Fscrypt using login passphrase fails with "could not lock key in memory"

Description:

PAM fscrypt module fails to load keys when logging in from greetd

Additional info:

  • fscrypt 0.3.3-2

Steps to reproduce:

  1. Installed Manjaro Sway (Pinebook Pro) using f2fs with enabled file-based encryption (fscrypt)
  2. Configured fscrypt to encrypt home directory per Fscrypt#Encrypt_a_home_directory Wiki using login passphrase including all /etc/pam.d setup etc
  3. fscrypt unlock works OK when running from command line
  4. Login as the user from greetd login screen works, but the home directory is not decrypted

Enabling debug flag in /etc/pam.d/system-login shows the following course of events - everything seems to be working fine except for the last “could not lock key in memory” part, which is an error message from pam_fscrypt.so:

Mar 23 16:16:18 pine2 pam_fscrypt[529]: CloseSession(map[debug:true]) starting
Mar 23 16:16:18 pine2 pam_fscrypt[529]: invoked for system user "greeter" (969), doing nothing
Mar 23 16:16:18 pine2 pam_fscrypt[529]: CloseSession(map[debug:true]) succeeded
Mar 23 16:16:18 pine2 greetd[529]: pam_unix(greetd:session): session closed for user greeter
Mar 23 16:16:19 pine2 systemd-logind[441]: Session 1 logged out. Waiting for processes to exit.
Mar 23 16:16:19 pine2 pam_fscrypt[721]: OpenSession(map[debug:true]) starting
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Session count for UID=1002 updated to 1
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Setting euid=1002 egid=1002 groups=[1002 998]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,1002) gid=(0,1002) groups=[998 1002]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Reading config from "/etc/fscrypt.conf"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: creating context for user "kravietz2"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found f2fs filesystem "/" (/dev/mmcblk2p2)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: listing protectors in "/.fscrypt/protectors"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found 1 protectors (ignored 2 protectors not owned by kravietz2 or root)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/protectors/591918b475e41f23"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Getting protector 591918b475e41f23 from option
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/protectors/591918b475e41f23"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: listing policies in "/.fscrypt/policies"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: found 2 policies (ignored 1 policies not owned by kravietz2 or root)
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/policies/56b9083ef73aaf95231c150c5102e379"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: got data for 56b9083ef73aaf95231c150c5102e379 from "/"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: successfully read metadata from "/.fscrypt/policies/43624550d8852608c986b131d3f8959c"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: got data for 43624550d8852608c986b131d3f8959c from "/"
Mar 23 16:16:19 pine2 pam_fscrypt[721]: unlocking 1 policies protected with AUTHTOK
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Setting euid=0 egid=0 groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
Mar 23 16:16:19 pine2 pam_fscrypt[721]: OpenSession(map[debug:true]) failed: unlocking protector 591918b475e41f23: could not lock key in memory

By default, the memory lock ulimit was set to 8192 bytes. I have increased it in two places:

# /etc/systemd/user.conf
DefaultLimitMEMLOCK=1024000
# /etc/security/limits.conf
* soft memlock unlimited
* hard memlock unlimited

But this didn’t help.

Other relevant files:

# /etc/pam.d/system-login

auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth

account required pam_access.so
account required pam_nologin.so
account include system-auth

password include system-auth

session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session optional pam_fscrypt.so debug
session include system-auth
session optional pam_motd.so
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so user_readenv=1
auth optional pam_fscrypt.so

$ sudo fscrypt status
filesystems supporting encryption: 1
filesystems with fscrypt metadata: 1

MOUNTPOINT  DEVICE          FILESYSTEM  ENCRYPTION     FSCRYPT
/           /dev/mmcblk2p2  f2fs        supported      Yes
/boot       /dev/mmcblk2p1  vfat        not supported  No

This was also reported to Arch (bug #74225) but closed as not being an Arch bug.
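The "could not lock key in memory" error is raised when the module's mlock() of a key buffer fails, and mlock() is accounted against RLIMIT_MEMLOCK of the process running the PAM stack (here the greetd child, PID 721 in the log), not of the shell where fscrypt unlock was tested. The following diagnostic script is an added example, not part of the report above: it reads the memlock limits of any PID from /proc/<pid>/limits and checks whether a limit can hold a given number of locked pages (mlock locks whole pages, so each key costs at least one page).

```shell
#!/bin/sh
# Added diagnostic, not from the thread: show which RLIMIT_MEMLOCK a given
# process actually runs under, so the limit set for the greetd process can be
# compared with the one the interactive shell has.

# Soft memlock limit of a PID, in bytes or "unlimited" (column 4 of the
# "Max locked memory" line in /proc/<pid>/limits).
memlock_soft_limit() {
    awk '/^Max locked memory/ { print $4 }' "/proc/$1/limits"
}

# Hard memlock limit of a PID (column 5 of the same line).
memlock_hard_limit() {
    awk '/^Max locked memory/ { print $5 }' "/proc/$1/limits"
}

# Return 0 if a limit ("unlimited" or bytes) can hold `pages` mlocked pages.
# Page size defaults to the running kernel's, but may be passed as $3.
memlock_allows_pages() {
    limit=$1; pages=$2; page=${3:-$(getconf PAGESIZE)}
    [ "$limit" = "unlimited" ] && return 0
    [ "$limit" -ge $((pages * page)) ]
}

# Print soft/hard memlock limits and the number of whole pages the soft
# limit admits, for each PID given on the command line.
memlock_report() {
    page=$(getconf PAGESIZE)
    for pid in "$@"; do
        soft=$(memlock_soft_limit "$pid"); hard=$(memlock_hard_limit "$pid")
        if [ "$soft" = "unlimited" ]; then fits="unlimited"
        else fits=$((soft / page)); fi
        echo "pid $pid ($(cat "/proc/$pid/comm")): soft=$soft hard=$hard locked pages admitted=$fits"
    done
}

# Usage: compare this shell with every running greetd process.
# memlock_report $$ $(pgrep -x greetd)
```

With an 8192-byte limit and a 4 KiB page size the report shows only two locked pages admitted, which is why the value set in limits.conf or user.conf only helps if it reaches the greetd process itself.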

But what greeter manager did you install with it? Mind you, there are 3 optional packages you can choose from:

It’s greetd-gtkgreet with the following config:

# cat config.toml 
[terminal]
# The VT to run the greeter on. Can be "next", "current" or a number
# designating the VT.
vt = 1

# The default session, also known as the greeter.
[default_session]
# `agreety` is the bundled agetty/login-lookalike. You can replace `$SHELL`
# with whatever you want started, such as `sway`.
command = "sway --config /etc/greetd/sway >> /tmp/sway.log 2>&1"

# The user to run the command as. The privileges this user must have depends
# on the greeter. A graphical greeter may for example require the user to be
# in the `video` group.
user = "greeter"

I don’t think that is how it should be … Please check greetd - ArchWiki

Thanks for the hint - I checked, but the greeter user seems to be the right one per Greeter_configuration of that Wiki:

By default, greeters are run as the greeter user. This can be changed by editing the user option in the default_session section of the configuration file and replacing another_user with the chosen user: 

I got it working - just need to create the target user with homectl --storage=fscrypt. Why it doesn’t work for regular users, I have no idea.