
Ubuntu Open Week: Encrypted Private Directories

A brief compilation of the IRC chat held as part of Ubuntu Open Week on the topic "Encrypted Private Directories".

Encrypted personal directories. Speaker: Dustin Kirkland

Before us is a representative of the Ubuntu Server Team with a fascinating, if slightly superficial, report on the state of affairs in cryptography for Ubuntu end users. Since the release of Intrepid Ibex it has become easier for users to keep their little secrets secret. Becoming a great paranoid is this easy:


$ sudo apt-get update
$ sudo apt-get install ecryptfs-utils
$ ecryptfs-setup-private

So, after ecryptfs-utils is installed, the PAM module pam_ecryptfs appears in the system. When you enter your password at login, this module uses it to unwrap the file ~/.ecryptfs/wrapped-passphrase, which holds the mount passphrase that the /sbin/mount.ecryptfs_private utility then uses. This setuid utility does what its name suggests: it mounts ~/.Private onto ~/Private using a special file system called ecryptfs, the Enterprise Cryptographic Filesystem developed by people at IBM. There are other solutions of this kind, for example encfs, truecrypt, dm-crypt and others, but ecryptfs was chosen for the ~/Private encryption for the following reasons:

Oops! Consider the last point, a rather controversial statement: after all, other solutions let you encrypt a whole partition or even a whole device, for example a swap partition or an LVM volume. But for the user the ~/Private approach, which encrypts each file in the file system separately, has one significant advantage: incremental backup of the stored data. For example, a user can simply rsync -aP ~/.Private to a remote server and be sure that even root on the remote backup server cannot read the contents of the backup. Well, except for the file names, which are not yet encrypted in the current implementation. Work on this is under way, and in Jaunty we can expect such functionality to appear.

Question: What happens to ecryptfs with autologin? Answer: Yes, since you log in automatically you do not enter the password, so your Private is not mounted. But this behaviour is by design. Here is what actually happens with autologin: you go into the Private directory in the file manager and see only a link to an application called "Access Your Private Data". The link launches /usr/bin/ecryptfs-mount-private, which asks for your login password and then mounts it.
Question: What about performance? Answer: The author has had no performance problems. He suggests that if you compile in ~/Private there may be a performance loss of perhaps 10%. Further, the author makes an entirely rational point: from the performance standpoint, encrypting an entire partition is one thing, and selecting sensitive data and placing it in ~/Private is another. You decide for the safety of which data you are willing to pay with lower access performance. LVM encryption also requires a password at boot, which is not good for a remote server.
Question: Why not encrypt the entire user home directory? Answer: They had the idea, but so far it is not that simple. They will think about it further, expand the functionality, make it more convenient. What about now? Like this:
ln -s /home/kirkland/Private/.ssh /home/kirkland/.ssh
Question: Will graphical tools be developed? Answer: Yes, probably, in Jaunty.
Question: What about physical keys for encryption? Can USB flash drives be used to store keys? Answer: ecryptfs supports flexible key management for encryption:
  1. pkcs11-helper
  2. openssl
  3. passphrase
  4. tspi

So far only passphrase is used. For a start, you can simply copy ~/.ecryptfs/wrapped-passphrase to a USB flash drive and then put a symlink to it in its place. Perhaps the idea will be developed further! There will also be infrastructure work in Ubuntu itself to support OpenPGP hardware cards, Trusted Computing chips and biometric (fingerprint) readers.
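The ~/.ssh symlink from the "entire home directory" answer above is the pattern the whole ~/Private scheme rests on: keep the sensitive directory inside the mount and leave a symlink in its old place. The script below is an added example, not code from the session or from ecryptfs-utils. It generalizes that ln -s step into a function that relocates any directory under ~/Private, and it refuses to do anything unless ~/Private actually appears as an ecryptfs mount, because with autologin (as described above) ~/Private is just an ordinary unmounted directory, and writing through the symlink then would put plaintext on the unencrypted disk. The mounts file path and home directory are parameters so the function can be exercised against a constructed /proc/mounts line on a machine without ecryptfs; the layout assumed is the one ecryptfs-setup-private creates (~/.Private mounted on ~/Private).

```bash
#!/bin/bash
# Added example (not from the Ubuntu Open Week session or ecryptfs-utils):
# move a sensitive directory under ~/Private and leave a symlink behind,
# but only after confirming ~/Private is really an ecryptfs mount.
set -u

# Return 0 if "$2/Private" is listed as an ecryptfs mount point in the
# mounts file "$1" (normally /proc/mounts; passing a path keeps this
# testable offline). Field 2 is the mount point, field 3 the fs type.
private_is_mounted() {
    local mounts="$1" home="$2"
    awk -v mp="$home/Private" \
        '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "$mounts"
}

# Move "$home/$name" into "$home/Private/$name" and symlink the old
# location to it. Idempotent: a correct symlink already in place is kept.
# Refuses if Private is not mounted or the destination already exists.
relocate_to_private() {
    local mounts="$1" home="$2" name="$3"
    local src="$home/$name" dst="$home/Private/$name"

    if ! private_is_mounted "$mounts" "$home"; then
        echo "refusing: $home/Private is not an ecryptfs mount" >&2
        return 1
    fi
    # Already relocated by an earlier run.
    if [ -L "$src" ] && [ "$(readlink "$src")" = "$dst" ]; then
        return 0
    fi
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2
        return 1
    fi
    if [ -e "$src" ]; then
        mv "$src" "$dst" || return 1      # carry existing contents across
    else
        mkdir -p "$dst" || return 1       # nothing there yet: start empty
    fi
    ln -s "$dst" "$src"                   # ln -s TARGET LINK_NAME
}

# Standalone use: ./relocate_private.sh .ssh .gnupg
for dir in "$@"; do
    relocate_to_private /proc/mounts "$HOME" "$dir"
done
```

Run it only while ~/Private is mounted; the mount check is what distinguishes this from a bare ln -s, and it is the check to keep if you adapt the script.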
Next in the chat comes a demonstration of a simple example of accessing your data on a guest machine, and links to additional information.

The hour set aside for this wonderful topic is over. The speaker and the listeners exchanged courtesies and said goodbye.

Source: https://habr.com/ru/post/50810/
