我在 xubuntu 中登录和解密我的主文件夹时遇到问题。当我尝试登录时,屏幕闪烁,什么也没发生。当时的系统日志信息:
Aug 7 15:22:20 xu sudo: pam_ecryptfs: Passphrase file wrapped
Aug 7 15:22:20 xu sudo: pam_ecryptfs: Unable to rewrap passphrase file
Aug 7 15:22:20 xu sudo: Failed to detect wrapped passphrase version: Permission denied
Aug 7 15:22:20 xu sudo: Error attempting to unwrap passphrase from file [/home/sergei/.ecryptfs/wrapped-passphrase]; rc = [-13]
Aug 7 15:22:20 xu sudo: pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [-5]
Aug 7 15:23:06 xu lightdm: pam_ecryptfs: Passphrase file wrapped
Aug 7 15:23:06 xu lightdm: pam_ecryptfs: Unable to rewrap passphrase file
Aug 7 15:23:06 xu lightdm: Failed to detect wrapped passphrase version: Permission denied
Aug 7 15:23:06 xu lightdm: Error attempting to unwrap passphrase from file [/home/sergei/.ecryptfs/wrapped-passphrase]; rc = [-13]
Aug 7 15:23:06 xu lightdm: pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [-5]
Aug 7 15:23:07 xu systemd[1]: Started Session c6 of user sergei.
Aug 7 15:23:07 xu lightdm[2973]: Signature not found in user keyring
Aug 7 15:23:07 xu lightdm[2973]: Perhaps try the interactive 'ecryptfs-mount-private'
Aug 7 15:23:07 xu lightdm[2973]: Error writing X authority: Failed to open X authority /home/sergei/.Xauthority: Permission denied
Aug 7 15:23:07 xu acpid: client 3689[0:0] has disconnected
Aug 7 15:23:07 xu acpid: client connected from 3897[0:0]
Aug 7 15:23:07 xu acpid: 1 client rule loaded
Aug 7 15:23:07 xu systemd[1]: Started Session c7 of user lightdm.
我能够通过 Ctl+Alt+F1 控制台登录,因此我决定手动挂载我的主目录。但收到一个错误:
sergei@xu:~$ ecryptfs-mount-private
Enter your login passphrase:
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
ERROR: Your passphrase is incorrect
Enter your login passphrase:
系统日志:
Aug 7 15:30:49 xu ecryptfs-insert-wrapped-passphrase-into-keyring: Failed to detect wrapped passphrase version: Permission denied
Aug 7 15:30:49 xu ecryptfs-insert-wrapped-passphrase-into-keyring: Error attempting to unwrap passphrase from file [/home/sergei/.ecryptfs/wrapped-passphrase]; rc = [-13]
我尝试检查我的密码:
sergei@xu:~$ ecryptfs-unwrap-passphrase
Passphrase:
Error: Unwrapping passphrase failed [-13]
Info: Check the system log for more information from libecryptfs
系统日志:
Aug 7 15:28:47 xu ecryptfs-unwrap-passphrase: Failed to detect wrapped passphrase version: Permission denied
但在 root 下 unwrap-passphrase 工作正常:
sergei@xu:~$ sudo ecryptfs-unwrap-passphrase /home/sergei/.ecryptfs/wrapped-passphrase
Passphrase:
mypassphrase_here
好吧,我没有忘记密码。输出与我输入的短语相同。不过,输出不是那么长的随机短语,那是很久以前自动生成的。出现这些问题后,我决定以不同的方式安装它:
sergei@xu:~$ ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [e94f5149955202f3] into the user session keyring
Inserted auth tok with sig [6a7465b6ae998f18] into the user session keyring
sergei@xu:~$ sudo mount -t ecryptfs /home/sergei/.Private /mnt/
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [e94f5149955202f3]: 6a7465b6ae998f18
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=6a7465b6ae998f18
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=e94f5149955202f3
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [e94f5149955202f3] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs
如上所示,我收到了错误并忽略了它。但在挂载的目录中只有一堆 ECRYPTFS_FNEK_ENCRYPTED 文件。我尝试恢复我的目录,但收到错误并且没有系统日志信息:
sergei@xu:~$ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/sergei/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [e94f5149955202f3] into the user session keyring
ERROR: The key required to access this private data is not available.
我再次尝试,但这次我说我没有登录密码,并输入了那个很长的随机密码:
sergei@xu:~$ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/sergei/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] n
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
Enter your MOUNT passphrase:
INFO: Success! Private data mounted at [/tmp/ecryptfs.4qCNYRo6].
但是,/tmp/ecryptfs.4qCNYRo6
又出现了一堆 ECRYPTFS_FNEK_ENCRYPTED 文件。
那么,我应该怎么做才能解决我的问题?我真的不想丢失我的主目录。
答案1
当我在 Ubuntu 16.04 LTS 上安装 Manjaro 时,我遇到了同样的错误日志。我的 /home 分区位于其自己的分区上,并且我的主文件夹 /home/simon 使用 Ubuntu 安装程序通过 ecryptfs 加密。
我很快注意到,Manjaro 安装没有像它应该的那样创建我的用户帐户,登录名为“simon”。相反,它变成了 UID 1000 上的“simonw”。使用 useradd 创建名为“simon”的用户并没有立即起作用,但我不得不更改“simon”的 UID,以获得Arch wiki 中的 PAM 自动安装上班。
我通过交换“simon”和“simonw”的 UID 和 GID 解决了这个问题。例如:
# Starting with simonw (1000,1000) and simon (1001,1001) UIDs and GIDs. Both sudoers.
# Log in as simon
usermod -u 1011 simonw
usermod -g 1001 simonw
# Log in as simonw
usermod -u 1000 simon
usermod -g 1000 simon
# simon could now decrypt and auto-mount the home-folder /home/simon
# Delete simonw, or whatever.
TLDR;检查尝试解密主文件夹的 UID 是否与拥有原始包装密码的 UID 相同。
我希望这可以为某些人提供未来的参考,即使这个问题现在已经过时了。在网络上搜索错误消息时,这个问题仍然排名很高。
答案2
也许您可以在恢复模式下启动,或者使用另一个 Ubuntu 系统的 USB 驱动器启动,然后尝试此处描述的操作:如何在另一台 Ubuntu 机器上挂载加密的 /home 目录?
我会先备份 /home/.ecryptfs/sergei/.Private。