** Summary changed:
- Updating snap applications is impossible if the home directory is encrypted
using fscrypt via systemd-homed
+ snapd refresh fails on fscrypt / systemd-homed encrypted home directories
(Required key not available)
** Description changed:
+ UPDATE 2026-06-19
+
+ Updating snap applications is impossible if the home directory is
+ encrypted using fscrypt via systemd-homed
+
+ === Issue Summary ===
+ When performing "sudo snap refresh" on systems where the user's home
directory is encrypted using fscrypt (specifically via systemd-homed), the
refresh fails during the data copying phase.
+
+ === Environment ===
+ - OS: Kubuntu / Ubuntu 26.04
+ - snapd version: 2.75.2
+ - Kernel: 7.0.0-14-generic
+ - Home directory encryption: fscrypt managed by systemd-homed
+
+ === Steps to Reproduce ===
+ 1. Configure a user account (e.g., testuser2) with an encrypted home folder
using systemd-homed with fscrypt storage.
+ 2. Install a snap that has user data in ~/snap and has a pending update
available (e.g., firefox from revision 8107 to 8504).
+ 3. Execute: sudo snap refresh
+
+ === Actual Behavior ===
+ The snap refresh fails with the following task error:
+ "Copy snap 'firefox' data (cannot copy '/home/testuser2/snap/firefox/8107' to
'/home/testuser2/snap/firefox/8504': failed to copy all: "cp: cannot create
directory '/home/testuser2/snap/firefox/8504': Required key not available" (1))"
+
+ === Root Cause Analysis ===
+ - When the user logs in, PAM (via systemd-homed) unlocks the
fscrypt-encrypted directory and loads the decryption key into the user's
keyring (@u).
+ - The `snapd` daemon, which runs as a system service under the `root` user,
operates in a different systemd service context and does not inherit or have
access to the logged-in user's keyring.
+ - When `snapd` attempts to copy user data and create the new revision
directory (8504) inside the encrypted parent directory
(/home/testuser2/snap/firefox/), the Linux kernel denies the directory creation
with ENOKEY ("Required key not available") because the decryption key is
missing from the daemon's keyring context.
+
+ === Suggested Workaround (used by the user) ===
+ Currently, the only way to bypass this is to manually move the ~/snap folder
to an unencrypted location (e.g. outside the encrypted home), symlink it back,
perform the refresh, and then move it back to restore encryption.
+
+
+
================================================================================
### Developer Support
Dear developers, I would highly appreciate it if you would be willing to fix
this bug as well, and if it could be a high enough priority for you.
### Rational Computer Configuration
This kind of personal computer configuration is not some super exotic thing.
It is not an overly exotic setup. On the contrary, in my opinion, it is the
most rational configuration possible.
### Advantages of fscrypt Encryption
This is because fscrypt encryption on Linux is the only form of encryption
that operates at the filesystem level, which makes it the most efficient
compared to all other types of encryption, including LUKS2 encryption.
Furthermore, the reason I actually chose fscrypt encryption via systemd-
homed is that it also supports screen unlocking and simultaneous login
using fingerprint FIDO2 hardware security key. Therefore, fscrypt
encryption is less hardware-intensive and essentially more efficient
than LUKS2.
### Comparison with Other Methods and systemd-homed Issues
What is important to state and bring to your attention is that when I use
fscrypt encryption following the official Google documentation—meaning without
using systemd-homed—and use a program called fscrypt, which is a manager (it
isn't part of the Linux kernel itself, but rather manages encryption at the
Linux kernel level), this exact program does not experience these same issues
when used for encryption. In that case, the update of those snap packages
always completes without any problems.
Conversely, with systemd-homed, which is supposedly meant to be a
better, more advanced system, it actually causes far more problems, and
I have to use a workaround to update snap packages.
### Analysis of the Update Problem
Artificial intelligence explained this bug to me as something where, for some
reason, the snapd system runs or operates as root, and this root user, for some
reason, does not have access to the home directory—which is why the application
updates do not complete successfully.
Furthermore, the AI suggested an interesting script to use for updating
those snap applications, and when using it, the updates actually do
complete successfully.
===================================
SNAP PACKAGE UPDATE FOR FSCRYPT AND SYSTEMD-HOMED COMBINATION EMERGENCY
TEMPORARY MAKESHIFT REPAIR
clear; echo "=== Starting safe update for encrypted home ==="; \
if [ -d "$HOME/snap" ] && [ ! -L "$HOME/snap" ]; then \
if sudo mv "$HOME/snap" "/home/$USER-snap-temp"; then \
ln -s "/home/$USER-snap-temp" "$HOME/snap"; \
echo "-> Folder moved, starting update..."; \
sudo snap refresh; \
REFRESH_STATUS=$?; \
echo "-> Cleaning up symlink..."; \
rm "$HOME/snap"; \
echo "-> Moving folder back to encrypted zone..."; \
sudo mv "/home/$USER-snap-temp" "$HOME/snap"; \
sudo chown -R "$USER:$USER" "$HOME/snap"; \
if [ $REFRESH_STATUS -eq 0 ]; then \
echo "=== COMPLETED SUCCESSFULLY ==="; \
echo "Applications were successfully updated and re-encrypted."; \
else \
echo "=== WARNING ==="; \
echo "The update itself failed (e.g., network error), but the
data was safely restored."; \
fi; \
else \
echo "Error: Failed to move the snap folder."; \
fi; \
else \
echo "Error: The folder $HOME/snap does not exist or is already a
symlink. Script aborted."; \
fi
======================================================================
### Possible Connection to Other Bugs
Additionally, I believe this bug might be related to an already existing bug
involving AppArmor.
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/2150642
Therefore, I would like to ask you to investigate whether there is a
connection or not, and whether these two bugs are somehow related.
-
================================================================================
ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: snapd 2.75.2+ubuntu26.04.2
ProcVersionSignature: Ubuntu 7.0.0-22.22-generic 7.0.0
Uname: Linux 7.0.0-22-generic x86_64
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Tue Jun 16 23:51:08 2026
InstallationDate: Installed on 2026-04-28 (49 days ago)
InstallationMedia: Kubuntu 26.04 "Resolute Raccoon" - Release amd64 (20260423)
SnapChanges: no changes found
SourcePackage: snapd
UpgradeStatus: No upgrade log present (probably fresh install)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156939
Title:
snapd refresh fails on fscrypt / systemd-homed encrypted home
directories (Required key not available)
To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/2156939/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
