Comment 2 for bug 1024476

There's no race condition, just some crusty logic in the code.

1) pam_ecryptfs adds the fnek to the kernel keyring if the kernel supports filename encryption. The eCryptfs module need to be loaded to check for filename encryption support. If it can't be loaded (because appropriate privileges are not available, in this case), then the fnek is not added to the kernel keyring.

2) mount.ecryptfs_private constructs a ecryptfs_fnek_sig= mount option if the Private.sig file contains two sigs and the fnek is already loaded into the kernel keyring. The Private.sig file does contain two sigs in this case, but the fnek was not loaded by pam_ecryptfs so the mount is done without filename encryption enabled.

After talking with Dustin, we can drop the filename encryption kernel support check in pam_ecryptfs and always add the fnek to the kernel keyring nowadays. It has been years since the kernel didn't support filename encryption.