Comments on From the Canyon Edge: Jaunty Encrypted Home Directories
Dustin Kirkland
Updated 2024-02-27T03:14:00.412-06:00

USB Encryption (2011-04-26T07:39:50.393-05:00):

I think the security and usefulness of an Ubuntu system depend a good deal on what we do to enable users and their privileges. Without falling into the minutia and the mundane, it is most important to at least understand how users are handled in the Ubuntu GNU/Linux environment. The points described in the post are very helpful, thanks Dustin for the huge info.

J (Encrypted Flash Drive Guy) (2011-02-11T08:10:59.900-06:00):

I think the two big announcements on encryption home directory & file names are really awesome. An encryption is a set like having a virus scanner running in the background on Windows all the time. With this new version now we can also encrypt other sensitive data. It is much easier to install and the important Caveats help me a lot to make my task easy.

Anonymous (2010-05-01T11:45:34.337-05:00):

Hi Dustin,

Every six months, I am tempted to try out an encrypted Home directory from a clean Ubuntu installation (rather than symlinking to a Private mount point), but I simply don't trust it. I can't sleep at night unless I have recovered from simulated failure several times. Given the nature of encrypted data, I can't be the only paranoid user. Perhaps an advanced tab would be helpful which included, among other things, the ability to choose our own mount passphrase.

Cheers,
Alex

jth (2010-03-10T23:06:33.791-06:00):

Per here: http://ubuntu-virginia.ubuntuforums.org/showthread.php?p=8456663

After you unmount your encrypted home and create ~/.ssh/authorized_keys:

Create file /etc/sshrc, add this:

    if test -e "$HOME/.ecryptfs/auto-mount"; then
        mount | grep "$HOME type ecryptfs"
        if test $? != 0; then
            ecryptfs-mount-private
            cd "$HOME"
            # source the rc file of whatever shell you use
            # (.bashrc, .cshrc, .zshrc, etc.)
            source ~/.bashrc
        fi
    fi

If you use keychain (SSH passphrase caching app using ssh-agent) and add it to your .bashrc so it starts on login, it will remain resident and you will not be prompted for your password until next reboot. This means your home directory is unencrypted even though you're not logged in though, so beware!

Unknown (2009-06-10T08:13:36.246-05:00):

I'm trying to create a new user with encrypted home dir using 9.04 live on some USB pen drive with persistence. Using "sudo adduser --encrypt-home foo_user" the account is created just fine, but I cannot graphically log in because gdm doesn't start. I can only log in using the console.

Alper (2009-05-24T10:14:03.135-05:00):

(I had difficulty posting this, I hope I didn't post the same msg over and over again)

Hi Dustin,
I chose "encrypt home directory" during Jaunty installation, and I have two questions regarding encryption.
When I boot with LiveCD to laptop, I cannot mount the /home directory in laptop's hard drive. That's good but when I do:

    dd if=/dev/sdaX | strings

I can see printable text in that partition. So, I thought the contents of files are encrypted not only their headers. So, aren't the contents of files encrypted?
Second question is that, I'm seeing many ecryptfs related error or warning messages in /var/log, these are the most frequent ones:

    - Warning: Using default salt value (undefined in ~/.ecryptfsrc)
    - ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [xxxxxxxxxxxx] to the keyring; rc = [1]
    - ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [yyyyyyyyyyyy] to the keyring; rc = [1]

Are these normal messages, or is something wrong in my setup?
By the way, I don't have the file you mention in your blog, ~/.wrapped-passphrase, instead I have ~/.ecryptfs/wrapped-passphrase. Is this normal?

Unknown (2009-05-19T00:41:00.000-05:00):

Home directory encryption seems to be linked to a user's password in a non-functional way. I created a user with an encrypted home directory and then later changed that user's password. When I logged out and back in, I no longer saw any of my previous home directory files (I had a functional but default home directory).

Changing the password back to what it was when I set up the encrypted home directory restored all of my files and settings, but it should be possible to change your password when using this feature.

This glitch made me think that it might actually be trivial to add a "panic" password (which would open to a default home directory) to this system as well as the regular one (which would open the encrypted home directory files).

Anonymous (2009-05-15T19:29:00.000-05:00):

Ok, I have a HUGE problem right now. I just had to reinstall Jaunty (due to driver issues) and now I can't access my files.

I have my /home folder on a separate partition, so I didn't even think twice about reinstalling my OS. Now it seems that the encryption key (encrypted by my login password) is actually stored in /var/lib/ecryptfs/user?!?

Is there ANY way to recover my encryption key? All my files are still there, I just can't open any of them and very few actually got backed up.

