Comments on From the Canyon Edge: Encrypted $HOME Now Offered at Installation
Blog author: Dustin Kirkland. Feed updated 2024-02-27T03:14:00.412-06:00. Comments 1 to 25 of 61.

dB, 2010-06-15T06:04:07.771-05:00:

I too am interested in sync'ing my .Private directory to the cloud. Is it safe to write to the .Private directory while it's mounted?

I did some quick experiments: with a file from the Private directory open in emacs, I deleted the corresponding file in .Private and things didn't work too well after that.

Wouldn't syncing the .Private directory to Ubuntu One potentially do what I did in my experiments?

waynemcl, 2009-11-11T13:00:35.680-06:00:

I'm considering syncing the private files to Ubuntu One, as you are doing. Do I have to log out to get ecryptfs to sync my data to the encrypted store? Can I do that manually? (I normally leave this machine logged in for weeks at a time). Thanks, cheers, W

Tatoute, 2009-11-09T11:31:37.167-06:00:

@Dustin

You said
"In terms of suspend/hibernate, as long as you require a passphrase to log back into your system on resume, your data is secure, even though mounted. How else is someone going to access your data? I'm interested to know..."

Suppose your system is hibernating. That means the full state of the machine is sleeping on disk (full copy of the RAM), including the current crypt/decrypt key.

I do not want to explain here how to use this fact, but it is clear that crypto-security is broken.

For the suspend case it may be more complex, but feasible as well. One best idea may be to find a means to go from suspend to hibernate.

Another method would be (for example if the disk is a SATA disk) to access the SATA socket (the PC still suspended), unplug the disk, plug it into another PC (SATA is hot-pluggable) and insert some backdoor. Then plug it back.

Anonymous, 2009-10-27T13:54:00.146-05:00:

Hi Dustin,

thanks for the swift reply. Ok, so an already existent home isn't encrypted automatically.

Thanks for the link - I'll try (fortunately there's already a hint for using rsync with an encrypted home in the comments)

Thomas

Dustin Kirkland, 2009-10-27T13:17:47.186-05:00:

Thomas-

If you can read your home directory contents from a LiveCD without entering a password, then yes, you missed a step. Your home directory is not encrypted.

You should be able to just uncomment that line again in your fstab (and remove any other non-encrypted swaps you might have) to re-enable encrypted swap.

As for migrating your non-encrypted $HOME to an encrypted $HOME, you certainly can do this by following the steps at:
 * http://blog.dustinkirkland.com/2009/06/migrating-to-encrypted-home-directory.html

:-Dustin

Anonymous, 2009-10-27T12:47:23.953-05:00:

Just found this great blog. Thanks for it.

I still have some questions. I've been using Linux for some years now (mainly Arch Linux) but never dived into the world of encryption.

On my Netbook I recently installed Ubuntu 9.10 by just wiping my / and leaving /home as it is.

I was interested in the encryption thing so I marked the appropriate option during installation.

First, I didn't know about encrypted swap and hibernation so I changed my fstab back to a "normal" swap. I only commented out the encryption line, so can I undo this by just uncommenting it?

I'm also not sure if my /home is encrypted although I marked this option. Booting from a Live USB drive allows me to read my home using nautilus as root.

Did I miss a step or is encryption only possible with a fresh /home?

Thanks in advance!

Unknown, 2009-10-16T02:51:40.833-05:00:

@jajaja

I wish you were right. But all the documentation says is that it should work, as long as other applications stack on top of it. I couldn't find an Ext2/3 file manager that supports LVM and recognizes volumes decrypted by freeotfe. I couldn't find references to anyone who succeeded doing this either. This was about 4 months ago.

Anonymous, 2009-10-15T16:56:16.944-05:00:

how do you turn off home drive encryption??

Anonymous, 2009-10-15T07:04:29.179-05:00:

Quote: At the moment, I think the major downside to eCryptFS is its lack of Windows drivers. You can't access your files from Windows. But neither can you with Luks+LVM :-(

I think that's not correct:
http://www.freeotfe.org supposedly supports LUKS and LVM, see http://www.freeotfe.org/downloads/FreeOTFE_PC5_10_PDA5_10.pdf on Page 99.

Unknown, 2009-10-15T06:30:44.411-05:00:

Mikko,

I find your complaint very misleading to people reading this blog. You should mention what has been tested there! If you read the hardware tested, it was a Dell netbook with an Intel Atom N270 CPU.

What do you expect? It's an Atom CPU for God's sake! Test on a Core 2 duo to have a more representative benchmark.

I'd like to see how this Netbook performs with Windows 7 Ultimate and bitlocker, or full disk encryption. Probably not that well either. The full-disk encryption test made a year earlier by the same people was on AMD Athlon 64 X2 4200+ AM2. So we are comparing apples and oranges.

I have tested the latest Karmic Beta with home encryption on my Core2 duo and I'm very happy with the performance. I have also tried with full-disk encryption and with encrypted home I perceive a faster booting.

So please instead of saying "Also the encrypted home has serious performance issues"

better say "encrypted home is not really suitable for netbooks or low-end CPUs".

Dustin, what about this? I have an idea:
Before offering the menu with installation options, run a quick CPU benchmark. If the test detects a slow CPU and the user selects home encryption, issue a warning that it might be too slow. If the CPU test is really discouraging, disable the option altogether or suggest Private folder instead.

