ecryptfs: drop #479934

Merged
doronbehar merged 1 commit into NixOS:master from Sigmanificient:ecryptfs
Jan 14, 2026
@Sigmanificient
Member

Sigmanificient commented Jan 14, 2026

While looking into python2 remaining bits, I came across this package, and it seems appropriate to remove it.

ecryptfs hasn't been updated since May 2016, and seems to have questionable maintenance, which is a huge security concern for a filesystem. ecryptfs-helper was also dropped a while ago.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@Sigmanificient Sigmanificient force-pushed the ecryptfs branch 2 times, most recently from 811d4a1 to f99527f Compare January 14, 2026 05:33
@nixpkgs-ci nixpkgs-ci bot requested a review from obadz January 14, 2026 05:38
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 14, 2026
@nixpkgs-ci nixpkgs-ci bot added 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation labels Jan 14, 2026
@phanirithvij

This comment was marked as outdated.

@Sigmanificient
Member Author

ugh

@phanirithvij
Member

I think it's an issue with how nix.conf was set up by nixpkgs-review-gha. Let me see if I can fix that.

I don't know about darwin and linux-builder on darwin etc. I will try to fix the aarch64-linux tests.

@phanirithvij
Member

phanirithvij commented Jan 14, 2026

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 479934
Commit: 393e901437caa3cbc7753471b8f5e4c7168f1c7b (subsequent changes)
Merge: 6a038dd39118d2ef1a4d75b240ee7e8543320b50

Logs: https://github.com/phanirithvij/nixpkgs-review-gha/actions/runs/20984743938


x86_64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 1 test built:
  • nixosTests.simple
✅ 5 packages built:
  • tests.devShellTools.nixos
  • tests.testers.lycheeLinkCheck.network
  • tests.testers.nixosTest-example
  • tests.testers.runNixOSTest-example (tests.testers.runNixOSTest-extendNixOS)
  • tests.trivial-builders.references

aarch64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
❌ 1 package failed to build:
  • tests.devShellTools.nixos
✅ 1 test built:
  • nixosTests.simple
✅ 4 packages built:
  • tests.testers.lycheeLinkCheck.network
  • tests.testers.nixosTest-example
  • tests.testers.runNixOSTest-example (tests.testers.runNixOSTest-extendNixOS)
  • tests.trivial-builders.references

Error logs: `aarch64-linux`
tests.devShellTools.nixos
timeout reached; test terminating...
kill machine (pid 9)
qemu-system-aarch64: terminating on signal 15 from pid 6 (/nix/store/y88crn50yx35fiiwcjx6xqwi6ahk7mlq-python3-3.13.11/bin/python3.13)
vde_switch: EOF data port: Interrupted system call
vde_switch: EOF on stdin, cleaning up and exiting
Terminated                 /nix/store/44m8msqzwfp906mw2xcxj7f1gdqf7mzz-nixos-test-driver-docker-tools-nix-shell/bin/nixos-test-driver -o $out

x86_64-darwin (sandbox = true)

❌ 2 packages failed to build:
  • darwin.linux-builder (darwin.linux-builder-x86_64)
  • nixosTests.simple

aarch64-darwin (sandbox = true)

❌ 3 packages failed to build:
  • darwin.linux-builder
  • darwin.linux-builder-x86_64
  • nixosTests.simple

@doronbehar
Contributor

doronbehar left a comment

Changes look good to me. Let's try to figure out what's up with the nixpkgs-review potentially false failures.

@Sigmanificient Sigmanificient force-pushed the ecryptfs branch 2 times, most recently from 6e55dbf to cd51773 Compare January 14, 2026 08:29
@Sigmanificient
Member Author

Sigmanificient commented Jan 14, 2026

Added the mkRemovedOptionModule for programs.ecryptfs and security.pam.enableEcryptfs

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jan 14, 2026
@SigmaSquadron
Contributor

SigmaSquadron left a comment

Looks good to me! Let's hope that the nixpkgs-review failures are flukes and this deprecated encryption system isn't somehow load-bearing

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Jan 14, 2026
@Sigmanificient
Member Author

nixpkgs-review result

Generated using nixpkgs-review-gha

Command: nixpkgs-review pr 479934
Commit: a939c13d898c5b2fae1f2ca88de3a22f176e82a1 (subsequent changes)
Merge: 588d71b26c52a35594c6a88f208bbd9b59b91b8c

Logs: https://github.com/Sigmanificient/nixpkgs-review-gha/actions/runs/20987653774


x86_64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
✅ 1 test built:
  • nixosTests.simple
✅ 5 packages built:
  • tests.devShellTools.nixos
  • tests.testers.lycheeLinkCheck.network
  • tests.testers.nixosTest-example
  • tests.testers.runNixOSTest-example (tests.testers.runNixOSTest-extendNixOS)
  • tests.trivial-builders.references

aarch64-linux

⏩ 2 packages blacklisted:
  • nixos-install-tools
  • tests.nixos-functions.nixos-test
❌ 6 packages failed to build:
  • nixosTests.simple
  • tests.devShellTools.nixos
  • tests.testers.lycheeLinkCheck.network
  • tests.testers.nixosTest-example
  • tests.testers.runNixOSTest-example (tests.testers.runNixOSTest-extendNixOS)
  • tests.trivial-builders.references

x86_64-darwin (sandbox = true)

❌ 2 packages failed to build:
  • darwin.linux-builder (darwin.linux-builder-x86_64)
  • nixosTests.simple

aarch64-darwin (sandbox = true)

❌ 3 packages failed to build:
  • darwin.linux-builder
  • darwin.linux-builder-x86_64
  • nixosTests.simple

@Sigmanificient
Member Author

Oh no :<

@phanirithvij
Member

phanirithvij left a comment

also lgtm, aarch64-linux nixostest failure seems weird, test timed out

You have to add EXTRA_NIX_CONFIG over at your repo's https://github.com/phanirithvij/nixpkgs-review-gha/settings/variables/actions with a value of system-features = nixos-test benchmark big-parallel kvm uid-range to fix the aarch64-linux issues

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Jan 14, 2026
@obadz
Contributor

obadz commented Jan 14, 2026

I'm the author of ecryptfs-helper and I originally worked on the ecryptfs NixOS integration as I needed it to migrate to NixOS in 2015. I think this is a reasonable change. We're sadly not getting a clear message from upstream, but it seems kernel maintainers are talking about deprecating ecryptfs. I worry this might leave some users with unmountable homes but I guess the beauty of NixOS is it's easy to reboot on the previous OS version to recover your files and migrate them to fscrypt or whatever. Anyway, LGTM.

@nixpkgs-ci nixpkgs-ci bot added the 12.approved-by: package-maintainer This PR was reviewed and approved by a maintainer listed in any of the changed packages. label Jan 14, 2026
@doronbehar
Contributor

> also lgtm, aarch64-linux nixostest failure seems weird, test timed out
>
> You have to add EXTRA_NIX_CONFIG over at your repo's phanirithvij/nixpkgs-review-gha/settings/variables/actions with a value of system-features = nixos-test benchmark big-parallel kvm uid-range to fix the aarch64-linux issues

So this works now after you added it?

@phanirithvij
Member

Yes, see #479934 (comment)

@doronbehar
Contributor

doronbehar commented Jan 14, 2026

> I worry this might leave some users with unmountable homes but I guess the beauty of NixOS is it's easy to reboot on the previous OS version to recover your files and migrate them to fscrypt or whatever. Anyway, LGTM.

Also, the PR adds evaluation errors that should warn them prior to that state of unmountable homes.

@doronbehar doronbehar added this pull request to the merge queue Jan 14, 2026
@doronbehar doronbehar removed this pull request from the merge queue due to a manual request Jan 14, 2026
@doronbehar doronbehar added this pull request to the merge queue Jan 14, 2026
@doronbehar
Contributor

Merged via the queue into NixOS:master with commit 3632d76 Jan 14, 2026
34 of 36 checks passed
@doronbehar
Contributor

@Sigmanificient please add a link to this PR in the thread above 🙏 .

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/117

@obadz
Contributor

obadz commented Jan 31, 2026

I'll include my "quick migration to fscrypt guide" here in case it helps someone:

  1. Install fscrypt & pam_fscrypt (just pam.enableFscrypt = true; really)
  2. It should have been already when you were using ecryptfs, but make sure your password in /etc/shadow is hashed with a strong algorithm like yescrypt or argon2id with many rounds (loginDefs.settings.ENCRYPT_METHOD = "YESCRYPT"; loginDefs.settings.YESCRYPT_COST_FACTOR = "11"; and change your password. Need to check this actually works.)
  3. sudo tune2fs -O encrypt /dev/...partition...
  4. sudo fscrypt setup
  5. sudo mkdir /home/$USER.future && sudo chown $USER:$USER /home/$USER.future && sudo chmod 700 /home/$USER.future
  6. sudo fscrypt encrypt /home/$USER.future --user=$USER
  7. Close any and all apps which could prevent files from being moved such as browsers etc.
  8. shopt -s dotglob
  9. mv -v /home/$USER/* /home/$USER.future # Reencrypts everything DESTRUCTIVELY.. Consider cp -av if you have the space
  10. shopt -u dotglob # Undo 8..
  11. Log off, log in as root, pkill -u $USER, mv -v /home/$USER /home/$USER.past && mv -v /home/$USER.future /home/$USER (make sure to replace $USER since you are now root)
  12. Log back in, rm -rvf /home/$USER.past

Help the next person by commenting back here with any tweaks that you needed.

@Twey
Contributor

Twey commented Feb 6, 2026

ecryptfs seems to be receiving active updates. There's some discussion about possibly beginning a slow deprecation procedure (starting with removing write support) in the future.

fscrypt isn't really a viable migration path for people using ecryptfs on unsupported or uncontrolled filesystems (e.g. remote cloud backups, which was always a primary target for ecryptfs). Maybe CryFS or gocryptfs, though performance seems to be worse and (since they aren't maintained in the kernel) I'd consider stability guarantees to be a little less reliable, which is always a bit scary for this sort of thing — nobody wants to find their backups unrecoverable in a few years.

@mayjs
Contributor

mayjs commented Feb 22, 2026

> I'll include my "quick migration to fscrypt guide" here in case it helps someone:
>
> 1. Install fscrypt & pam_fscrypt (just `pam.enableFscrypt = true;` really)
>
> 2. It should have been already when you were using ecryptfs, but make sure your password in `/etc/shadow` is hashed with a strong algorithm like yescrypt or argon2id with many rounds (`loginDefs.settings.ENCRYPT_METHOD = "YESCRYPT"; loginDefs.settings.YESCRYPT_COST_FACTOR = "11";` and change your password. Need to check this actually works.)
>
> 3. `sudo tune2fs -O encrypt /dev/...partition...`
>
> 4. `sudo fscrypt setup`
>
> 5. `sudo mkdir /home/$USER.future && sudo chown $USER:$USER /home/$USER.future && sudo chmod 700 /home/$USER.future`
>
> 6. `sudo fscrypt encrypt /home/$USER.future --user=$USER`
>
> 7. Close any and all apps which could prevent files from being moved such as browsers etc.
>
> 8. `shopt -s dotglob`
>
> 9. `mv -v /home/$USER/* /home/$USER.future # Reencrypts everything DESTRUCTIVELY.. Consider cp -av if you have the space`
>
> 10. `shopt -u dotglob  # Undo 8..`
>
> 11. Log off, log in as root, pkill -u $USER, `mv -v /home/$USER /home/$USER.past && mv -v /home/$USER.future /home/$USER` (make sure to replace `$USER` since you are now root)
>
> 12. Log back in, `rm -rvf /home/$USER.past`
>
> Help the next person by commenting back here with any tweaks that you needed.

Just followed this procedure for my migration. Two notes:

  1. I had to use rsync with the --remove-source-files option instead of mv. Apparently, mv only removes the files at the origin location once all files have been transferred.
  2. In case you have any mountpoints in your home directory, make sure to unmount them first.

Apart from that, the procedure worked fine.
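
A pre-flight check for two points raised in this thread: step 2 of the guide (which scheme the `/etc/shadow` hash uses) and the note about mountpoints inside the home directory. This is an added example, not part of any comment above or of nixpkgs; the function names and the sample shadow and mounts lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before the migration steps. All sample
# data is constructed; the hash strings are placeholders, not real hashes.

# Map a shadow(5) password field to its crypt(5) scheme by prefix.
shadow_scheme() {
  case "$1" in
    '$y$'*)          echo yescrypt ;;
    '$gy$'*)         echo gost-yescrypt ;;
    '$7$'*)          echo scrypt ;;
    '$2'[abxy]'$'*)  echo bcrypt ;;
    '$6$'*)          echo sha512crypt ;;
    '$5$'*)          echo sha256crypt ;;
    '$1$'*)          echo md5crypt ;;
    ''|'!'*|'*'*)    echo locked-or-empty ;;
    *)               echo unknown ;;
  esac
}

# stdin: shadow-format lines. Status 0 if user $1 has a yescrypt hash,
# 1 if another scheme, 2 if the user is not listed.
user_hash_is_yescrypt() {
  local name field rest
  while IFS=: read -r name field rest; do
    [ "$name" = "$1" ] || continue
    [ "$(shadow_scheme "$field")" = yescrypt ]; return
  done
  return 2
}

# stdin: /proc/self/mounts-format lines. Prints mount points strictly
# below directory $1, which must be unmounted before the move.
nested_mounts() {
  local home="${1%/}" dev mnt rest
  while read -r dev mnt rest; do
    mnt=$(printf '%b' "$mnt")   # decode \040-style octal escapes
    case "$mnt" in "$home"/*) printf '%s\n' "$mnt" ;; esac
  done
}

SAMPLE_SHADOW='alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::'
SAMPLE_MOUNTS='/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /home/alice/mnt/usb\040stick vfat rw 0 0
tmpfs /home/alice.future/cache tmpfs rw 0 0'

for u in alice bob; do
  printf '%s\n' "$SAMPLE_SHADOW" | user_hash_is_yescrypt "$u" \
    && echo "$u: yescrypt hash" || echo "$u: re-hash password (step 2)"
done
printf '%s\n' "$SAMPLE_MOUNTS" | nested_mounts /home/alice | sed 's/^/unmount first: /'
```

On a real system the same functions read `sudo getent shadow "$USER"` and `/proc/self/mounts` on stdin in place of the sample strings.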

@Sigmanificient Sigmanificient deleted the ecryptfs branch February 22, 2026 22:41