Description:
PAM fscrypt module fails to load keys when logging in from greetd
Additional info:
- fscrypt 0.3.3-2
Steps to reproduce:
- Installed Manjaro Sway (Pinebook Pro) using f2fs with file-based encryption (fscrypt) enabled
- Configured fscrypt to encrypt the home directory per the Fscrypt#Encrypt_a_home_directory wiki section, using the login passphrase and including all the /etc/pam.d setup etc. - fscrypt unlock works OK when run from the command line
- Logging in as the user from the greetd login screen works, but the home directory is not decrypted
Enabling the debug flag in /etc/pam.d/system-login shows the following course of events. Everything seems to be working fine except for the last "could not lock key in memory" part, which is an error message from pam_fscrypt.so:
Mar 23 16:16:18 pine2 pam_fscrypt[529]: CloseSession(map[debug:true]) starting
Mar 23 16:16:18 pine2 pam_fscrypt[529]: invoked for system user "greeter" (969), doing nothing
Mar 23 16:16:18 pine2 pam_fscrypt[529]: CloseSession(map[debug:true]) succeeded
Mar 23 16:16:18 pine2 greetd[529]: pam_unix(greetd:session): session closed for user greeter
Mar 23 16:16:19 pine2 systemd-logind[441]: Session 1 logged out. Waiting for processes to exit.
Mar 23 16:16:19 pine2 pam_fscrypt[721]: OpenSession(map[debug:true]) starting
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Session count for UID=1002 updated to 1
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Setting euid=1002 egid=1002 groups=[1002 998]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,1002) gid=(0,1002) groups=[998 1002]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Reading config from "/etc/fscrypt.conf"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: creating context for user "kravietz2"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found f2fs filesystem "/" (/dev/mmcblk2p2)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: listing protectors in "/.fscrypt/protectors"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found 1 protectors (ignored 2 protectors not owned by kravietz2 or root)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/protectors/591918b475e41f23"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Getting protector 591918b475e41f23 from option
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/protectors/591918b475e41f23"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: listing policies in "/.fscrypt/policies"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found 2 policies (ignored 1 policies not owned by kravietz2 or root)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/policies/56b9083ef73aaf95231c150c5102e379"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: got data for 56b9083ef73aaf95231c150c5102e379 from "/"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/policies/43624550d8852608c986b131d3f8959c"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: got data for 43624550d8852608c986b131d3f8959c from "/"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: unlocking 1 policies protected with AUTHTOK
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Setting euid=0 egid=0 groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: OpenSession(map[debug:true]) failed: unlocking protector 591918b475e41f23: could not lock key in memory
By default, the memory lock ulimit was set to 8192 bytes. I have increased it in two places:
# /etc/systemd/user.conf
DefaultLimitMEMLOCK=1024000
# /etc/security/limits.conf
* soft memlock unlimited
* hard memlock unlimited
But this didn’t help.
Other relevant files:
# /etc/pam.d/system-login
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session optional pam_fscrypt.so debug
session include system-auth
session optional pam_motd.so
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so user_readenv=1
auth optional pam_fscrypt.so
$ sudo fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1
MOUNTPOINT  DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
/           /dev/mmcblk2p2  f2fs        supported      Yes
/boot       /dev/mmcblk2p1  vfat        not supported  No
This was also reported to Arch (bug #74225) but closed as not being an Arch bug.
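Added example (editor's; not code from the bug report, from fscrypt or from greetd): a small POSIX shell script to check the memlock limit that actually applies to the failing call. RLIMIT_MEMLOCK is a per-process limit, and pam_fscrypt's mlock() runs inside the process that executes the PAM session, logged above as pam_fscrypt[721]. /etc/systemd/user.conf only sets defaults for systemd --user instances, and limits.conf is applied by pam_limits.so, which, if it sits in the included system-auth stack (not shown above), runs after the pam_fscrypt.so session entry that precedes "session include system-auth"; so neither change reaches that process. greetd itself normally runs as a system service (assumed here to be greetd.service), whose limit comes from /etc/systemd/system.conf or a per-unit LimitMEMLOCK= drop-in. The script parses text in /proc/<pid>/limits format, reports whether the soft limit covers a given byte count, and prints such a drop-in. The sample limits text, the 16384-byte requirement and the 64M figure are constructed assumptions.

```shell
#!/bin/sh
# Added example (editor's; not code from the bug report, fscrypt or greetd).
# RLIMIT_MEMLOCK is per process: pam_fscrypt's mlock() is subject to the limit
# of the process running the PAM session, so that is the one to inspect.

# Soft "Max locked memory" value from text in /proc/<pid>/limits format:
# a byte count, or the word "unlimited". Prints nothing if the line is absent.
memlock_soft_limit() {
    printf '%s\n' "$1" | awk '/^Max locked memory/ { print $4 }'
}

# Succeed (exit 0) when a limit ("unlimited" or a byte count) covers $2 bytes.
memlock_covers() {
    limit=$1
    needed=$2
    [ "$limit" = "unlimited" ] && return 0
    [ -n "$limit" ] && [ "$limit" -ge "$needed" ]
}

# One-line verdict for limits text: "ok <limit>" or "low <limit>".
memlock_report() {
    lim=$(memlock_soft_limit "$1")
    if memlock_covers "$lim" "$2"; then
        echo "ok ${lim:-missing}"
    else
        echo "low ${lim:-missing}"
    fi
}

# Same verdict for a live pid (e.g. the 721 seen in the journal, or
# "$(pidof greetd)"). Needs root to read another user's /proc/<pid>/limits.
memlock_status() {
    limits=$(cat "/proc/$1/limits" 2>/dev/null) || { echo "no such pid: $1"; return 1; }
    memlock_report "$limits" "$2"
}

# Drop-in that raises the limit for the daemon. greetd.service is the assumed
# unit name; install with `systemctl edit greetd.service`, then
# `systemctl daemon-reload` and restart the service.
greetd_memlock_dropin() {
    cat <<'EOF'
[Service]
LimitMEMLOCK=64M
EOF
}

# Constructed sample in /proc/<pid>/limits format (not from the reporter's
# machine): an old-style 64 KiB soft limit.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max locked memory         65536                65536                bytes
Max open files            1024                 4096                 files'

# Demo when run directly. 16384 bytes is an assumed requirement: fscrypt only
# locks key-sized buffers, so a few pages is enough unless the limit is 0.
echo "sample: $(memlock_report "$SAMPLE_LIMITS" 16384)"
greetd_memlock_dropin
```

On the affected machine the interesting call is memlock_status 721 16384 (using the pid from the journal, while the session is still open) or memlock_status "$(pidof greetd)" 16384 for the daemon itself; a "low 0" result points at the service's limit rather than at the user's session limits.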