From the Canyon Edge -- :-Dustin

Tuesday, December 2, 2008

Ubuntu Jaunty: Encrypted Home Directories (Beta Available!)

One of the biggest features (in my not-so-objective opinion) of Ubuntu Jaunty Jackalope is rapidly coming together...

Encrypted home directories!

I have two packages available for beta testing in my PPA:
  • adduser
  • ecryptfs-utils
To test this functionality on a Jaunty system, install these two packages and then, as the root user, create a "foo" user with an encrypted home:
  • adduser --encrypt-home foo
This will create the user, generate a mount passphrase, copy the /etc/skel default data into a mounted/encrypted home directory, take the new user password, wrap the mount passphrase, and then unmount the home directory. Subsequent logins by the "foo" user will mount the home directory accordingly.

I've tested this pretty thoroughly with both command-line, server logins, as well as graphical desktop logins. It's working really well, and I'm quite excited about it! This is going to be far easier and more secure than moving bits and pieces of data in ~/Private, and manually symlinking files and directories around.

Caveats...
  • Encrypted filenames have landed in the upstream Linux -mm kernel; but they're not in the Ubuntu Jaunty kernel yet. I think they should make in time for the Jaunty release.
  • Migrating an existing, non-encrypted home directory to an encrypted one is not something that we can do automatically--there's quite simply too much that can go wrong. I will, however, provide a wiki page describing how to do it as the root user, in a recovery shell. Basically, bad things can happen if any other processes running as the user try to read or write data in their home directory during the migration.
Next Steps...

I've released the code necessary to setup the encrypted home directory in ecryptfs-utils-67. As soon as Debian pulls that release into unstable, I'll merge it into Jaunty (and then you can skip the PPA step).

After that, I hope to add "Encrypt Home" as an option to both the graphical and server installers, when creating the administrator user. We should be able to do this in the Server Installer easily by Alpha-2, and the Desktop Installer by Alpha-3.

Also, we need to modify the graphical "User Settings" program as provided in system-tools-backends to support the --encrypt-home option.

Miscellaneous

Separate, but related to this work item are two other blueprints for Jaunty:
:-Dustin