From 28e4999ebd9221a71488d715d9f1182b494216d8 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 8 Mar 2021 15:20:08 -0800 Subject: pam_fscrypt: decide cache dropping behavior automatically Configuring whether pam_fscrypt drops caches or not isn't really something the user should have to do, and it's also irrelevant for v2 encryption policies (the default on newer systems). It's better to have pam_fscrypt automatically decide whether it needs to drop caches or not. Do this by making pam_fscrypt check whether any encryption policy keys are being removed from a user keyring (rather than from a filesystem keyring). If so, it drops caches; otherwise it doesn't. This supersedes the "drop_caches" option, which won't do anything anymore. --- README.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 73153ed..4a59535 100644 --- a/README.md +++ b/README.md @@ -415,15 +415,12 @@ auth optional pam_fscrypt.so after `pam_unix.so` in `/etc/pam.d/common-auth` or similar, and to add the line: ``` -session optional pam_fscrypt.so drop_caches lock_policies +session optional pam_fscrypt.so lock_policies ``` after `pam_unix.so` in `/etc/pam.d/common-session` or similar. The `lock_policies` option locks the directories protected with the user's login -passphrase when the last session ends. The `drop_caches` option tells `fscrypt` -to clear the filesystem caches when the last session closes, ensuring all the -locked data is inaccessible; this only needed for v1 encryption policies. All -the types also support the `debug` option which prints additional debug -information to the syslog. +passphrase when the last session ends. All the types also support the `debug` +option which prints additional debug information to the syslog. ### Allowing `fscrypt` to check your login passphrase -- cgit v1.2.3