From the Canyon Edge -- :-Dustin

Friday, February 27, 2009

Jaunty Encrypted Home Directories

So this post isn't exactly "hot off the press". It's about a month late. But better late than never... Two big announcements on the Ubuntu eCryptfs front:
  • Ubuntu now supports per-user encrypted home directories
  • Filenames are now encrypted too
I have been trusting eCryptfs with my entire home directory since December, and things have been working well.

Here are some simple instructions...

Server/Alternate Installer

It's easy to setup from the server/alternate installer:

LiveCD Desktop Installer

The desktop installation is only slightly more complex. Boot the LiveCD installer, and preseed a special value:
  • Select your language
  • Press F6
  • Then ESC
  • Add "user-setup/encrypt-home=true" just before the "--".

You will see a new option on the user-details page of the installer:

Post-installation, on a Running System

If you have a running Jaunty system, and you want to add another user, you can easily add a new user and have their home directory encrypted, with:

$ sudo adduser --encrypt-home foo_user

Important Caveats!

  1. You really must record your randomly generated mount passphrase after the installation. This is easy to do with:
    $ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
  2. Swap space. Decrypted copies of your files could easy leak to your swap space. I strongly recommended that either:
    • You do not use swap (I have 4GB memory and don't really need it)
    • Or your encrypt your swap with:
      $ sudo ecryptfs-setup-swap
    In either case, however, you will not be able to hibernate your system (but suspend will continue to work just fine). It is for this reason that the option is hidden in the default installation. We're trying to fix the swap issues for Karmic.
  3. Auto-login and encrypted-home are simply incompatible. You must enter a password to decrypt your home directory, so automatic login is not possible. However, if you want to automatically login to your desktop, you can actually use the encrypted-private feature, and store a subset of your data in ~/Private. After installation, you can configure this with:
    $ ecryptfs-setup-private
Migration of Existing Data to an Encrypted Home Directory

We won't be able to provide an automated mechanism for live migration of data into your encrypted home directory in time for Jaunty. (Sorry, more pressing Ubuntu Server work took precedence...) I will provide some step-by-step instructions (and maybe a script?) here in my blog--stay tuned!