I'd like to be able to run a script, have it prompt me for my password, and then mount an ecryptfs directory. I do not want the password to sit around on the file system, or show up in logs, `ps`, etc. I thought I could use a temporary file descriptor for this; however, `ecryptfs` returns an error with the following statements.

```
willi@hostname:~$ exec 3<<<"passphrase_passwd="$(zenity --password)
willi@hostname:~$ sudo mount -t ecryptfs -o ecryptfs_cipher=aes,\
ecryptfs_key_bytes=16,ecryptfs_passthrough=no,\
ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=1234678765432345678,\
key=passphrase:passphrase_passwd_fd=3 /mountpoint/ /mountpoint/
Error attempting to evaluate mount options: [-1] Operation not permitted
Check your system logs for details on why this happened.
Try updating your ecryptfs-utils package, and/or
submit a bug report on https://bugs.launchpad.net/ecryptfs
```

After the error is returned, I can verify that `ecryptfs` did not read the file descriptor, because the password is still sitting in it:

```
willi@hostname:~$ cat <&3
passphrase_passwd=test
```

I reviewed the approach in encryptfs auto-mounting script, though I'd like to avoid having the password in a file on the file system.

I'm using version 103 of `ecryptfs-utils`:

```
willi@hostname:~$ ecryptfsd --version
ecryptfsd (ecryptfs-utils) 103
This is free software. You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.
```

How can I use the temporary file descriptor with `ecryptfs`?

Turns out the issue was the fact that I was running `zenity` as a normal user, and then using `sudo` to execute the mount command. When I stuck both commands in a script and ran the entire script as root, things worked perfectly.
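
The fix described in the answer, written out as a script (an added example, not the poster's code): `sudo` closes inherited file descriptors above 2 by default, so fd 3 has to be opened inside the process that already runs as root. The script name, `build_opts` and `with_passphrase_fd` are hypothetical; the mount options and the `zenity --password` prompt are taken from the question.

```sh
#!/bin/sh
# Added example, not the poster's script. Run as root:
#   sudo ./mount-ecryptfs.sh /mountpoint
# The script name and helper function names are hypothetical.

FNEK_SIG=1234678765432345678   # signature value copied from the question

# Build the -o option string from the question; $1 is the fd mount should read.
build_opts() {
    printf 'ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,'
    printf 'ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=%s,' "$FNEK_SIG"
    printf 'key=passphrase:passphrase_passwd_fd=%s' "$1"
}

# Read the passphrase from stdin, expose it to "$@" on fd 3 as
# "passphrase_passwd=<secret>", then close the fd. The here-document keeps the
# secret out of argv and the environment of the command that is run.
with_passphrase_fd() {
    secret=$(cat)
    # An empty value means the prompt was cancelled; do not attempt the mount.
    [ -n "$secret" ] || { echo "no passphrase given" >&2; return 1; }
    exec 3<<EOF
passphrase_passwd=$secret
EOF
    unset secret
    "$@"
    rc=$?
    exec 3<&-
    return "$rc"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this script as root" >&2
        return 1
    fi
    # Prompt and mount happen in the same root-owned process tree, so fd 3 is
    # inherited by mount directly instead of being dropped by sudo.
    zenity --password |
        with_passphrase_fd mount -t ecryptfs -o "$(build_opts 3)" "$1" "$1"
}

# Only act when given a mount point, e.g. /mountpoint as in the question.
if [ "$#" -eq 1 ]; then
    main "$1"
fi
```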