Wednesday, August 6, 2008

Encrypted Private Directories in Ubuntu Intrepid

From the Ubuntu Server Team...

Do you have sensitive data on your computer? Perhaps a file containing all of your passwords? Financial spreadsheets or GPG/SSH keys? Are you concerned about someone reading these files should your PC or laptop be stolen?

In Ubuntu's Intrepid Ibex development cycle, the Ubuntu Server Team is implementing support for an encrypted private directory in each user's home.

Getting Started

Install the 'ecryptfs-utils' package:

sudo apt-get install ecryptfs-utils

Run ecryptfs-setup-private as your non-root user:

ecryptfs-setup-private

After that, it's a matter of logging in/out, and reading/writing data in ~/Private. Personally, I have moved my ~/.ssh, ~/.gnupg, and ~/.mozilla directories into ~/Private, and symlinked them to their traditional locations.

  • Do NOT move your ~/.ecryptfs directory in ~/Private!!!

How does it work?

The underlying technology is a cryptographic virtual filesystem in the Linux kernel called eCryptfs, authored by Michael Halcrow of IBM.

When a user logs into an Ubuntu Intrepid system, their login passphrase is automatically used to decrypt a randomly generated mount passphrase. This mount passphrase will then cryptographically mount ~/.Private onto ~/Private. As long as ~/Private is mounted, the user can read and write sensitive data to files and directories under the virtual filesystem on ~/Private. The actual files stored in the underlying filesystem are encrypted, and located in ~/.Private. The only passphrase required is obtained when logging in (via console, ssh, gdm, etc). And the only files encrypted are those that the user consciously places in ~/Private. The user can then incrementally backup the encrypted ~/.Private directory to off-site storage.

A more complete discussion of the design details are available as a specification in the wiki:

Testers wanted!

Most of the integration of Encrypted Private Directories has been completed in Intrepid, and now we're looking for some proactive Ubuntu users to test this functionality before the legions of Ubuntu users begin trusting this technology with their personal data. With your help, hopefully we can shake out any remaining functionality or usability issues.

Please follow the complete, step-by-step, up-to-date instructions in the wiki:

And file relevant bugs in Launchpad against ecryptfs-utils:

:-Dustin

No comments:

Post a Comment

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin