filenames.

You must remount the device or force a filesystem cache flush with:

# echo 2 > /proc/sys/vm/drop_caches

During my tests it not only shows filenames as plaintext but their context too. You can see all keys in the /proc/keys directory. The keyctl show command displays only keys set from the current session.

The actual remedy for this is executing the # sync && echo 2 > /proc/sys/vm/drop_caches command as described above. It may need executing as sync && echo 2 | sudo tee /proc/sys/vm/drop_caches in case of insufficient permissions. See here for available documentation. According to this, executing this command is only a one-off and doesn't have any further consequences for the running system.

The only question is, does pam_e4crypt have the capability to take care of this (flushing caches after session close), or do some external tools have to be involved?

@neithernut
Owner

We can implement pam_sm_close_session(). Assuming that the program invoking the function does have the rights necessary, dropping caches is pretty straightforward.
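A sketch of the session-close hook discussed above, as an added example that is not pam_e4crypt's own code: it performs the equivalent of `sync && echo 2 > /proc/sys/vm/drop_caches` when the PAM session closes. The helper name `drop_dentry_cache`, the `BUILD_PAM_MODULE` build switch and the log text are assumptions made for this illustration; the write only succeeds when the calling process is privileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <syslog.h>
#include <unistd.h>

#define DROP_CACHES_PATH "/proc/sys/vm/drop_caches"

/* Hypothetical helper: equivalent of `sync && echo 2 > ctl_path`.
 * Returns 0 on success or a negative errno value. */
int drop_dentry_cache(const char *ctl_path)
{
    int fd, err = 0;
    ssize_t n;

    sync();  /* drop_caches only frees clean objects, so write back first */
    fd = open(ctl_path, O_WRONLY);
    if (fd < 0)
        return -errno;  /* typically EACCES when the caller is not root */
    n = write(fd, "2\n", 2);  /* 2 = reclaim dentries and inodes */
    if (n < 0)
        err = -errno;
    else if (n != 2)
        err = -EIO;
    if (close(fd) < 0 && err == 0)
        err = -errno;
    return err;
}

#ifdef BUILD_PAM_MODULE  /* assumed switch: cc -DBUILD_PAM_MODULE -fPIC -shared */
#define PAM_SM_SESSION
#include <security/pam_modules.h>

int pam_sm_close_session(pam_handle_t *pamh, int flags,
                         int argc, const char **argv)
{
    int rc = drop_dentry_cache(DROP_CACHES_PATH);
    (void)pamh; (void)flags; (void)argc; (void)argv;

    /* Do not block the logout, but record that plaintext names may remain. */
    if (rc != 0)
        syslog(LOG_AUTHPRIV | LOG_WARNING,
               "session close: dentry/inode cache not dropped (errno %d)", -rc);
    return PAM_SUCCESS;
}
#endif
```

The helper takes the control-file path as a parameter so it can be exercised against a harmless file without root and without touching the running system's caches.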
