
I have a directory .cipher which is a mount point to an external storage. Now I want to mount this directory to a directory plain at boot time. A running service must access the data without a user logon. I did the following steps:

ecryptfs-add-passphrase --fnek
Passphrase: <pass>
Inserted auth tok with sig [<key1>] into the user session keyring
Inserted auth tok with sig [<key2>] into the user session keyring

/etc/fstab looks like:

 /cipher /plain ecryptfs noauto,user,rw,ecryptfs_cipher=aes,ecryptfs_fnek_sig=<key2>,ecryptfs_sig=<key1>,ecryptfs_key_bytes=24 0 0

If I execute in my /etc/init.d/myService or via console

mount -i /plain

I get the following lines in the syslog:

Oct 25 22:10:16 host kernel: [82852.145162] Could not find key with description: [<key1>]
Oct 25 22:10:16 host kernel: [82852.148914] process_request_key_err: No key
Oct 25 22:10:16 host kernel: [82852.148917] Could not find valid key in user session keyring for sig specified in mount option: [<key1>]
Oct 25 22:10:16 host kernel: [82852.156442] One or more global auth toks could not properly register; rc = [-2]
Oct 25 22:10:16 host kernel: [82852.156446] Error parsing options; rc = [-2]

How can I mount the ecryptfs at boot time?
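One way to do what the question asks, as an added example that is not part of the original post: load the passphrase from a root-only file into the keyring of the mounting process itself, then issue the same `mount -i` the question uses. Assumed (not on the page): the passphrase file /etc/ecryptfs/plain.pass, that `ecryptfs-add-passphrase --fnek -` reads the passphrase from stdin, and GNU `stat`.

```shell
#!/bin/sh
# Added example, not code from the question or answer: load the eCryptfs passphrase
# from a root-only file into the keyring of THIS process, then mount /cipher on /plain.
# Assumptions: passphrase lives in /etc/ecryptfs/plain.pass (0600, root:root),
# `ecryptfs-add-passphrase --fnek -` reads it from stdin, paths/options as in the fstab.
set -eu

PASSFILE=/etc/ecryptfs/plain.pass
LOWER=/cipher
UPPER=/plain

# Extract the two signatures printed by ecryptfs-add-passphrase --fnek.
# First line = file-content key (ecryptfs_sig), second = filename key (ecryptfs_fnek_sig).
# Prints "<sig1> <sig2>" on one line.
parse_sigs() {
    printf '%s\n' "$1" \
      | sed -n 's/^Inserted auth tok with sig \[\([0-9a-f]*\)\].*/\1/p' \
      | paste -s -d ' ' -
}

# Build the option string: the same options the fstab line uses, with the sigs filled in.
build_opts() {
    printf 'rw,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s' "$1" "$2"
}

# Refuse to proceed if anyone but root could read the passphrase file (GNU stat).
check_passfile() {
    [ "$(stat -c '%u %a' "$1")" = "0 600" ]
}

mount_plain() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    check_passfile "$PASSFILE" || { echo "$PASSFILE must be root-owned, mode 0600" >&2; return 1; }
    # Key insertion and mount happen in the same process, so the kernel finds the sigs
    # in this process's keyring search; at boot there is no logged-in user's keyring.
    out=$(ecryptfs-add-passphrase --fnek - < "$PASSFILE")
    set -- $(parse_sigs "$out")
    [ $# -eq 2 ] || { echo "unexpected ecryptfs-add-passphrase output" >&2; return 1; }
    # -i bypasses mount.ecryptfs, exactly as in the question, so nothing prompts.
    mount -i -t ecryptfs -o "$(build_opts "$1" "$2")" "$LOWER" "$UPPER"
}

# Constructed sample of the tool's output, used to exercise parse_sigs offline.
SAMPLE_OUTPUT='Inserted auth tok with sig [0123456789abcdef] into the user session keyring
Inserted auth tok with sig [fedcba9876543210] into the user session keyring'

# Only mount when explicitly asked (e.g. from the init script: plain-mount.sh --mount).
if [ "${1:-}" = "--mount" ]; then
    mount_plain
fi
```

Run it with --mount from the init script before the service starts; as the answer's comments note, this only protects the data at rest off the box, since anyone who can read the passphrase file or the mounted /plain sees plaintext.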

1 Answer

:) What is the point of disk encryption that requires no authentication?

What you could do (I've set this up before...) is use a security card, e.g. a YubiKey 4, alongside LUKS (it supports up to 5 security key slots, so one can have a security key, another can have a password).

The passwords are used to unlock the shared key, which in turn is used to encrypt / decrypt data...

I've not set this up on ecryptfs (only LUKS), but I think I remember seeing an article.

If I've misunderstood your question, I apologize...

mikejonesey

  • The point is that the encrypted data is on a cloud drive like Amazon S3, Dropbox, ... Everyone on my server can read the data but not the service provider. – Rüdiger Gubler Oct 25 '16 at 21:05
  • Essentially, once it's mounted, it's not encrypted; anyone with access to the machine has access to the data. ecryptfs is only encrypted at rest (good if you lose your laptop). Plus, if you store the password on the machine there is no point: the service provider can mount. – mikejonesey Oct 25 '16 at 21:15