10

I've set up an encrypted home directory for user piranha3:

```
root@raspberrypi:~# ecryptfs-verify -u piranha3 -h
INFO: [/home/piranha3/.ecryptfs] exists
INFO: [/home/piranha3/.ecryptfs/Private.sig] exists
INFO: [/home/piranha3/.ecryptfs/Private.sig] contains [2] signatures
INFO: [/home/piranha3/.ecryptfs/Private.mnt] exists
INFO: [/home/piranha3] is a directory
INFO: [/home/piranha3/.ecryptfs/auto-mount] Automount is set
INFO: Mount point [/home/piranha3] is the user's home
INFO: Ownership [piranha3] of mount point [/home/piranha3] is correct
INFO: Configuration valid
```

But after piranha3 logs out, the directory is not unmounted:

```
root@raspberrypi:~# mount | grep ecryptfs
/home/.ecryptfs/piranha3/.Private on /home/piranha3 type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=729061d7fa17b3a4,ecryptfs_sig=eb5ec4d9c13e2d74,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
```

lsof output:

```
lsof: WARNING: can't stat() cifs file system /media/cifs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
```

System Information:

```
root@raspberrypi:~# dpkg -l ecryptfs-utils
Deseado=desconocido(U)/Instalar/eliminaR/Purgar/retener(H)
| Estado=No/Inst/ficheros-Conf/desempaqUetado/medio-conF/medio-inst(H)/espera-disparo(W)/pendienTe-disparo
|/ Err?=(ninguno)/requiere-Reinst (Estado,Err: mayúsc.=malo)
||/ Nombre                   Versión           Arquitectura      Descripción
+++-========================-=================-=================-======================================================
ii  ecryptfs-utils           103-5             armhf             ecryptfs cryptographic filesystem (utilities)
root@raspberrypi:~# uname -a
Linux raspberrypi 4.1.13-v7+ #826 SMP PREEMPT Fri Nov 13 20:19:03 GMT 2015 armv7l GNU/Linux
```

And finally about PAM:

```
root@raspberrypi:~# grep -r ecryptfs /etc/pam.d
/etc/pam.d/common-session:session       optional        pam_ecryptfs.so unwrap
/etc/pam.d/common-password:password     optional        pam_ecryptfs.so
/etc/pam.d/common-auth:auth     optional        pam_ecryptfs.so unwrap
/etc/pam.d/common-session-noninteractive:session        optional        pam_ecryptfs.so unwrap
```

Why is /home/directory not unmounted?

peterh
sebelk
  • The `ecryptfs-verify` option `-p` is for a private non-HOME directory, try the `-h, --home` option instead. And do any encrypted homes for any other users work correctly, mount on login & umount on logout, etc? Created with `adduser --encrypt-home` or with `ecryptfs-migrate-home` ? – Xen2050 Dec 28 '15 at 16:11
  • I've edited accordingly. – sebelk Dec 28 '15 at 23:32
  • @sebelk I'm facing the very same issue with my home folder created with `ecryptfs-migrate-home` in archlinux. I followed the [wiki instructions](https://wiki.archlinux.org/index.php/ECryptfs) for auto-mounting. It is mentioned there that there is a bug with `systemd`, a bug report is filed and [a workaround is provided](http://lists.alioth.debian.org/pipermail/pkg-systemd-maintainers/2014-October/004088.html) but I am far from a systemd specialist. – cjorssen Dec 01 '16 at 14:07
  • I believe I found a way that is working for me on Ubuntu 17.04 - Information below in the Answer section. – Mad Man Jul 02 '17 at 05:36
  • I posted an answer in another thread. I found a solution to this issue on 16.04 and 18.04. [link to other post.](https://askubuntu.com/questions/910484/encrypted-home-folder-still-accessible-after-logout/1052885#answer-1052885 "link to other post") – redrock Jul 22 '18 at 22:45

2 Answers

1

Please open a terminal and follow these instructions.

```
cd /etc/systemd/system
sudo nano ecryptfs-umount-private.service
```

Enter the content below into the file.

```
[Unit]
Description=Umount Private directory
Before=systemd-exit.service
DefaultDependencies=no
Requires=shutdown.target
After=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/bin/ecryptfs-umount-private

[Install]
WantedBy=exit.target
```

Press Ctrl+X, then press y and the Enter key to save the file.

```
sudo systemctl daemon-reload
sudo systemctl enable ecryptfs-umount-private.service
```

I have tested this and it is working for me.

One other thing that I did that may or may not help was to edit `/etc/systemd/logind.conf` and change the line `#KillUserProcesses=no` to `KillUserProcesses=yes`.

P.S. I tested this by switching users, logging out, logging back into the primary account and then testing as root with `ls /home/folder name`. I noticed a small delay; however, this worked for me on Ubuntu 17.04 with Gnome.

Mad Man
1

According to a user at askubuntu, it's a known bug: https://askubuntu.com/a/932650. I don't know if it's true or not, but I found a workaround.

I added the following line at the end of my `.bash_logout` (e.g. `vim ~/.bash_logout`):

```
(sleep 10; ecryptfs-umount-private) &
```

When I log out (ssh connection), I see the message "Sessions still open, not unmounting", but my home-dir gets unmounted/encrypted anyways.

scotty86
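A check for the condition described in the question and tested by hand in both answers, as an added example that is not part of the original thread: given `mount` and `who` output, it lists eCryptfs mounts whose user has no login session. The function name, the sample input and the `<user>/.Private` path convention used to derive the owner are assumptions.

```bash
#!/bin/sh
# Added example (not from the original thread): list eCryptfs mounts whose
# owner has no login session, i.e. decrypted data left readable after logout.

# stale_ecryptfs_mounts MOUNT_TEXT WHO_TEXT
#   MOUNT_TEXT: text in the format printed by `mount`
#   WHO_TEXT:   text in the format printed by `who` (user name in column 1)
# Prints "user mountpoint" for every eCryptfs mount without a session.
# Mount points containing spaces are not handled.
stale_ecryptfs_mounts() {
    # Collapse the `who` text into a space-separated list of user names.
    active=$(printf '%s\n' "$2" | awk 'NF { print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v active_list="$active" '
        BEGIN {
            n = split(active_list, names, " ")
            for (i = 1; i <= n; i++) active[names[i]] = 1
        }
        # mount prints: SOURCE on MOUNTPOINT type FSTYPE (options)
        $2 == "on" && $4 == "type" && $5 == "ecryptfs" {
            # Assumption: the lower directory is .../<user>/.Private, as in
            # the question (/home/.ecryptfs/piranha3/.Private).
            m = split($1, part, "/")
            user = (m >= 2 && part[m] == ".Private") ? part[m - 1] : "unknown"
            if (!(user in active)) print user, $3
        }'
}

# Constructed sample input: the piranha3 mount from the question (options
# shortened) plus a made-up second user "alice" who is still logged in.
SAMPLE_MOUNT='/dev/mmcblk0p2 on / type ext4 (rw,noatime)
/home/.ecryptfs/piranha3/.Private on /home/piranha3 type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
/home/.ecryptfs/alice/.Private on /home/alice type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)'
SAMPLE_WHO='alice    pts/0        2015-12-28 10:01 (192.0.2.10)
root     tty1         2015-12-28 09:58'

# Run against the sample; on a live system, as root, use:
#   stale_ecryptfs_mounts "$(mount)" "$(who)"
stale_ecryptfs_mounts "$SAMPLE_MOUNT" "$SAMPLE_WHO"
```

`who` may not list every kind of session, so a reported mount is a candidate to investigate rather than proof of the bug; on systemd systems `loginctl list-users` is another source for the session list.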