Comment 19 for bug 313812

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 313812] Re: umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)

Quoting papukaija (<email address hidden>):
> ** Tags added: jaunty karmic lucid maverick patch
>
> --
> umount of ecryptfs does not automatically clear the keyring (can be mounted by root later)
> https://bugs.launchpad.net/bugs/313812
>
> Status in eCryptfs - Enterprise Cryptographic Filesystem: Triaged
> Status in “ecryptfs-utils” package in Ubuntu: Confirmed
> Status in “ecryptfs-utils” source package in Lucid: Confirmed
> Status in “ecryptfs-utils” source package in Maverick: Confirmed
> Status in “ecryptfs-utils” source package in Jaunty: Confirmed
> Status in “ecryptfs-utils” source package in Karmic: Confirmed
> Status in “ecryptfs-utils” package in Fedora: Fix Released
>
> Bug description:
> How to reproduce :
>
> 1) setup a private directory
> 2)
> sudo -s
>
> cd /
>
> mkdir source
>
> mkdir target
>
> cp ~user/.Private/example.pdf source
>
> file /source/example.pdf
> /source/example.pdf: data
>
> mount -t ecryptfs source target
> Passphrase: type anything that is not your passphrase or passwords
> Select cipher:
> 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
> 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
> 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
> 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
> Selection [aes]:
> Select key bytes:
> 1) 16
> 2) 32
> 3) 24
> Selection [16]:
> Enable plaintext passthrough (y/n) [n]: n
> Attempting to mount with the following options:
> ecryptfs_key_bytes=16
> ecryptfs_cipher=aes
> ecryptfs_sig=4c748f746abcc24e
> WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
> it looks like you have never mounted with this key
> before. This could mean that you have typed your
> passphrase wrong.
>
> Would you like to proceed with the mount (yes/no)? yes
> Would you like to append sig [4c748f746abcc24e] to
> [/root/.ecryptfs/sig-cache.txt]
> in order to avoid this warning in the future (yes/no)? no
> Not adding sig to user sig cache file; continuing with mount.
> Mounted eCryptfs
>
> file /source/example.pdf
> /source/example.pdf: PDF document, version 1.4

But you're not just logging in as root. You're using sudo, which will keep
your keyrings and much of your environment from your user shell. Try the
following instead:

Create a new user. After doing the ecryptfs unmount, 'switch user' (leave
your original user logged in) to the new user, and sudo from that new user.
Then try the ecryptfs mount from that shell. Does it still work?

> Now I know that the files are really encrypted (using a wrong passphrase on
> files copied to another computer makes the file unreadable), but I don't
> understand how root on my system can mount my files without the correct
> passphrase... is the passphrase stored somewhere? This is really strange and
> doesn't give me too much confidence in this technology. Let's hope I

Good! WhatEVER you do, do not trust anything which claims to keep you
safe from root.

> overlooked something.
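
An added example, not part of the original comment or of ecryptfs-utils: a shell check for the condition this bug describes, a key signature still in the keyring with no eCryptfs mount using it. It assumes eCryptfs keys appear in `keyctl show` output as `user` keys named by their 16-hex-digit signature and that mounts list `ecryptfs_sig=` in `/proc/mounts`; the function names and both samples are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `keyctl show` output (not captured from a real system).
sample_keyring() {
cat <<'EOF'
Session Keyring
 271828182 --alswrv   1000  1000  keyring: _ses
 314159265 --alswrv   1000  1000   \_ user: 4c748f746abcc24e
 161803398 --alswrv   1000  1000   \_ user: 0123456789abcdef
 141421356 --alswrv   1000  1000   \_ user: some-other-app-token
EOF
}

# Constructed sample of /proc/mounts with one eCryptfs mount still active.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/user/.Private /home/user/Private ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# stdin: keyctl output. Prints "user" key names that look like eCryptfs sigs.
keyring_sigs() {
    sed -n 's/.*user: \([0-9a-f]\{16\}\)[[:space:]]*$/\1/p' | sort -u
}

# stdin: /proc/mounts. Prints the sig options of mounted eCryptfs filesystems.
mounted_sigs() {
    awk '$3 == "ecryptfs" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^ecryptfs_(fnek_)?sig=/) { sub(/^[^=]*=/, "", o[i]); print o[i] }
    }' | sort -u
}

# $1: keyctl output, $2: mounts text. Prints sigs no mount is using any more.
lingering_sigs() {
    mounted=" $(printf '%s\n' "$2" | mounted_sigs | tr '\n' ' ')"
    printf '%s\n' "$1" | keyring_sigs | while read -r sig; do
        case "$mounted" in
            *" $sig "*) ;;                  # still backing a mount
            *) printf '%s\n' "$sig" ;;      # left behind after umount
        esac
    done
}

# Live use: lingering_sigs "$(keyctl show)" "$(cat /proc/mounts)"
lingering_sigs "$(sample_keyring)" "$(sample_mounts)"
```

Run it from the same session that did the mount, since the keyring it inspects is the one sudo carries over from the user shell.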