Can't lock folders encrypted with fscrypt

[nokia8801]

I have multiple folders encrypted with fscrypt in various directories. They have various files in them (images, videos, text). I open a file and close it with Ctrl+Q. Then I want to lock the folder with fscrypt lock test/, however it always fails. Doesn't matter which folder or which file.

[ERROR] fscrypt lock: Directory was incompletely locked because some files are still open. These files remain
                      accessible.

Try killing any processes using files in the directory, for example using:

     find "test/" -print0 | xargs -0 fuser -k

Then re-run:

     fscrypt lock "test/"

Running find "test/" -print0 | xargs -0 fuser -k as user I get:

Cannot stat file /proc/1025/fd/0: Permission denied
Cannot stat file /proc/1025/fd/1: Permission denied
Cannot stat file /proc/1025/fd/2: Permission denied
Cannot stat file /proc/1025/fd/3: Permission denied
Cannot stat file /proc/1025/fd/4: Permission denied
Cannot stat file /proc/1025/fd/5: Permission denied
Cannot stat file /proc/1025/fd/6: Permission denied
Cannot stat file /proc/1025/fd/7: Permission denied
Cannot stat file /proc/1025/fd/8: Permission denied
Cannot stat file /proc/1025/fd/9: Permission denied
...
Cannot stat file /proc/1025/fd/126: Permission denied

Running it as root I don't get the permission denied error. However, re-running fscrypt lock test/ still doesn't work. I make sure I close all files I open with Ctrl+Q. The thumbnails for the files are already generated. When it is "locked" in this state, I can see all the folder names and files, even the thumbnails, but I can't actually open or view any of them.

Error opening file. Required key not available.

This is what fscrypt status test/ says:

"test/" is encrypted with fscrypt.

Policy:   f307c445aef870630f1d56a6e272320c
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Partially (incompletely locked)

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
c140495356242008  No      custom protector "Test"

Arch Linux
linux 6.7.4.arch1-1
fscrypt version v0.3.4

When I reboot, the folders are properly locked and nothing inside is visible. But unlocking results in the same issue. Have to keep rebooting.

[ebiggers]

Does lsof show any open files in the directory?

Also, did you assign the same encryption policy to multiple directories, using fscrypt encrypt --policy=MOUNTPOINT:ID, or did you just use regular fscrypt encrypt?

[nokia8801]

lsof +D test/ doesn't show anything. Neither does lsof -x f +D test/. I know the lsof +D test/ command works cause when actually viewing a file, it reports correctly that only that file is open. When I quit viewing the file, the command returns nothing. If I just do lsof > test.txt I can see the same Cannot stat file /proc/1025/fd/0: Permission denied errors at the top of the file, but worded differently.

COMMAND     PID   TID TASKCMD    USER         FD  TYPE    DEVICE    SIZE/OFF  NODE NAME
systemd    1028                  nokia8801    0   unknown                     /proc/1028/fd/0 (readlink: Permission denied)
...

I just used regular fscrypt encrypt for all the test folders. They all have different policies (different hashes) with different passwords for custom protector.

Even unlocking and trying to lock after doing nothing, not opening files or even doing ls/cd into folder, doesn't work.

[ebiggers]

Can you check which file it is that is still in use? Try dmesg | grep "still busy after removing key", then find test/ -inum $inum, replacing $inum with the inode number from the end of the log message.

[nokia8801]

dmesg | grep "still busy after removing key"

[ 1242.720357] fscrypt: dm-0: 36 inode(s) still busy after removing key with identifier f307c445aef870630f1d56a6e272320c, including ino 483455
[ 1442.561889] fscrypt: dm-0: 36 inode(s) still busy after removing key with identifier f307c445aef870630f1d56a6e272320c, including ino 483455
[ 1998.322127] fscrypt: dm-0: 36 inode(s) still busy after removing key with identifier f307c445aef870630f1d56a6e272320c, including ino 483455
[ 2195.510761] fscrypt: dm-0: 38 inode(s) still busy after removing key with identifier f307c445aef870630f1d56a6e272320c, including ino 475592
[ 2507.639055] fscrypt: dm-0: 38 inode(s) still busy after removing key with identifier f307c445aef870630f1d56a6e272320c, including ino 475592

find test/ -inum 483455 and find test/ -inum 475592 shows two folders.

Edit: I have since tried the other fscrypt encrypted folders that I have and they lock properly, even though I can view, open and close the files as much as I want.

Now I created a new fscrypt encrypted folder (test3), created a text file with random words on it, viewed it and successfully locked it. Then I unlocked it and downloaded a wallpaper in it, viewed it and tried to lock it. Same issue. sudo dmesg | grep "still busy after removing key" shows [ 5221.166904] fscrypt: dm-0: 1 inode(s) still busy after removing key with identifier ec7e3c4a83a723035f77cbb6a36a686e, including ino 426085 and find test3/ -inum 426085 just shows test3/ and lsof +D test3/ shows nothing again.

[josephlr]

Hmmm this is very weird, I'm wondering if some process running as root is somehow holding onto a reference to one of the files. When you ran lsof was this done as root?

[nokia8801]

I did not run lsof as root. If I do I get:

lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.portal file system /run/user/1000/doc
      Output information may be incomplete.

So I'm trying to understand what could possibly be doing this. Here's what I've tried so far.

