Password on automount of encrypted devices should be re-asked if it is wrong
If an empty or wrong password is entered after automounting an encrypted device, then the password will not be re-asked as expected. Instead, only an error message is written to the journal.
The reason is that the AutomountManager._reaskPassword method is never called, because for the cases of empty or wrong passwords the returned error messages don't match the one (No key available with this passphrase) from the appropriate if query in the AutomountManager._onVolumeMounted method.
I got these messages in case of
no/empty password:
gnome-shell[15005]: Unable to mount volume 2,0 GB encrypted: Gio.IOErrorEnum: No key available to unlock device /dev/sdc1
wrong password:
gnome-shell[15005]: Unable to mount volume 2,0 GB encrypted: Gio.IOErrorEnum: Error unlocking /dev/sdc1: Failed to activate device: Operation not permitted
Unfortunately there is no special IOErrorEnum for these problems and the returned error messages are not very descriptive. However, after adding these error strings to the if statement in AutomountManager._onVolumeMounted as shown below, the password will be re-asked in both cases as expected.
    _onVolumeMounted(volume, res) {
        this._allowAutorunExpire(volume);
        try {
            volume.mount_finish(res);
            this._closeOperation(volume);
        } catch (e) {
            // FIXME: we will always get G_IO_ERROR_FAILED from the gvfs udisks
            // backend in this case, see
            // https://bugs.freedesktop.org/show_bug.cgi?id=51271
            if (e.message.indexOf('No key available with this passphrase') != -1 || // cryptsetup
                e.message.indexOf('No key available to unlock device') != -1 ||     // Udisks (no password)
                e.message.indexOf('Error unlocking') != -1) {                       // Udisks (wrong password)
                this._reaskPassword(volume);
            } else {
                if (!e.matches(Gio.IOErrorEnum, Gio.IOErrorEnum.FAILED_HANDLED))
                    log('Unable to mount volume ' + volume.get_name() + ': ' + e.toString());
                this._closeOperation(volume);
            }
        }
    },
I don't know if these message strings are unique enough to password errors in this context. In the worst case the (correctly entered) password might be re-asked again and again e.g. if there is a problem with permissions.
Tested with gnome-shell 3.30.1 (in gnome-shell 3.30.0 there was a problem with the automount password dialog not responding to the cancel and unlock buttons)
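The endless re-ask loop mentioned in the report can be bounded by counting re-asks per volume. The following is an added example, not part of the original report or of gnome-shell: `isPassphraseError`, `ReaskPolicy` and the limit of 3 are assumptions, the first two sample messages are the ones quoted in the report, and the third is constructed.

```javascript
// Substrings taken from the report; matching on message text is a stopgap
// because the backend only returns a generic G_IO_ERROR_FAILED.
const PASSPHRASE_ERROR_SUBSTRINGS = [
    'No key available with this passphrase', // cryptsetup
    'No key available to unlock device',     // UDisks, empty password
    'Error unlocking',                       // UDisks, wrong password
];
const MAX_REASK_ATTEMPTS = 3; // assumption: illustrative cap, not a gnome-shell value

function isPassphraseError(message) {
    return PASSPHRASE_ERROR_SUBSTRINGS.some(s => message.includes(s));
}

// Hypothetical helper: decides whether to prompt again or give up.
class ReaskPolicy {
    constructor(maxAttempts = MAX_REASK_ATTEMPTS) {
        this._maxAttempts = maxAttempts;
        this._attempts = new Map(); // volume id -> re-asks issued so far
    }

    // Returns 'reask' to prompt again, 'close' to end the mount operation.
    onMountError(volumeId, message) {
        if (!isPassphraseError(message)) {
            this._attempts.delete(volumeId);
            return 'close';
        }
        const n = (this._attempts.get(volumeId) || 0) + 1;
        if (n > this._maxAttempts) {
            // 'Error unlocking' also covers non-password failures such as
            // permission problems, so stop instead of looping forever.
            this._attempts.delete(volumeId);
            return 'close';
        }
        this._attempts.set(volumeId, n);
        return 'reask';
    }

    onMountSuccess(volumeId) {
        this._attempts.delete(volumeId);
    }
}

const SAMPLE_ERRORS = {
    empty: 'No key available to unlock device /dev/sdc1',
    wrong: 'Error unlocking /dev/sdc1: Failed to activate device: Operation not permitted',
    other: 'Operation was cancelled', // constructed, not from the report
};
```

In `_onVolumeMounted`, the `if` condition would become a check on the policy's return value, with `onMountSuccess` called after `mount_finish` succeeds.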