Package: fscrypt
Version: 0.2.9-1
Severity: normal
Tags: patch

Dear Maintainer,

I wanted to use fscrypt to encrypt my home, and unlock it automatically by using my
login username/password on a LightDM session. Unlocking does work, but it seems some
services, like pulseaudio, fail to start because of reading errors to the filesystem.
After my lightdm session is started I can restart the failed services to make them work
again. To me it seems the home is not opened "quick enough" for the systemd service units.

My default common-session is:
....
# and here are more per-package modules (the "Additional" block)
session    required pam_unix.so
session    optional pam_systemd.so
session    optional pam_fscrypt.so drop_caches lock_policies
# end of pam-auth-update config


My /etc/fscrypt.conf:
{
        "source": "custom_passphrase",
        "hash_costs": {
                "time": "59",
                "memory": "131072",
                "parallelism": "32"
        },
        "options": {
                "padding": "32",
                "contents": "AES_256_XTS",
                "filenames": "AES_256_CTS",
                "policy_version": "2"
        },
        "use_fs_keyring_for_v1_policies": false
}


I can fix this issue temporarily by manually moving fscrypt to a higher priority, like so:
...
# and here are more per-package modules (the "Additional" block)
session optional        pam_fscrypt.so drop_caches lock_policies
session required        pam_unix.so
session optional        pam_systemd.so
# end of pam-auth-update config

Doing so makes all user system units start without errors.

Am I on the wrong track, or can we make this permanent for libpam-fscrypt?



-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (940, 'testing'), (920, 'stable'), (910, 'stable-updates'), (900, 'stable'), (51, 'unstable'), (20, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fscrypt depends on:
ii  libc6     2.30-8
ii  libpam0g  1.3.1-5

fscrypt recommends no packages.

Versions of packages fscrypt suggests:
ii  libpam-fscrypt  0.2.9-1

-- no debconf information
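
Added example, not part of the original report and not fscrypt's own code: a Python check that parses a PAM session stack and reports whether pam_fscrypt.so is listed before pam_systemd.so, the ordering the workaround above produces. The two sample stacks are constructed from the lines quoted in the report, and the function names are hypothetical.

```python
import re

# Sample stacks constructed from the common-session lines quoted in the report.
REPORTED_STACK = """\
session    required pam_unix.so
session    optional pam_systemd.so
session    optional pam_fscrypt.so drop_caches lock_policies
"""
WORKAROUND_STACK = """\
session optional        pam_fscrypt.so drop_caches lock_policies
session required        pam_unix.so
session optional        pam_systemd.so
"""

# type, control (keyword or [value=action ...]), module path, optional arguments
PAM_LINE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_modules(text):
    """Return (line_number, module_name) for each session entry, in stack order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = PAM_LINE.match(line)
        if m and m.group(1).lstrip("-") == "session":
            entries.append((lineno, m.group(3).rsplit("/", 1)[-1]))
    return entries

def check_order(text, first="pam_fscrypt.so", later="pam_systemd.so"):
    """Return 'ok', 'late' (first is listed after later) or 'missing'."""
    pos = {}
    for lineno, name in session_modules(text):
        pos.setdefault(name, lineno)             # first occurrence decides order
    if first not in pos:
        return "missing"
    if later in pos and pos[first] > pos[later]:
        return "late"
    return "ok"

if __name__ == "__main__":
    # Hypothetical usage: pass a path such as /etc/pam.d/common-session.
    import sys
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, check_order(fh.read()))
    if len(sys.argv) == 1:
        print("reported:", check_order(REPORTED_STACK))
        print("workaround:", check_order(WORKAROUND_STACK))
```

Files pulled in with `@include` are not followed, so run it on the file that actually holds the session lines.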