1. mkdir test5
2. fscrypt encrypt test5
3. fscrypt lock test5/ (successfully locked)
4. fscrypt unlock test5/; cd test5/; ls; cd ..; fscrypt lock test5/ (successfully locked)
5. fscrypt unlock test5/; cd test5/; echo "asd123" > text.txt; cd ..; fscrypt lock test5/ (successfully locked)
6. fscrypt unlock test5/; cd test5/; nano text.txt & gedit text.txt (quitting both nano and gedit)
7. cd ..; fscrypt lock test5/ (successfully locked)
8. fscrypt unlock test5/; cd test5/; wget "https://upload.wikimedia.org/wikipedia/commons/a/a5/Red_Kitten_01.jpg"; cd ..; fscrypt lock test5/ (successfully locked)
9. fscrypt unlock test5/; cd test5/; mpv Red_Kitten_01.jpg (quitting mpv)
10. cd ..; fscrypt lock test5/ (successfully locked)
11. fscrypt unlock test5/ and open the folder with GNOME Files (Thumbnail for Red_Kitten_01.jpg is generated) and fscrypt lock test5/ (successfully locked)
12. fscrypt unlock test5/ and open the folder again (thumbnail still visible), view the file with mpv again (double clicking) and fscrypt lock test5/ (successfully locked)
13. fscrypt unlock test5/, download an image using Firefox and the GNOME GTK file chooser save dialog, choose test5/ and save it, then fscrypt lock test5/ (failed to lock)

[ERROR] fscrypt lock: Directory was incompletely locked because some files are still open. These files remain
                      accessible.

Try killing any processes using files in the directory, for example using:

     find "test5/" -print0 | xargs -0 fuser -k

Then re-run:

     fscrypt lock "test5/"

That is just the new test folder I created. The main folder that I'm trying to lock, the reason I made this issue report is different. It immediately fails to lock after unlocking. Doesn't matter if I open it or not.

[ebiggers]

There has to be something that is holding a reference to one of the files. Technically, this doesn't necessarily mean that a file is "open" -- it could also be a process that has its current directory inside the directory or a kernel driver that has an internal reference to one of the files. I wonder what is different about case (13)? Maybe GNOME GVfs could be involved?

[nokia8801]

I deleted the two folders that was "still busy after removing key" with inum 475592 and 483455. I still can't lock it. Now it shows a completely different folder when I query with dmesg, inum 483458. When I did the original dmesg query, it did not show 483458 as "still busy after removing key", only showed the above two (475592 and 483455), now that I've deleted them it shows this folder. I feel like when I delete this folder too, it'll just choose another folder and it'll just keep going until there is nothing left, no folders or files. Maybe it won't be able to lock even then.

As I've demonstrated above, I don't think creating a brand new folder and encrypting that will help either. As eventually something will prevent it from locking too.

[lueckem]

After creating and encrypting a directory, I get the same error when trying to lock. Have you found a fix?

These are the commands I ran:

~ sudo fscrypt setup
Defaulting to policy_version 2 because kernel supports it.
Customizing passphrase hashing difficulty for this system...
Created global config file at "/etc/fscrypt.conf".
Allow users other than root to create fscrypt metadata on the root filesystem? (See
https://github.com/google/fscrypt#setting-up-fscrypt-on-a-filesystem) [y/N] y
Metadata directories created at "/.fscrypt", writable by everyone.
~ mkdir encrypted
~ fscrypt encrypt encrypted
The following protector sources are available:
1 - Your login passphrase (pam_passphrase)
2 - A custom passphrase (custom_passphrase)
3 - A raw 256-bit key (raw_key)
Enter the source number for the new protector [2 - custom_passphrase]: 2
Enter a name for the new protector: test
Enter custom passphrase for protector "test":
Confirm passphrase:
"encrypted" is now encrypted, unlocked, and ready for use.
~ echo "Hello" > encrypted/file.txt
~ cd encrypted
~/encrypted ls
.rw-r--r-- 6 2024-08-19 17:15 file.txt
~/encrypted cd ..
~ fscrypt lock encrypted
[ERROR] fscrypt lock: Directory was incompletely locked because some files are still open.

lsof and fuser both did not show any processes keeping the file open.

Some system info:
OS: Arch Linux x86_64
Kernel: 6.10.5-arch1-1
Shell: zsh 5.9
DE: Plasma 6.1.4
WM: kwin

[lueckem]

I think I found the culprit. I have file indexing for file search enabled in the KDE settings. After killing the associated process called baloo_file, fscrypt locks successfully.

I have not found any references mentioning that file indexing may interfere with fscrypt locking, so it does not seem to be a common issue.
Anyway, does someone know a fix?

[glumzzzer]

I'm no programmer but I found that once I restart the computer the files are locked. They just appear as a bunch of characters but this is only after I log in again.

[danielzgtg]

GNOME GTK file chooser save dialog

systemctl --user stop xdg-desktop-portal{-gnome,-gtk,}.service fixed fscrypt locking for me. The portals will restart when needed.

[T3sT3ro]

GNOME GTK file chooser save dialog

systemctl --user stop xdg-desktop-portal{-gnome,-gtk,}.service fixed fscrypt locking for me. The portals will restart when needed.

This helped temporarily, but it's a pain in the ass that this issue remains. I even had this problem with an empty vault(dir) today (or a vault I emptied after it didn't lock)? It is a pity that there is no way of telling what actually uses the directory/files in it.

Is there a way of telling?

[ebiggers]

That is what the fuser program is for.

But there are some edge cases in which it can miss processes.

[linas]

I hit this today. This alone was not enough:

systemctl --user stop xdg-desktop-portal-gtk.service

I tried it three times. (I don't have the -gnome.service variant) The fourth time:

systemctl --user status xdg-desktop-portal-gtk.service 

and that cleared enough state to actually get it to lock.

FWIW, the assorted fuser, lsof and dmesg greps came up empty. The only vaguely strange thing was lsof +D foo replied:

lsof: WARNING: can't stat() tmpfs file system /var/lib/...
      Output information may be incomplete.

but the directory in /var/lib had nothing to do with what's being encrypted.