Thursday, October 22, 2009

Linux Magazine: Ubuntu Encrypted Home

Back in April, Linux Magazine ran what I considered to be an inaccurate account of the OS-level security provided by our Ubuntu Distribution. Your Distro is Insecure: Ubuntu.

Frustrated with the piece, I blogged this in return: Your Article is Incorrect: Linux Magazine.

Following that post, I had a very constructive, private email conversation with Linux Magazine editor, Bryan Richard. We discussed a number of different ways that Canonical/Ubuntu might be able to respond to their previous article, which caused quite a stir on Ubuntu's public mailing lists.

I'm very pleased with Bryan's response. He invited me to author an article focusing on the security features that are available in Ubuntu. The result was published earlier today, focusing on Ubuntu's Encrypted Home Directory feature, which is rather unique among Linux distributions: Ubuntu's Encrypted Home Directory: A Canonical Approach to Data Privacy


Enjoy!
:-Dustin

5 comments:

  1. Hi,

    great article. But the thing with the encrypted backup I don't understand. If I make a backup with my normal user the data is stored non-encrypted. Only as super user or special backup user it is encrypted. Right?


    Steffen

    ReplyDelete
  2. Steffen:

    Uhm not exactly. Once you are logged in you can backup both the encrypted and unencrypted versions of files depending on which location in the filesystem you read from. Page 3 of the article covers this.

    The traditional unencrypted home directory for user "foo" doesn't exist until foo logins and eCryptfs is used to make the home directory mount point. But the encrypted version of the files can always be backed up..even by user "foo" who owns the files.

    -jef

    ReplyDelete
  3. Hi Jef,

    You mean a backup of ~.private? But if I backup this folder I only see encrypted file and folder names. If I only want to backup for instance my Documents/Work folder I can't select in this folder. If you have a solution please tell my. I'm only a normal user and maybe I don't see the obvious solution. Actually I am using rdiff-backup and a luks encrypted external hard drive.

    By the way: I'm using an encypted home since Jaunty without having any problems. Thanks a lot!

    ReplyDelete
  4. Steffen:

    I think your new comment describes a different scenario than your first comment so I'm not sure I can give you an answer that makes sense because I'm no longer sure I understand what you want to know.

    -jef

    ReplyDelete
  5. Encrypted home, wonderful. Thank you for the clear and instructive article

    Where I really need encryption is on a pendrive Ubuntu installation. Home directory encryption does not work out of the box on a pendrive created with the desktop utility on the menu item "USB Startup Disk Creator" on 9.10.

    Booting from the pendrive, the command "adduser –encrypt-home foo" creates a home directory which is encrypted, but the new user cannot log in. The login process hangs in some gdm "worker" routine, and the login screen reappears. The gdm process for the new user is still there when another user logs in.

    Would this perhaps be different if running usb-creator from the command line and adding the option "--safe"? Can't find what the --safe implies.

    Rgds, Jon Eliot

    ReplyDelete

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin