Bug 460958 - Make password change friendly for fscrypt users
Summary: Make password change friendly for fscrypt users
Status: REPORTED
Alias: None
Product: systemsettings
Classification: Applications
Component: kcm_users
Version: unspecified
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
Reported: 2022-10-24 20:50 UTC by Yevhen Popok
Modified: 2022-10-24 20:50 UTC
Description Yevhen Popok 2022-10-24 20:50:05 UTC
Fscrypt is a modern alternative to eCryptfs (which at some point Ubuntu used for "home" encryption). After initial setup, fscrypt is generally hassle-free, largely thanks to its PAM module.
Password change is automatically handled as well, but there's a little caveat:
 "Usually, the PAM module pam_fscrypt.so will automatically detect changes to a user's login passphrase and update the user's fscrypt login protector so that they retain access to their login-passphrase protected directories. However, sometimes a user's login passphrase can become desynchronized from their fscrypt login protector."
So the user shouldn't use sudo or the root account for the 'passwd' command; otherwise he will have to update the login-passphrase protector manually (or change the password back).
Unfortunately, fscrypt users who change their password with the standard KDE Plasma "System Settings" dialogs face the same issue as with the "elevated" 'passwd' command. For some reason the fscrypt PAM module doesn't receive the new password, so the user needs to roll it back or update it manually with a command (which fscrypt nicely prints on the CLI, but obviously it's not visible to GUI users).
P.S. I've also tried the same on GNOME 42. There, a password change with the native dialogs happens imperceptibly for the fscrypt user.


STEPS TO REPRODUCE
*** Disclaimer: not all distros and filesystems provide fscrypt support yet.
My steps were tested on Kubuntu and KDE Neon with an EXT4 filesystem ***
1. Setup and configure fscrypt with a PAM module
a) sudo apt -y install libpam-fscrypt
b) sudo tune2fs -O encrypt "/dev/<root disk device>" # (e.g. /dev/sda2, /dev/nvme0n1p2, /dev/vda1; check yours with "sudo fdisk -l")
c) sudo fscrypt setup
d) mkdir ~/fscrypt
e) sudo fscrypt encrypt ~/fscrypt --user=$USER
f) touch ~/fscrypt/file
- select "1 - Your login passphrase (pam_passphrase)"
- input $USER password

2. Log-out and Log-in
3. Make sure that ~/fscrypt/file gets unlocked after login  
4. Try to change user password with a command
passwd $USER
5. Log out, log in, and make sure that ~/fscrypt/file still gets unlocked automatically
6. Change user password with "systemsettings" dialogs

OBSERVED RESULT
~/fscrypt/file is encrypted

EXPECTED RESULT
~/fscrypt/file is decrypted

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: KDE Neon 5.26
KDE Plasma Version: 5.26.1
KDE Frameworks Version: 5.99.0
Qt Version: 5.15.6

ADDITIONAL INFORMATION
I've also tried the same on GNOME 42. There password change happens imperceptibly for fscrypt user.
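
The following diagnostic is an added example, not part of the original report and not code from fscrypt or KDE: it lists the modules a PAM service runs in its password stack and reports whether pam_fscrypt.so is among them. The sample PAM files and the `example-gui` service name are constructed for illustration; on a real system the directory argument would be /etc/pam.d.

```shell
# List the modules a PAM service runs for one group (auth, session, password...),
# following Debian-style "@include" lines and "include"/"substack" controls.
pam_modules() {  # usage: pam_modules PAM_DIR SERVICE TYPE
    [ -r "$1/$2" ] || return 1
    while read -r type rest || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac           # blank line or comment
        rest=${rest%%#*}                                  # drop trailing comment
        case $rest in '['*) rest="[] ${rest#*]}" ;; esac  # "[a=1 b=2]" -> one word
        read -r control module extra <<EOF
$rest
EOF
        case ${type#-}:$control in                        # "-password" counts as password
            @include:*) pam_modules "$1" "$control" "$3" ;;
            "$3":include|"$3":substack) pam_modules "$1" "$module" "$3" ;;
            "$3":*) printf '%s\n' "${module##*/}" ;;
        esac
    done <"$1/$2"
}

# Exit 0 when a password change made through SERVICE reaches pam_fscrypt.so.
password_stack_has_fscrypt() {  # usage: password_stack_has_fscrypt PAM_DIR SERVICE
    pam_modules "$1" "$2" password | grep -qx 'pam_fscrypt.so'
}

# Constructed sample configs (not copied from any real system).
make_sample_pam_dir() {
    d=$(mktemp -d)
    printf '%s\n' '@include common-password' >"$d/passwd"
    printf '%s\n' \
        'password [success=1 default=ignore] pam_unix.so obscure yescrypt' \
        'password requisite pam_deny.so' \
        'password optional pam_fscrypt.so  # constructed sample' >"$d/common-password"
    printf '%s\n' 'auth required pam_unix.so' \
        'password required pam_unix.so' >"$d/example-gui"   # hypothetical service
    printf '%s\n' "$d"
}

dir=$(make_sample_pam_dir)
for svc in passwd example-gui; do
    if password_stack_has_fscrypt "$dir" "$svc"; then
        echo "$svc: password stack calls pam_fscrypt.so"
    else
        echo "$svc: pam_fscrypt.so missing from password stack"
    fi
done
rm -rf "$dir"
```

This covers the configuration side only: as the report notes for sudo and root, a password change made with elevated privileges can still leave the login protector out of sync even when the module is present.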