Bug 200386

Summary:	sys-fs/ecryptfs-utils-30 is broken
Product:	Gentoo Linux	Reporter:	Paul Hewlett <paul>
Component:	New packages	Assignee:	Charlie Shepherd (RETIRED) <masterdriverz>
Status:	RESOLVED WORKSFORME
Severity:	normal	CC:	crypto+disabled
Priority:	High
Version:	2007.0
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Paul Hewlett 2007-11-26 10:47:52 UTC

I got ecryptfs working at my house successfully using ecryptfs-18. However at my place of work ecryptfs is broken.Investigation shows this is ecryptfs-30 - unfortunately the maintainer has removed ecryptfs-18 so I cannot downgrade.
The symptoms are :
             ecryptfs-manager does not offer the passphrase option as well as openssl (ecryptfs-18 always offered both openssl and passphrase when creating a new public/private key pair)
             selecting openssl results in a prompt of the key location and then for the passphrase. entreing the passphrase once goes back to the main menu (ecryptfs-18 asked for verification). The location where the keyfile is meant to be stored is *not* created (/root/.ecryptfs/pki/openssl/key.pem?).
             starting ecryptfsd gets an error about not being able to load the 
gpg module. From the system log:

Nov 26 12:26:17 phantom ecryptfsd: Starting eCryptfs userspace netlink daemon [15247]
Nov 26 12:26:17 phantom ecryptfsd: eCryptfs netlink socket was successfully initialized
Nov 26 12:26:17 phantom ecryptfsd: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]

and when starting ecryptfs-manager:

Nov 26 12:09:25 phantom ecryptfs-manager: Error initializing key module [/usr/lib/ecryptfs/libecryptfs_key_mod_gpg.so]; rc = [-22]
Nov 26 12:09:25 phantom ecryptfs-manager: Key module [passphrase] does not have a key generation subgraph transition node
Nov 26 12:09:41 phantom ecryptfs-manager: Failed to open file for reading
Nov 26 12:09:41 phantom ecryptfs-manager: Error writing key to file; rc = [-5]
Nov 26 12:09:41 phantom ecryptfs-manager: tf_ecryptfs_openssl_gen_key_param_node_passphrase: Error generating key to file [/root/.ecryptfs/pki/openssl/key.pem]; rc = [-5]


phantom ecryptfs-utils # emerge --info
Portage 2.1.3.19 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 i686)
=================================================================
System uname: 2.6.22-gentoo-r9 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz
Timestamp of tree: Wed, 21 Nov 2007 14:46:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/fax /var/bind /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en en_ZA en_US af_ZA en_ZA st_ZA xh_ZA zu_ZA en_GB"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsyncproxy/gentoo-portage"
USE="acl acpi alsa apache2 arts berkdb bitmap-fonts cairo cdr cgi cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer hal iconv ipv6 isdnlog java java5 javascript jingle jpeg ldap mad mbrola midi mikmod mp3 mpeg mudflap ncurses nfs nls nptl nptlonly ogg opengl openmp openssl oss pam pcre pdf pdo perl php png ppds pppd python quicktime readline reflection sdl session snmp spell spl sqlite sqlite3 ssl svg tcpd threads tiff truetype truetype-fonts type1-fonts unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_ZA en_US af_ZA en_ZA st_ZA xh_ZA zu_ZA en_GB" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

phantom ecryptfs-utils #

Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev

2007-11-26 10:59:42 UTC

How do you currently use ecryptfs?

Comment 2 Paul Hewlett 2007-11-26 11:44:54 UTC

(In reply to comment #1)
> How do you currently use ecryptfs?
> 
I am trying out backing up to an external disk - I set up a key with a passphrase and mount the disk using:

        EDIR=/root/.ecryptfs/pki/openssl
        KEY="key=openssl:keyfile=${EDIR}/key.pem"
        PASS="passfile=${EDIR}/pass"
        CIPHER="cipher=aes"
        EBYTES="ecryptfs_key_bytes=32"
        THRU="passthrough=no"
        ARGS="${KEY},${CIPHER},${EBYTES},${THRU},${PASS}"
        mount -t ecryptfs -o "${ARGS}" /${USBDISK} /${USBDISK}
        if [ $? -ne 0 ]
        then
                log "Unable to mount encrypted ${USBDISK} ..."
                exit 1
        fi

[I will eventually move the keys to another external USB key.]

I then run an rsync to copy the backups to the external drive. We have 3 external drives which are rotated every day - at least one is mandated to be offsite.

