Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

How can users protect themselves from the loss of important data when a computer goes missing? Well, the latest release of Ubuntu makes this not only possible, but frighteningly easy!

A friend recently quizzed me about the Encrypted Home Directory feature in Ubuntu, but unfortunately his questions were not due simply to his naturally inquisitive nature.

A week earlier, he was en route to a Free Software conference and boarding a train in Europe after an overnight flight from the United States. In a flash, one thief created a diversion while his partner-in-crime stole my friend’s laptop case.

While not particularly happy about losing his computer, he was far more distraught at his potentially compromised data which included encryption keys, stored website passwords, personal finance information, confidential documents… everything.

This could just as easily happen to anyone. Do you travel with a laptop that contains private information? If so, what is of more value – the physical hardware itself, or the data? There must be a way to protect this highly sensitive material. Fortunately, there is!

Linux and Encryption

Linux users actually have a suite of data encryption options at their disposal. GPG (GNU Privacy Guard) can be used to provide encryption for email and individual files. Whole-disk encryption is available using a combination of LUKS (Linux Unified Key Setup) and dm-crypt (the device mapper encryption module). These two technologies represent merely the most visible tip of the iceberg.

While dozens of file encryption options exist for Linux users, this article focuses on Ubuntu’s use of eCryptfs, the Enterprise Cryptographic File System originally developed in the IBM Linux Technology Center, and now co-maintained with Canonical’s Ubuntu Platform Team. Users of Ubuntu 9.10 can optionally configure eCryptfs to automatically mount and decrypt their home directory at each login.

eCryptfs is a stacked file system in the Linux kernel. Users mount a directory in one file system on top of another. Content read from, and written to, the upper directory exists as decrypted content in memory and is seamlessly accessible to the user and applications.

Files are written to disk in the lower directory as atomic, encrypted units. File names and directory names are encrypted with a single, mount-wide fnek (file name encryption key).

Each encrypted file embeds a unique, randomly generated fek (file encryption key) in the header, wrapped with a separate, mount-wide fekek (file encryption key, encryption key). Keys are managed by the Linux kernel keyring and the encryption is provided by the common ciphers in the kernel.

Why eCryptfs?

Ubuntu’s initiative to utilize eCryptfs originated in the Ubuntu Server Team’s desire to provide an encrypted, private space for administrators without breaking unattended reboots. Typically, full disk encryption blocks the unattended boot process while waiting at a password prompt during start up. This is highly impractical for servers in data centers. Using an eCryptfs PAM (Pluggable Authentication Module) however, the system can load the necessary keys and mount the home directory at login, rather than during boot time.

Per-user unique keys and mounts with eCryptfs can provide additional data privacy and risk-mitigation among administrators and users on a multi-user system. Some users may have an encrypted home, while others may not, and each user’s encrypted home utilizes unique private keys. System resources are focused on encrypting and decrypting specific private data in /home, rather than gigabytes of stock system binaries and libraries in /usr, /lib, and elsewhere.

The eCryptfs layered file system approach also eliminates the need for a dedicated partition, sparse file, or preallocated disk space for the encrypted data. eCryptfs files are written to the administrator’s chosen underlying file system with the total disk capacity available. Since each encrypted file is written to disk as an atomic unit, users can perform per-file incremental encrypted backups to remote storage – something that is impractical and dangerous with block device encryption solutions.

Ubuntu 8.10 and Encrypted Private Directories

Ubuntu 8.10 introduced eCryptfs to mainstream Linux users in the form of an innovative, optional security feature – an Encrypted Private Directory within a user’s home directory. Users of Ubuntu 8.10 (and later) can configure an Encrypted Private Directory by simply running:

$ sudo apt-get install ecryptfs-utils
$ ecryptfs-setup-private
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:
Done configuring.
Testing mount/write/umount/read...
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.

When the user logs into the system, either graphically or on the command line, the encrypted mount is established:

/home/foo/.Private on /home/foo/Private type ecryptfs (ecryptfs_sig=009d8073058734f2, ecryptfs_fnek_sig=d27234f4a296af68, ecryptfs_cipher=aes, ecryptfs_key_bytes=16)

This user can now read and write data in /home/foo/Private like any other directory, with any application. The encryption and decryption happens transparently, on-the-fly. The encrypted data on the physical disk actually lives in /home/foo/.Private. When the user logs out, /home/foo/Private is unmounted and his data is only visible as encrypted content in /home/foo/.Private.