If someone can even give me a command to grep my hard drive for a pattern that matches something that would be in the cypher file, it would be greatly appreciated since there is a *slim* chance it may still be there.

If I am correct about the way the key is stored, please consider my case when revising your system and put the keys in the "/home" folder!

Unknown (2009-05-07T17:59:00.000-05:00):

Any instructions to convert existing unencrypted home to encrypted one?

Thanks

Karthik

Unknown (2009-05-07T17:58:00.000-05:00):

Any updates on moving an existing user's home directory to an encrypted one?

Giordano (2009-05-03T11:56:00.000-05:00):

Hi Dustin, any news about this?

"I will provide some step-by-step instructions (and maybe a script?) here in my blog--stay tuned!"

I upgraded from Intrepid to Jaunty and I would really like to move from private directory to encrypted home directory, but I don't know how to do it... :|

Thanks!!

Giordano

Jens (2009-03-18T07:32:00.000-05:00):

I'm now installing alpha 6 with encrypted home.
Wow, this is great, I waited 2 years on this feature, and I'm really happy to see it in the Jaunty installer...

Nice work Dustin, thank you so much!

Dustin Kirkland (2009-02-28T19:05:00.000-06:00):

Hi gotgenes-

For a full response, see:
 * http://blog.dustinkirkland.com/2009/02/how-encrypted-home-ecryptfs-works.html

Cheers,
:-Dustin

Stoffe (2009-02-28T18:43:00.000-06:00):

Ok, thanks for the info. :)

Dustin Kirkland (2009-02-28T18:29:00.000-06:00):

Stoffe-

There is a performance impact. In some cases, it's negligible, but in others, it's not. It really depends on what you're doing.

Michael Larabel of Phoronix has been running some numbers. See:
 * http://global.phoronix-test-suite.com/?k=profile&u=phorocrypt-16497-10491-19665

On my dual-core/4GB Thinkpad, the performance hit is absolutely unnoticeable. On a single Atom or Celeron processor, though, it might be a bit more trying.

Some users have reported that the initial login authentication is very slow on Asus EEE PCs with encrypted home directories:
 * https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/295429

Cheers,
:-Dustin

Dustin Kirkland (2009-02-28T18:22:00.000-06:00):

Dave-

Please read the whole post ;-)

    "The desktop installation is only
    slightly more complex. Boot the LiveCD
    installer, and preseed a special
    value...
    user-setup/encrypt-home=true
    ..."

:-Dustin

Dustin Kirkland (2009-02-28T18:21:00.000-06:00):

Hi Ryan-

If you're already logged into the system elsewhere (on the desktop, another ssh session, etc), public key will work.

However, you're correct. If you're trying to start a brand new session, your ~/.ssh/authorized_keys file will not be available.

You could work around this by creating a .ssh/authorized_keys file in your unmounted home directory. You could do something like the following:

    $ cd /
    $ ecryptfs-umount-private
    $ chmod 700 $HOME
    $ mkdir $HOME/.ssh
    $ chmod 500 $HOME
    $ chmod 700 $HOME/.ssh
    $ echo "$PUBKEY" >> $HOME/.ssh/authorized_keys
    $ ecryptfs-mount-private

:-Dustin

Anonymous (2009-02-28T16:14:00.000-06:00):

Very cool. So does this mean there's now a separation of a user's password from the user's decryption password? This was an issue brought up in your previous post (http://blog.dustinkirkland.com/2008/12/ubuntu-jaunty-encrypted-home.html)--oftentimes we want our encrypted data passphrase to be significantly longer than our user passphrase.

Stoffe (2009-02-28T15:54:00.000-06:00):

What impact on performance does this have? I'm especially interested in knowing how having an encrypted home directory would affect a netbook such as say the Asus EEE PC 1000h or the HP 2133. I'm looking at buying something like one of those in the coming week and will put Ubuntu on it. But since these machines are low-end already... any ideas?

Dave Morley (2009-02-28T14:41:00.000-06:00):

Dustin, I think in Alpha 5 the encrypted home was removed from the live CD. You might want to check it out.

crashsystems (2009-02-27T23:38:00.000-06:00):

Update: I downloaded a daily build and successfully installed that in my VM with encrypted home directory. So either the newer build fixed the problem, or more likely PEBKAC.

crashsystems (2009-02-27T22:10:00.000-06:00):

Is this in the installer as of alpha 5? I just booted into alpha 5 in my VM, making sure to tack on that boot parameter, and did not see the encrypted home option in the installer. Might I have been doing something wrong?

Unknown (2009-02-27T20:34:00.000-06:00):

Won't fully encrypted home directories also disable sshing into a system with public key authentication?