Tuesday, November 3, 2009

Register Bloodied by Lack of Research


Typically, I read and respect The Register. They usually run intriguing technology articles that make me think.

I'm quite disappointed with today's carelessly researched piece:
Specifically, these paragraphs regarding eCryptfs:

Encryption proved a hurdle for Ubuntu forum member XXXX, who decried the lack of automation on encrypting his home partition.

"I had chosen to encrypt the home partition when installing 9.04 and then wasn't able to get the passphrase command to complete the encryption process to work properly," XXXX wrote.

Finally, after a late night and getting some advice online, XXXX wrote: "I certainly wish the encryption mounting process was more automated like everything else is!!"

Lack of automation? In Ubuntu 9.10, encrypting your home directory is a matter of selecting a check box in the installer:


That's it. Users upgrading from 9.04 with an Encrypted Home simply run update-manager and upgrade all packages to 9.10. Their home directory encryption is not affected by this.

The author of this article found one post in the Ubuntu Forums poorly articulating an issue with home directory encryption and suddenly Ubuntu 9.10 users are getting "bloodied" by encryption in Ubuntu? Seriously?

The Register, we are expecting more from you...

:-Dustin

16 comments:

  1. But come on, it's ubuntu. No one uses that thing. >.< If it was windows no doubt anyone complaining is an idiot. ;)

  2. You should write to the Register and ask for clarification. In a lot of countries probably Microsoft's marketing departments placed articles like that. In 2 German magazines they published an article which said that Kubuntu does not have an update mechanism, a firewall, ...

  3. I've been thinking about thanking you --more precisely: you, Canonical, and all the Ubuntu/upstream contributors to this feature-- since my 9.10 install, so I guess it's a good occasion to say it here.

    eCryptfs integration in 9.10 plain rocks. I tried lots of encryption software, and for the first time I'm fully satisfied. A breeze to set up, nothing to maintain, decent performance, and totally transparent. Thanks.

  4. Cheers, guys! That means a lot!

    :-Dustin

  5. The comment about "not being able to get the passphrase command to complete" refers to, I imagine, the prompt you get when first booting with an encrypted home folder that asks for a passphrase. Perhaps the user hit some weird error at this point? To be honest it's a step I wasn't expecting; after selecting encrypted home folder during installation (and telling it that yes, it should use my password to unlock my home partition), why did I have to enter a password on first boot? Couldn't it use my login password? It was all very easy, but not quite as seamless as advertised.

  6. Perhaps user XXXX was meaning the passphrase information dialogue on first boot? I know I am running Xubuntu and have never gotten the dialogue to run and I wonder if it is calling only gnome-terminal and not (in my case) xfce-terminal. I just thought I would chime in on that front, but plan on putting in an entry on launchpad about it. Perhaps calling alternative's x-terminal-emulator instead?

    I do love ecryptfs and think it is rock solid. You are doing GREAT work, Dustin!

  7. iknowjoseph-

    Hi, thanks for the info. It doesn't make sense to encrypt your home directory without prompting for your passphrase. Otherwise, the "bad guys" would just boot your computer and get your data. The passphrase is absolutely necessary. Perhaps we need to explain this more clearly in the installer or documentation.

    :-Dustin

  8. presgas-

    Thanks, I do need to look into the XFCE issue.

    :-Dustin

  9. I just commented on confirmed bug here:
    https://bugs.launchpad.net/ecryptfs/+bug/365796

  10. Dustin, I accept that, I was just expecting the setup to be more tied to the user creation procedure, so that the passphrase I chose for my login would also be used to decrypt my home directory.

    Sorry, I should have thanked you for the feature in my original comment; I think it's fantastic and probably the main reason I updated to 9.10 instead of my usual policy of "wait a bit until I can be bothered to update, then find myself woefully behind".

    I'm not criticizing the fact that I was asked for a passphrase, it's just not something I was expecting (yes, it seems obvious now) and is possibly the step this original poster was complaining about. Having said that, a pretty dialogue box would have looked nicer than the terminal prompt ;-)

    Cheers, Joseph

  11. iknowjoseph-

    It *is* your login passphrase that's used to decrypt your home directory. Actually, to be precise, your login passphrase is used to decrypt a second, long, randomly generated "mount" passphrase. This is far more secure than your chosen login passphrase. Also, this is what allows you to change your login passphrase as much as you want. When you do so, we only have to re-encrypt your mount passphrase, rather than every single file in your home directory.

    The prompt you get on your first login is to record this randomly generated passphrase. You shouldn't ever need this, *unless* you have to recover your data from a backup. In this case, this passphrase will be critically important.

    :-Dustin

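The wrapping scheme described in comment 11, as an added sketch that is not part of the original thread and is not eCryptfs's own code or on-disk format. PBKDF2 and the HMAC-based keystream are stand-ins chosen to stay within Python's standard library, and all function names and sample passphrases are hypothetical.

```python
import hashlib, hmac, secrets

ITER = 100_000  # PBKDF2 rounds; illustrative value, not eCryptfs's

def _kek(login_pw: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the login passphrase.
    return hashlib.pbkdf2_hmac("sha256", login_pw.encode(), salt, ITER, dklen=64)

def _stream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in keystream (stdlib only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(mount_pw: bytes, login_pw: str) -> bytes:
    # Encrypt-then-MAC the mount passphrase under the login-derived key.
    salt = secrets.token_bytes(16)
    k = _kek(login_pw, salt)
    enc_key, mac_key = k[:32], k[32:]
    ct = bytes(a ^ b for a, b in zip(mount_pw, _stream(enc_key, len(mount_pw))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unwrap(blob: bytes, login_pw: str) -> bytes:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    k = _kek(login_pw, salt)
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong login passphrase or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, len(ct))))

def rewrap(blob: bytes, old_pw: str, new_pw: str) -> bytes:
    # Login passphrase change: only this small blob is rewritten, no file data.
    return wrap(unwrap(blob, old_pw), new_pw)

def demo() -> dict:
    mount_pw = secrets.token_hex(16).encode()  # constructed random "mount" passphrase
    blob = wrap(mount_pw, "old login pw")      # constructed sample passphrases
    blob2 = rewrap(blob, "old login pw", "new login pw")
    try:
        unwrap(blob2, "old login pw"); old_rejected = False
    except ValueError:
        old_rejected = True
    return {"same_mount_pw": unwrap(blob2, "new login pw") == mount_pw,
            "old_rejected": old_rejected, "blob_bytes": len(blob2)}
```

The mount passphrase that comes back is identical before and after the login passphrase change, which is why a recorded copy of it stays valid for recovering a backup.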
  12. The Register have made total twats of themselves! I've been running 9.10 since alpha4 - no problems, everything from graphics, to sound to even brightness works out of the box on my Sony SZ770 - believe me, I've been through more distros than I can remember, the best by far is 9.10 when it comes to my laptop.

  13. Hi,
    I think you are over-reacting to the article. Sure, the headline is controversial, but that is expected of grab-your-attention-media. The article contains other examples of upgrade/install problems with Koala, not just the single encryption example.

    After following the link to http://ubuntuforums.org/showthread.php?t=1305924 I was relieved to find that I was not alone. I have been using Ubuntu for 3 years now, and after upgrading to 9.10 I have had multiple problems (including the flickering screen, kernel problems, and failure to run encryption, amongst others).

    While trying to understand why my system will not unencrypt files anymore is how I got to your blog site. I have learnt a lot (I am still waiting for the "linux learning plateau" that everyone states), but will have to endure multiple problems until certain bugs are fixed.
    Cheers, Ludik

  14. Ronan: "eCryptfs integration in 9.10 plain rocks. I tried lots of encryption software, and for the first time I'm fully satisfied. A breeze to set up, nothing to maintain, decent performance, and totally transparent."

    1. With that setup, swap is luks-encrypted, but tmp is not. One would have to fix that manually. I ran strings on some files in tmp after the install and found contents of gnome notes there left by a desktop search utility.

    2. fstab uses UUID but crypttab uses device names for swap, like /dev/sdb2. What would happen if the OS is on a USB drive and you boot it from a computer with an extra hard drive so that the correct device is now sdc2? I was not able to fix that, because the "/dev/disk/by-uuid" mechanism now works only once. On the next boot the uuid of the swap (or tmp) partition disappears. Is there a way to fix this?

  15. Can anyone tell me if encrypted and non-encrypted home directories can co-exist in Ubuntu 9.10 Karmic Koala? I have a shared family account right now, but want to set up another account just for me that has its home directory encrypted. Will this work?

    Thanks for the great blog!

  16. datagrab-

    Yes, each independent user on the system can either have an encrypted home directory, or not, under Ubuntu.

    :-Dustin


Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin