From the Canyon Edge -- :-Dustin

Tuesday, July 31, 2012

Data Security and Key Management in the Cloud

Key management in cloud computing presents a brand new, unique, and distinct set of challenges which are in many cases disparate from the traditional set of key management problems system administrators have been dealing with for decades in physical data centers.  In fact, this very topic, in conjunction with data security and privacy, is the subject of two presentations I’m giving in the next 30 days at:

How are you managing your most sensitive information stored in the Cloud? Are you encrypting that data? Where are you storing your cryptographic keys and certificates? And who has access to them? If you have a stake in your organization's security, these questions may be keeping you up at night.

Cloud storage and Big Data present significant opportunities for enterprises, but those opportunities bring several huge challenges. In this session, we’ll explore:
  • What's not secure, not acceptable, not working --- but totally pervasive!
  • Where encryption makes the most sense around Cloud and Big Data applications
  • Key sprawl in the cloud
  • The strengths and weaknesses of various key management options
  • Easing the pain - Recent innovations for managing keys and company secrets
  • Real-world use cases – from web servers to encrypted file systems to big data to SSH to SSL
I hope you’ll join me for one or both of these talks!


Tuesday, July 17, 2012

ecryptfs-utils-99 released

ecryptfs-utils (99-0ubuntu1) quantal; urgency=low

  [ Dustin Kirkland ]
  * debian/ecryptfs-utils.postinst: LP: #936093
    - ensure desktop file is executable
  * precise

  [ Wesley Wiedenmeier ]
  * src/utils/mount.ecryptfs.c: LP: #329264
    - remove old hack, that worked around a temporary kernel regression;
      ensure that all mount memory is mlocked

  [ Sebastian Krahmer ]
  * src/pam_ecryptfs/pam_ecryptfs.c: LP: #732614
    - drop group privileges in the same places that user privileges are
    - check return status of setresuid() calls and return if they fail
    - drop privileges before checking for the existence of
      ~/.ecryptfs/auto-mount to prevent possible file existence leakage
      by a symlink to a path that typically would not be searchable by
      the user
    - drop privileges before reading salt from the rc file to prevent the
      leakage of root's salt and, more importantly, using the incorrect salt
    - discovered, independently, by Vasiliy Kulikov and Sebastian Krahmer
  * src/pam_ecryptfs/pam_ecryptfs.c: LP: #1020904
    - after dropping privileges, clear the environment before executing the
      private eCryptfs mount helper
    - discovered by Sebastian Krahmer
  * src/utils/mount.ecryptfs_private.c: LP: #1020904
    - do not allow private eCryptfs mount aliases to contain ".." characters
      as a preventative measure against a crafted file path being used as an
    - force the MS_NOSUID mount flag to protect against user controlled lower
      filesystems, such as an auto mounted USB drive, that may contain a
      setuid-root binary
      + CVE-2012-3409
    - force the MS_NODEV mount flag
    - after dropping privileges, clear the environment before executing umount
    - discovered by Sebastian Krahmer

  [ Tyler Hicks ]
  * src/libecryptfs/key_management.c: LP: #732614
    - zero statically declared buffers to prevent the leakage of stack
      contents in the case of a short file read
    - discovered by Vasiliy Kulikov
  * src/libecryptfs/module_mgr.c, src/pam_ecryptfs/pam_ecryptfs.c:
    - fix compiler warnings

Date: Fri, 13 Jul 2012 09:52:36 -0500
Changed-By: Dustin Kirkland

Friday, July 13, 2012

Let's celebrate the 100th release of eCryptfs utils!

Howdy all!

It's hard to believe that it's been almost 7 years since many of you helped conceive, design, implement, develop extend, test, document eCryptfs back in the IBM Linux Technology Center's Security team, with many more contributions following from Canonical, Red Hat, Intel, etc.

Over those 7 years, we have helped many of the rest of you reading this secure your private data.  Today, there are actually millions of eCryptfs users -- through Ubuntu (and other Linux distrosencrypted home directories, Google's ChromeOS, Synology and Seagate encrypted NAS devices, some Android phones, Gazzang's cloud and big data encryption products, among others.

With the 100th release of the user space eCryptfs utilities (ecryptfs-utils), we'd like to take the opportunity to invite any contributors or users of eCryptfs for a celebration!

Gazzang is providing drinks and snacks on its rooftop (and air-conditioned lobby) in downtown Austin, at 8th and Congress, with great views of the Texas state capitol and all of downtown.  Please join us at 804 Congress Avenue, Suite 400, from 5pm-8pm on Thursday, August 2, 2012.  This is the day before the Texas Linux Fest in San Antonio, so perhaps we might see a few out of town guests join us...  I happen to know at least one guest of honor who will be in from out of town for this event ;-)

Hopefully you'll join some of your colleagues around the Linux, open source, security, encryption, key management and data privacy space for an informal get together here in central Texas!

Dustin Kirkland
eCryptfs co-maintainer