Incidentally, I tried downloading the source tarball from ecryptfs.sourceforge.net - the ecryptfs-30 package also failed - the -18 worked so it appears to be a problem with the original source...

Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev

2007-11-26 11:56:58 UTC

This is not passphrase method but openssl.
Please unset gpg USE flag and set openssl USE flag.
Then see if you get these two modules when you use ecryptfs-manager.

Please also attach the log of /var/log/messages with you fail to mount.

Comment 4 Paul Hewlett 2007-11-26 12:15:09 UTC

(In reply to comment #3)
> This is not passphrase method but openssl.
> Please unset gpg USE flag and set openssl USE flag.
> Then see if you get these two modules when you use ecryptfs-manager.
> 
> Please also attach the log of /var/log/messages with you fail to mount.
> 

Yes I know that is not passphrase method. ecryptfs-manager is broken - I have just subscribed to the ecryptfs mailing list and someone else has also described a similar problem - to re-iterate in V18 selecting option 3 then gives you 2 further options 1-passphrase and 2 openssl. V30 only gives you one option 1 -openssl. If you select openssl in either V18 or V30 you get a prompt for the passphrase. In V18 you subsequently get a prompt to confirm the passphrase - in V30 no such prompt appears and you return to the main menu of ecryptfs-manager. In V30 if you select option 3 again you get 2 options both of which are openssl. If you repeat this cycle the next iteration gives you three options all opensssl and so on ad nauseam. Also V30 does not create any keyfiles in the requested directory. (usually /root/.ecryptfs/pki/openssl/key.pem). So ecryptfs-manager in V30 is seriously non-functional - V18 works like a charm.
I already disabled gpg. openssl is already set (it does not have to be set globally).

I did not even attempt to mount because there seemed no point if the key.pem file did not exist.

I have subsequently downgraded to V18 via the source tarball and everything works as expected.

Comment 5 Paul Hewlett 2007-11-26 12:40:52 UTC

(In reply to comment #4)
> (In reply to comment #3)

Additional info when using ecryptfs-18 from source.

Syslog when loading ecryptfs-manager:

Nov 26 14:27:01 phantom ecryptfs-manager: Preferring [/usr/lib/ecryptfs/libecryptfs_pki_passphrase.so] file over built-in module for key module with name [passphrase]

Syslog when loading ecryptfsd:

Nov 26 14:28:21 phantom ecryptfsd: Starting eCryptfs userspace netlink daemon [6337]
Nov 26 14:28:21 phantom ecryptfsd: eCryptfs netlink socket was successfully initialized
Nov 26 14:28:21 phantom Received request from user [0] to register daemon [6337]; unregistering daemon [26632]
Nov 26 14:28:21 phantom ecryptfsd: Preferring [/usr/lib/ecryptfs/libecryptfs_pki_passphrase.so] file over built-in module for key module with name [passphrase]
Nov 26 14:28:21 phantom ecryptfsd: Received eCryptfs netlink QUIT message from the kernel
Nov 26 14:28:21 phantom ecryptfs_process_quit: Received request from user [0] with pid [26632] to unregister daemon [6337]
Nov 26 14:28:21 phantom Error processing QUIT message; rc = [-22]
Nov 26 14:28:21 phantom ecryptfs_receive_nl_message: Failed to fulfill QUIT request
Nov 26 14:28:21 phantom ecryptfsd: eCryptfs netlink socket was successfully released
Nov 26 14:28:21 phantom ecryptfsd: ecryptfsd_exit: Closing eCryptfs userspace netlink daemon [26632]

Syslog when mounting external drive:

Nov 26 14:32:46 phantom mount.ecryptfs: Preferring [/usr/lib/ecryptfs/libecryptfs_pki_passphrase.so] file over built-in module for key module with name [passphrase]
Nov 26 14:32:46 phantom mount.ecryptfs: add_public_key_key_to_keyring: Deprecated; use ecryptfs_add_key_module_key_to_keyring() instead
Nov 26 14:32:46 phantom ivman: Device /dev/sdc1 appears to be mountable
Nov 26 14:32:46 phantom ecryptfs_parse_options: eCryptfs: unrecognized option 'passfile=/root/.ecryptfs/pki/openssl/pass'

This mount is successful despite the warning about unrecognized option

Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev

2007-12-14 18:15:00 UTC

OK.
I added a patch for this at version 33, please try again and see if it works for you.
Thanks!

Comment 7 Alon Bar-Lev (RETIRED) gentoo-dev

2007-12-19 20:21:54 UTC

Please reopen if you have comments.