encrypted home dir tale of woe :-)


Karl Auer
Hi all.

Here's a cautionary tale about encrypted home dirs with maverick.

Installing maverick, I thought I would encrypt my home directory. As
part of the process, I was given a long string of hex digits and told to
take good care of it, so I did - I wrote it down in two locations and
checked them very carefully.

Everything worked fine. A week later, I wanted to change my password, so
I did. Everything still worked fine. Except that not two hours later I
had managed to forget my new password. Argh! Idiot!

No problem, I thought - I'll just reboot into recovery mode and set my
password anew. Did so - but although I could log in with my new
password, it did not unlock my home directory. Oh dear. Clearly the
login password and the encryption key are not directly related. Not sure
why I imagined they would be.

The result on logging in was a bit sad - Nautilus would not start!

No problem, I thought - I'll go get that long string of hex digits that
I so carefully recorded and unlock my home directory the hard way. So I
did that - but the passphrase was not accepted by
ecryptfs-unwrap-passphrase. Yes, I typed it correctly. I would swear
blind that I had written it down correctly too. But I suppose I must not
have.

Ok, so I checked the FAQ:

   Q: What do I do if I have lost my password/passphrase?
   A: Nothing, you're screwed.

So I reinstalled my home dir. Because I back up regularly, I didn't lose
much - only about a day's worth of saved emails.

From this I have learned the following lessons:

- be extraordinarily careful in preserving that passphrase
- test it to make certain you have in fact recorded it correctly
- test a change of password before you use your new encrypted home dir
- backups are good :-)

And I have an open question: If I'd changed my password from inside
Nautilus rather than just using "passwd" on the command line, would it
have done something behind the scenes to allow my home dir to decrypt
using the new password? Or would I have ended up with the same problem?

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: encrypted home dir tale of woe :-)

Marius Gedminas-2
On Sat, Jan 01, 2011 at 12:54:58PM +1100, Karl Auer wrote:
> Here's a cautionary tale about encrypted home dirs with maverick.

(Summary: Change password via an unspecified method, everything works.
Forget new password, reset it with sudo passwd $user -> boom, home dir
not mountable.)

I may be wrong, but IIRC the encryption passphrase is stored in the
GNOME keyring, which is protected by a keyring password.  By default the
password is the same as your login password.

When you change your login password (via any method), a PAM module
(pam_gnome_keyring.so) tries to change your keyring password too, to
match your new login password.  It can only do that if it knows your old
password, so when you do

  $ passwd
  Password: (old)
  New password: (new)
  Repeat password: (new)

everything works fine, but when you force the password setting as root

  # passwd $username
  New password: (new)
  Repeat password: (new)

there's nothing pam_gnome_keyring can do.  This is a design thing: the
keyring is encrypted with the keyring password, so that nobody can
access any data inside it if they get the encrypted file.  If you forget
the password, you lose your keyring, and the filesystem encryption
passphrase with it.

> And I have an open question: If I'd changed my password from inside
> Nautilus rather than just using "passwd" on the command line, would it
> have done something behind the scenes to allow my home dir to decrypt
> using the new password? Or would I have ended up with the same problem?

When you say Nautilus, I assume you mean the GNOME "About Me" dialog?
There's an open bug against it:

  https://bugzilla.gnome.org/show_bug.cgi?id=616703
  https://bugs.launchpad.net/gnome-keyring/+bug/416825
  https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/268731

so, no, it appears that changing the password that way is a sure way to
lose access to your encrypted home directory.  Unless you change the
password back.

To summarize:

  $ passwd as user --> safe
  # passwd as root --> breaks access to encrypted homes
  $ gnome-about-me --> breaks access to encrypted homes


Disclaimer: I don't use encrypted home directories myself, and I haven't
performed any experiments to verify these conclusions.  If someone knows
better, please say so!

Marius Gedminas
--
Cheap, Fast, Good -- pick two.

Re: encrypted home dir tale of woe :-)

Karl Auer
On Sun, 2011-01-02 at 11:35 +0200, Marius Gedminas wrote:
> there's nothing pam_gnome_keyring can do.  This is a design thing: the
> keyring is encrypted with the keyring password, so that nobody can
> access any data inside it if they get the encrypted file.  If you forget
> the password, you lose your keyring, and the filesystem encryption
> passphrase with it.

Losing my keyring was not a problem - I had all the keys that would have
been stored within it, and the login password is by definition external
to it. The problem was that the forgotten password was *also* the key to
the encrypted dir.

Upon encrypting my home dir during the Maverick install, I was given a
long hex passphrase to store safely. I was informed that this would
allow decryption of my home dir if my login password ever got lost. I
seem to recall it actually saying that the encryption key was normally
the login password.

So I'm fairly sure that your theory is incorrect, though I appreciate
the thought :-)

What irritates me most is that the passphrase did not work. I realise
there is no way now to prove it, but I am pretty much certain I neither
recorded it incorrectly nor entered it incorrectly.

> When you say Nautilus, I assume you mean the GNOME "About Me" dialog?

Yes.

> There's an open bug against it:
>
>   https://bugzilla.gnome.org/show_bug.cgi?id=616703
>   https://bugs.launchpad.net/gnome-keyring/+bug/416825
>   https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/268731

I'm not so sure this is a bug, but whichever way it is supposed to work
it should do so consistently.

> so, no, it appears that changing the password that way is a sure way to
> lose access to your encrypted home directory.

Again, the sequence you describe does indeed lose the encrypted dir IFF
you no longer have the old password to unlock the keyring AND you don't
have the original passphrase.

> To summarize:
>
>   $ passwd as user --> safe
>   # passwd as root --> breaks access to encrypted homes
>   $ gnome-about-me --> breaks access to encrypted homes

I think that should be "breaks access to keyring" - but even then it's
only if you've actually lost the original keyring password. If you
haven't, you can use the appropriate utility to set the keyring password
to match your login password (which should arguably be automatic).

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156

Re: encrypted home dir tale of woe :-)

Marius Gedminas-2
On Sun, Jan 02, 2011 at 09:35:16PM +1100, Karl Auer wrote:

> On Sun, 2011-01-02 at 11:35 +0200, Marius Gedminas wrote:
> > there's nothing pam_gnome_keyring can do.  This is a design thing: the
> > keyring is encrypted with the keyring password, so that nobody can
> > access any data inside it if they get the encrypted file.  If you forget
> > the password, you lose your keyring, and the filesystem encryption
> > passphrase with it.
>
> Losing my keyring was not a problem - I had all the keys that would have
> been stored within it, and the login password is by definition external
> to it. The problem was that the forgotten password was *also* the key to
> the encrypted dir.

Ah, you're right, ecryptfs doesn't depend on the GNOME keyring -- it
has its own PAM module and stores its own passphrase in
~/.ecryptfs/wrapped-passphrase, and loads it into the kernel keyring
(that I didn't even know existed until now) on login.

/usr/share/doc/ecryptfs-utils/ecryptfs-pam-doc.txt.gz says:

  When the user changes his login credentials, the eCryptfs PAM module
  unwraps the mount passphrase in ~/.ecryptfs/wrapped-passphrase with
  the user's old passphrase and rewraps the mount passphrase into
  ~/.ecryptfs/wrapped-passphrase with the user's new passphrase.

so it looks like it works the same way as pam_gnome_keyring, with the
same implications.

Although... all the docs in ecryptfs seem to talk about ~/Private/,
while you're talking about encrypted home.  I wonder if the same
mechanism is used for both?

> Upon encrypting my home dir during the Maverick install, I was given a
> long hex passphrase to store safely. I was informed that this would
> allow decryption of my home dir if my login password ever got lost.

Right.

> What irritates me most is that the passphrase did not work. I realise
> there is no way now to prove it, but I am pretty much certain I neither
> recorded it incorrectly nor entered it incorrectly.

That would be a pretty serious bug.  Have you looked for it on
Launchpad?

Or you could try it again, now that you know both the password and the
passphrase, after, e.g., booting from a CD.

(Testing these things is much easier when only ~/Private is encrypted,
and the rest of ~/ is always accessible.)

Marius Gedminas
--
Please do not even think about automatically normalizing file names
anywhere. There is absolutely no need for introducing such nonsense, and
deviating from the POSIX requirement that filenames be opaque byte
strings is a Bad Idea[TM] (also known as NTFS).
        -- Markus Kuhn
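
Added example, not part of the original thread and not eCryptfs code: a toy
Python model of the unwrap/rewrap behaviour quoted from ecryptfs-pam-doc.txt
above, showing why "passwd" run by the user keeps the home directory mountable
while a reset by root does not. The KDF, the XOR + HMAC wrapping, the function
names and the sample mount passphrase are assumptions made for illustration.

```python
import hashlib, hmac, os

def _key(password: str, salt: bytes) -> bytes:
    # Stand-in KDF; the real eCryptfs wrapping format is different.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 65536, 64)

def wrap(mount_passphrase: str, login_password: str) -> bytes:
    """Model of writing ~/.ecryptfs/wrapped-passphrase (toy XOR + HMAC)."""
    salt, data = os.urandom(8), mount_passphrase.encode()
    key = _key(login_password, salt)
    stream = hashlib.shake_256(key[:32]).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return salt + hmac.new(key[32:], salt + ct, hashlib.sha256).digest() + ct

def unwrap(blob: bytes, login_password: str) -> str:
    """Return the mount passphrase, or raise if the password is wrong."""
    salt, tag, ct = blob[:8], blob[8:40], blob[40:]
    key = _key(login_password, salt)
    good = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrapping password does not match")
    stream = hashlib.shake_256(key[:32]).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

def passwd_as_user(blob: bytes, old: str, new: str) -> bytes:
    # "$ passwd": PAM is handed the old password, so it can unwrap and rewrap.
    return wrap(unwrap(blob, old), new)

def passwd_as_root(blob: bytes, new: str) -> bytes:
    # "# passwd $username": no old password available, file stays untouched.
    return blob

def opens_with(blob: bytes, secret: str) -> bool:
    try:
        unwrap(blob, secret)
        return True
    except ValueError:
        return False

def rewrap_from_record(recorded_mount_passphrase: str, new_login: str) -> bytes:
    # Recovery path: the written-down mount passphrase is wrapped afresh.
    return wrap(recorded_mount_passphrase, new_login)

if __name__ == "__main__":
    MOUNT = "0123456789abcdef0123456789abcdef"  # constructed sample value
    blob = passwd_as_user(wrap(MOUNT, "first"), "first", "forgotten")
    blob = passwd_as_root(blob, "reset")
    print("login after root reset:", opens_with(blob, "reset"))
    print("after rewrap:", opens_with(rewrap_from_record(MOUNT, "reset"), "reset"))
```

In the model, as in the quoted documentation, the recorded mount passphrase is
what sits inside the wrapped file, so recovery wraps it again under the new
login password rather than using it to open the old file.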