This provides an interesting bit of on-demand security for systems that use the GNOME or KDE auto-login feature. Such users can boot directly into their desktop environment without entering a password, but then consciously store their most confidential information cryptographically in ~/Private, which requires a password to access.

Ubuntu 9.10 and Encrypted Home Directories

Keeping track of what is and is not stored in ~/Private can become impractical if you consider most of your home directory data confidential. But Encrypted Private Directories in Ubuntu 8.10 were well received. The new feature did not introduce any insurmountable problems and has generally been very stable.

For these reasons, Ubuntu 9.04 extended the Encrypted Private Directory feature to cover entire home directories. Ubuntu’s Encrypted Home Directory feature protects the entire contents of home directories with automatic, seamless, on-the-fly encryption. Ubuntu’s traditionally excellent user experience is maintained with a minor performance impact for most workloads and tight integration with the existing Ubuntu Desktop and Server login prompts.

Encrypted Home Directories were only offered to advanced users of Ubuntu 9.04, but as of Ubuntu 9.10, the option is available in all desktop installations. This feature is similar in feel and usability to FileVault on Mac OS X, and is the first of its kind in a major Linux desktop distribution.

How does it Work?

Comments on "Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy"

Here is an excellent Blog You might Find Fascinating that we encourage you to visit.

It is usually a statement or two identifying why the project is being created. This is where dating advice tips can come in handy.How to Become Successful: The Four Blueprint Success Questions.Here is my web-site – best weight loss Plan

Check beneath, are some totally unrelated sites to ours, however, they’re most trustworthy sources that we use.

Below you will uncover the link to some sites that we believe you ought to visit.

Usually posts some quite interesting stuff like this. If you?re new to this site.

Very couple of web sites that transpire to be comprehensive below, from our point of view are undoubtedly nicely worth checking out.

Here are some of the internet sites we recommend for our visitors.

Although sites we backlink to beneath are considerably not associated to ours, we really feel they’re basically really worth a go via, so possess a look.

That will be the finish of this report. Right here you?ll find some web sites that we assume you?ll enjoy, just click the links.

The time to study or stop by the content material or sites we’ve linked to beneath.

Below you?ll discover the link to some web sites that we feel you ought to visit.

We came across a cool website that you may well get pleasure from. Take a search in the event you want.

Every once inside a while we choose blogs that we study. Listed below are the most current sites that we pick.

We like to honor a lot of other online internet sites on the web, even though they aren?t linked to us, by linking to them. Underneath are some webpages worth checking out.

One of our guests recently recommended the following website.

Just beneath, are a lot of completely not connected web-sites to ours, even so, they may be surely worth going over.

Please check out the sites we follow, like this one, because it represents our picks through the web.

We came across a cool web page that you just could possibly love. Take a appear in the event you want.

Here are a number of the internet sites we recommend for our visitors.

Had so much trouble with our previous SEO company we hired,been reading up on it in my spare time and next time I will employ someone in-house to do itDo you participate in any social sites?

One of our visitors not long ago advised the following website.

Below you will locate the link to some internet sites that we feel you’ll want to visit.

Usually posts some extremely intriguing stuff like this. If you?re new to this site.

Here are several of the sites we recommend for our visitors.

Below you will locate the link to some websites that we assume you should visit.

We came across a cool web page that you may well get pleasure from. Take a appear when you want.

The facts mentioned within the article are several of the ideal offered.

That could be the end of this post. Here you will come across some internet sites that we feel you will value, just click the hyperlinks.

Wonderful story, reckoned we could combine a few unrelated data, nonetheless genuinely really worth taking a search, whoa did 1 understand about Mid East has got extra problerms also.

Always a significant fan of linking to bloggers that I enjoy but do not get a lot of link love from.

The time to read or pay a visit to the subject material or internet sites we’ve linked to beneath.

Every once in a when we opt for blogs that we read. Listed beneath are the most current websites that we decide on.

Here is a good Blog You might Discover Interesting that we encourage you to visit.

The info talked about within the write-up are some of the top available.

We came across a cool site that you may possibly take pleasure in. Take a appear when you want.

I truly appreciate this blog.Thanks Again. Cool.

Leave a Reply