After all, most people use netbooks for browsing, where encryption should have a minimal effect. Who would run an SQL server on a netbook? And if you are afraid of performance loss, just have the Private directory separated from your home.

I really don't see a problem with the current implementation.
On the contrary, we have one more option in the set

- No encryption
- Home encryption
- Private directory
- Full disk encryption

By the way, is the Private directory gone or offered by the alternate install CD? I'd keep it as an option for advanced users.

The only thing missing is a container-based home encryption with dynamic size, just like MacOS X. A fixed-size container-based one, like Opensuse, is in my opinion not that good.

At the moment, I think the major downside to eCryptFS is its lack of Windows drivers. You can't access your files from Windows. But neither can you with Luks+LVM :-(

Dustin Kirkland, 2009-10-10T18:36:16.632-05:00:

The installer is clearing the swap space, which is absolutely necessary to secure your setup.

:-Dustin

Mikko Ohtamaa, 2009-10-10T15:35:08.826-05:00:

There is a very nasty installer user experience bug related to encrypted home - indicator hangs for several dozens of minutes:

https://bugs.launchpad.net/ubuntu/+source/user-setup/+bug/432422

Also the encrypted home has serious performance issues:

http://www.phoronix.com/scan.php?page=article&item=ubuntu_910_encryption&num=3

I opened a "tuning thread" related to tuning the performance at ubuntuforums.org:

http://ubuntuforums.org/showthread.php?p=8084140#post8084140

Unknown, 2009-10-08T02:42:13.883-05:00:

Reading all the answers and questions from the people here has answered *all* my concerns.

You should really put them in a FAQ, because your detailed explanations are gold. Sorry to be somehow off topic. But I wanted to thank you Dustin for your contribution.

Unknown, 2009-09-26T07:42:27.072-05:00:

Thanks Dustin that did the trick.

Dustin Kirkland, 2009-09-25T11:05:25.115-05:00:

Felix-

Right, so if you've recorded your long, random passphrase, you should be able to just run 'ecryptfs-wrap-passphrase' and store that in $HOME/.ecryptfs/wrapped-passphrase. That should get you going ;-)

:-Dustin

Unknown, 2009-09-25T03:55:20.171-05:00:

Hi Dustin,

First of all sorry for mixing your name up. Well I tried ecryptfs-rewrap-passphrase and the command was successful.

But I still cannot mount my home dir. When I do ecryptfs-unwrap-passphrase it still shows "my login password" as my passphrase instead of the "987324072749032075" which I recorded as my mount passphrase after installation. (Or am I getting something wrong here?)

I guess everything should be fine if I get my recorded passphrase back in there.

How can I achieve that?

Thanks

Felix

Dustin Kirkland, 2009-09-24T10:29:39.040-05:00:

You can fix your setup with ecryptfs-rewrap-passphrase.

You should really use either passwd from the command line, or System->Preferences->About_Me to change your password.

I think Kees *just* fixed the bug you mentioned.

:-Dustin

Unknown, 2009-09-24T04:15:16.358-05:00:

Hi Kirk,

I'm using Karmic with encrypted home directory. So I wasn't able to see my desktop after I had changed my login password (Through Users and Groups).

I tried getting it to work with the "ecryptfs-wrap-passphrase ~/.ecryptfs/wrapped-passphrase" command. This also didn't work. I tried many things, but to make a long story short...

Looks like I messed up my unwrapped Mount Passphrase, since when I unwrap it now it shows my current password instead of the initial phrase (that I also backed up after installation)

Now my question: Is it possible to change the unwrapped mount phrase back to what it was using my backup? What command would I use for that?

Unknown, 2009-09-13T14:17:29.843-05:00:

Justin, how about further discussing a perfect partitioning scheme in Karmic? Maybe covering topics like LVM, encryption, separating personal data etc.

It will be great to have it as a guide to the next upcoming release.

Best,

Igor Gomes

dill, 2009-09-12T12:09:33.659-05:00:

I don't have Ubuntu One yet, so sorry if it's a dumb question: Isn't the Ubuntu One folder within the home folder?
If so, would the default behavior be that the data remains encrypted when uploaded by Ubuntu One if I have my whole home folder set to be encrypted?

Dustin Kirkland, 2009-09-12T11:25:03.991-05:00:

Dill-

Only if you upload the encrypted version of the file.

Personally, that's what I do. I sync my $HOME/.Private directory to Ubuntu One, such that my privacy is preserved there. There are a few drawbacks, though. If you use the web interface to browse your files in Ubuntu One, you only see encrypted filenames and data. That's okay by me, though. I don't use the web interface that much.

:-Dustin

dill, 2009-09-12T10:34:27.511-05:00:

If I encrypt my home folder does that mean all the files are still encrypted when they are uploaded if I'm using Ubuntu One?

Dustin Kirkland, 2009-09-10T12:04:53.081-05:00:

Surfin-

Thanks. Link fixed.

:-Dustin

Unknown, 2009-09-10T10:29:01.657-05:00:

Dustin, I clicked on the link to your changelog and it says the page cannot be found.

FL, 2009-09-10T09:28:58.756-05:00:

will do. sorry that you feel offended.