Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

How can users protect the confidentiality of the data on a computer that goes missing? Well, the latest release of Ubuntu makes this not only possible, but frighteningly easy!

When the user logs into their Ubuntu 9.10 system with an Encrypted Home Directory, their system (login) password is used to decrypt, or unwrap, a strong, randomly generated mount passphrase that is kept wrapped on disk in $HOME/.ecryptfs/wrapped-passphrase. This design allows them to change their system password, while eCryptfs simply re-wraps the mount passphrase without needing to re-encrypt all of the home directory contents. The flip side is that, to an attacker holding the disk, the wrapped passphrase is only as strong as the login password protecting it; a weak login password undermines the encryption no matter how random the mount passphrase is.

The unwrapped mount passphrase is then hashed using SHA-512 (Secure Hash Algorithm) to derive two keys: the file encryption key encryption key (fekek) and the file name encryption key (fnek). These two keys are loaded into the user’s session keyring. The Linux kernel uses the fnek to encrypt and decrypt file and directory names. The kernel uses the fekek to wrap and unwrap, in each file’s header, that file’s own randomly generated file encryption key (fek). Finally, the kernel uses the fek to encrypt and decrypt the file’s contents. While eCryptfs supports several of the cryptographic ciphers available in the Linux kernel, Ubuntu setups use AES-128 (Advanced Encryption Standard) by default.

The additional CPU time required to handle this encryption and decryption is usually smaller than the I/O (input/output) latency of modern hard disk and solid state drives. In some performance testing, the impact of Encrypted Private Directories was less than 2% for common workloads. This is generally not noticeable at run time, but might add roughly a second to the login process while the encrypted mount point is set up.

Ubuntu 9.10 Desktop Installation

At step 6 of 8 of the Ubuntu installer dialogue, there is a new third radio button offering the option to “Require a password to log in and decrypt your home folder”.

[screenshot: ubuntu-encryption-installer-small.jpg]

Ubuntu 9.10 Server and Alternate Installations

In the curses-based Ubuntu Server and Alternate installers, an informative prompt offers home directory encryption to the installing user:

[screenshot: ubuntu-encryption-installer-alternate-small.jpg]

Ubuntu 9.10 Post Installation

It is absolutely critical that users install all Ubuntu security updates immediately after installation, and keep the system up to date!

It is also essential that users record their randomly generated mount passphrase: write it down, print it out, escrow it to a trusted server or service, or store it in a safety deposit box. This passphrase, rather than the system login password, is what is absolutely required to restore the data from a backup or migrate it elsewhere; if the wrapped-passphrase file is lost or the login password is forgotten, it is the only way back into the data.

On the first boot of a new Ubuntu Desktop installation, the user will be prompted to record their mount passphrase.

[screenshot: ubuntu-encryption-record-passphrase-small.jpg]

On Ubuntu Server installations without a graphical interface, users will need to manually extract and record their mount passphrase using the following command, which asks for the login password in order to unwrap the file:

ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase

Ubuntu 9.10 Running Systems

New users can be added to running Ubuntu 9.10 systems, with an Encrypted Home Directory, by using the following command:

sudo adduser --encrypt-home foo

Ubuntu 9.10 Live Migration to an Encrypted Home Directory

In most cases, it is possible to convert an existing user’s home directory to an Encrypted Home Directory.

To be safe, a complete backup copy of the presently non-encrypted data should first be made to another system or external media. It is possible that the migration process might result in data loss or lock the user out of the system, if things go wrong.

Ensure that there is sufficient disk space available to perform the backup. To make a full copy, aim for a little more than double the current disk usage of the home directory. Assuming the copy and encryption succeeds with complete access to the now encrypted data, you can later recover that space by deleting the backed up unencrypted data.

Check the usage of the home directory via the following commands:

du -sh $HOME
df -h $HOME

These instructions require administrator (sudo) access. Also, any existing $HOME/Private directory must be empty. If there is already some data in the $HOME/Private directory, move all of these files and directories out of the way and then follow the instructions displayed after running:

ecryptfs-setup-private --undo

Exit all desktop sessions. Ensure that there are no other processes on the system reading and/or writing data to that specific home directory. Perform all of the following instructions by logging in as the user through SSH (Secure Shell) or at a TTY terminal (Ctrl-Alt-F1):

ecryptfs-setup-private

Next, log out and log back in to ensure that $HOME/Private is mounted:

exit
login
mount | grep "$USER.*ecryptfs"

The result of that mount command should display the mounted directory. Next, use a tool such as rsync to copy all the data from the home directory to the new Encrypted Private Directory. If the home directory is large, this step might take a long time. Be very wary of any errors at this point. This is the most essential step in these instructions, as all data must come across correctly. Re-run the rsync command until a pass reports nothing left to transfer:

rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs \
$HOME/ $HOME/Private/

Synchronize the changes to disk, unmount, log out:

sync
ecryptfs-umount-private
exit

Now, log back in (which mounts $HOME/Private again), unmount it, and move the eCryptfs configuration directory out of the home, where it stays reachable while the home itself is unmounted:

ecryptfs-umount-private
cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo mv $HOME/.ecryptfs /home/.ecryptfs/$USER

Set up the new, unmounted home directory. It needs the same two symbolic links that adduser --encrypt-home creates, one to the configuration directory and one to the lower (encrypted) directory, because mount.ecryptfs_private looks for both as $HOME/.ecryptfs and $HOME/.Private:

sudo mkdir -p -m 700 /home/$USER.new
sudo chown $USER:$USER /home/$USER.new
sudo mv $HOME/.Private /home/.ecryptfs/$USER
sudo ln -s /home/.ecryptfs/$USER/.ecryptfs /home/$USER.new/.ecryptfs
sudo ln -s /home/.ecryptfs/$USER/.Private /home/$USER.new/.Private

Move the backup of the old, unencrypted home directory out of the way:

sudo mv $HOME $HOME.old

“Activate” the new, unmounted home directory by renaming it:

sudo mv /home/$USER.new $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
sudo ln -s /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt \
$HOME/README.txt
sudo chmod 500 $HOME

Log out, and log back in. Ensure that $HOME is mounted, and add the symbolic link to the configuration directory inside the mounted view as well, so that $HOME/.ecryptfs stays reachable once the encrypted mount is in place:

exit
mount | grep "$USER.*ecryptfs"
ln -s /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs

Carefully check all of the home directory data, ensuring that everything is in order. Once you are completely confident that the migration worked, reclaim some disk space by removing the backup of the old, non-encrypted data:

rm -rf $HOME.old

If any of the above steps fail, installing Ubuntu 9.10 from scratch and enabling the Encrypted Home Directory option might be easiest. Afterwards, simply copy the data from the unencrypted backup into the new user’s home (make sure that the backup is on external media, or, if not, that the partition containing it is not formatted during installation!).
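Before removing $HOME.old it is worth verifying that the layout above is actually in place, since a missing symlink or a wrong Private.mnt only shows up as a home that fails to mount at the next login. The script below is an added example written for this page, not part of the article or of ecryptfs-utils. It assumes the /home/.ecryptfs/$USER layout used above (the optional BASE argument overrides it) and the file names ecryptfs-utils keeps in the configuration directory (Private.mnt, Private.sig, wrapped-passphrase). Run it while the home is not mounted, for example as root: sudo sh check-encrypted-home.sh alice /home/alice

```sh
#!/bin/sh
# check-encrypted-home.sh: verify the on-disk layout of an Encrypted Home
# Directory while the home is NOT mounted (run as root, or after
# ecryptfs-umount-private). Added example; not part of ecryptfs-utils.
#
# Expected layout (what adduser --encrypt-home and the migration produce):
#   BASE/USER/.Private              lower (ciphertext) directory
#   BASE/USER/.ecryptfs             configuration directory
#   HOME/.Private  -> BASE/USER/.Private
#   HOME/.ecryptfs -> BASE/USER/.ecryptfs
# BASE is /home/.ecryptfs unless given as the third argument.

failures=0

# fail MSG: report one problem and count it
fail() {
    echo "FAIL: $1"
    failures=$((failures + 1))
}

# check_encrypted_home_layout USER HOME [BASE]
# Prints one FAIL line per problem; returns the number of problems found.
check_encrypted_home_layout() {
    user=$1
    home=$2
    base=${3:-/home/.ecryptfs}
    lower="$base/$user"
    conf="$lower/.ecryptfs"
    failures=0

    # Checks below only make sense against the unmounted (lower) home.
    if mount 2>/dev/null | grep -q " on $home type ecryptfs"; then
        fail "$home is currently mounted; run ecryptfs-umount-private first"
    fi

    [ -d "$lower/.Private" ] || fail "$lower/.Private is not a directory"
    [ -d "$conf" ]           || fail "$conf is not a directory"

    # Both entries in the unmounted home must be symlinks into the lower tree;
    # mount.ecryptfs_private resolves HOME/.Private and HOME/.ecryptfs there.
    for name in .Private .ecryptfs; do
        link="$home/$name"
        if [ ! -L "$link" ]; then
            fail "$link is not a symbolic link"
        elif [ "$(readlink "$link")" != "$lower/$name" ]; then
            fail "$link points to $(readlink "$link"), expected $lower/$name"
        fi
    done

    # Private.mnt names the mount point; for an encrypted home that is HOME.
    if [ "$(cat "$conf/Private.mnt" 2>/dev/null)" != "$home" ]; then
        fail "$conf/Private.mnt does not contain $home"
    fi

    # Private.sig holds one 16-hex-digit key signature per line: the fekek
    # signature, then the fnek signature (two lines on a 9.10 setup).
    if [ ! -f "$conf/Private.sig" ]; then
        fail "$conf/Private.sig is missing"
    else
        n=$(grep -cE '^[0-9a-f]{16}$' "$conf/Private.sig" || true)
        [ "$n" -eq 2 ] || fail "$conf/Private.sig has $n signature lines, expected 2"
    fi

    # The wrapped passphrase is protected only by the login password. It must
    # exist (or login cannot mount the home) and be readable by the owner alone.
    wp="$conf/wrapped-passphrase"
    if [ ! -f "$wp" ]; then
        fail "$wp is missing"
    elif [ "$(ls -ld "$wp" | cut -c5-10)" != "------" ]; then
        fail "$wp is readable by group or others"
    fi

    # The migration's final chmod leaves the unmounted home at mode 500.
    [ "$(ls -ld "$home" | cut -c2-10)" = "r-x------" ] || fail "$home is not mode 500"

    [ "$failures" -eq 0 ] && echo "ok: $home layout looks sane"
    return "$failures"
}

# Usage: sh check-encrypted-home.sh USER HOME [BASE]
if [ $# -ge 2 ]; then
    check_encrypted_home_layout "$@"
fi
```

The exit status is the number of problems found, so the script can gate a cleanup step: only delete $HOME.old when it returns 0 and a login afterwards shows the home mounted.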

Remote Backups of Encrypted Data

Limitless network data storage is among the prominent features of Cloud Computing services, such as Ubuntu One. Data privacy in the Cloud, however, is a concern of many Cloud customers. eCryptfs provides an interesting advantage to Cloud storage users. They can conveniently and incrementally synchronize the encrypted contents of the lower directory ($HOME/.Private for an Encrypted Private Directory, /home/.ecryptfs/$USER/.Private for an Encrypted Home Directory) to remote storage and rest assured that no other user, intruder, or even administrator of the remote Cloud storage can read the decrypted contents. Two caveats apply. What is hidden is content and names; the number of files, their sizes, their timestamps and the shape of the directory tree remain visible to whoever holds the ciphertext. And $HOME/.ecryptfs/wrapped-passphrase must not travel with the backup: it is protected only by the login password, so shipping it next to the ciphertext reduces the remote copy’s security to that password. A restore needs the ciphertext, the signatures in $HOME/.ecryptfs/Private.sig, and the mount passphrase recorded earlier.
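As an added example (not code from the article, Ubuntu One or ecryptfs-utils), the script below builds such a backup from the lower directory and refuses to ship the wrapped passphrase alongside it. The user name, archive path and BASE argument are hypothetical; the layout assumed is /home/.ecryptfs/$USER as in the migration above, with Private.sig and Private.mnt in the configuration directory. It also keeps the tempting shortcut, archiving the whole lower tree, as the case the check is there to catch.

```sh
#!/bin/sh
# private-backup.sh: build an off-site backup of an Encrypted Home Directory
# from its lower (ciphertext) directory, leaving the wrapped passphrase out.
# Added example; not part of ecryptfs-utils or Ubuntu One. BASE defaults to
# /home/.ecryptfs, the location the migration above uses.

# Configuration files that a restore needs and that are safe to ship:
#   Private.sig  key signatures (identifiers, not key material)
#   Private.mnt  the mount point
# Left out on purpose: wrapped-passphrase (the mount passphrase, protected
# only by the login password) and the auto-mount/auto-umount policy files.
SAFE_CONF_FILES="Private.sig Private.mnt"

# make_private_backup USER ARCHIVE [BASE]
# Archive paths are relative to BASE/USER, so a restore is simply
#   tar -C /home/.ecryptfs/USER -xf ARCHIVE
# plus the recorded mount passphrase to unlock the result.
make_private_backup() {
    user=$1
    archive=$2
    base=${3:-/home/.ecryptfs}
    lower="$base/$user"
    if [ ! -d "$lower/.Private" ]; then
        echo "no lower directory at $lower/.Private" >&2
        return 1
    fi
    set --
    for f in $SAFE_CONF_FILES; do
        if [ -f "$lower/.ecryptfs/$f" ]; then
            set -- "$@" ".ecryptfs/$f"
        fi
    done
    tar -C "$lower" -cf "$archive" .Private "$@"
}

# make_whole_lower_backup USER ARCHIVE [BASE]
# The shortcut: archive all of BASE/USER. This drags
# .ecryptfs/wrapped-passphrase along, so the remote copy becomes only as
# safe as the login password.
make_whole_lower_backup() {
    user=$1
    archive=$2
    base=${3:-/home/.ecryptfs}
    tar -C "$base" -cf "$archive" "$user"
}

# backup_contains_secret ARCHIVE
# Returns 0 if the archive carries a wrapped passphrase, 1 otherwise.
# Run it before an archive leaves the machine.
backup_contains_secret() {
    tar -tf "$1" | grep -q 'wrapped-passphrase'
}

# Usage: sh private-backup.sh USER ARCHIVE [BASE]
if [ $# -ge 2 ]; then
    make_private_backup "$@"
    if backup_contains_secret "$2"; then
        echo "refusing to keep $2: it contains the wrapped passphrase" >&2
        rm -f "$2"
        exit 1
    fi
    echo "wrote $2"
fi
```

Listing the resulting archive with tar -tf is a quick way to see the metadata caveat for yourself: every entry is an ECRYPTFS_FNEK_ENCRYPTED.* name, but the directory nesting and the entry sizes are in the clear.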

Data Recovery

Comments on "Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy"

desnotes

Seems like a much better method than the encryption method used on my work laptop. After every reboot, I need to type in a password in addition to the login password.

Reply
    ronocdh

    If it’s using full-disk encryption, then you’re fine not using a login password. That way you still have to type your password in during a reboot, but only once, and that very quickly after boot.

    Reply
davidmintz

Sounds like a wonderful idea for laptops that travel, but kind of a PITA, e.g., for a desktop at home that you like to access frequently via SSH because, as the article says,

“if the home directory is not already mounted then automatic desktop logins, ssh public key authentication and cronjobs that require access to data in $HOME are not possible. This issue can be worked around by disabling automatic unmount (remove $HOME/.ecryptfs/auto-umount), logging in, and establishing the mount at some point prior to public key authentication or cronjob execution. However, the home directory will only be unmounted at shutdown, or when ecryptfs-umount-private is invoked directly.”

I don’t completely understand the workaround but, again, it sounds kind of painful.

Reply
ionutg

Shouldn’t be that difficult to combine with ssh remote logins if one uses the pam_mount module. I haven’t used pam_mount with eCryptfs yet, but it should be possible according to

http://wiki.archlinux.org/index.php/System_Encryption_with_eCryptfs

Reply
bobberm

Looks like a recipe for disaster. I have had a bad experience with encrypting a drive: the algorithm appeared to have a bug; it was encrypted all right, but impossible to recover. If you try this, you MAY want to take that backup of your unencrypted data you made and keep it in a safe somewhere. Encryption algorithms are complicated and sometimes fail. Bobby B.

Reply
blanik

Just how secure is Ubuntu’s new encrypted home directory system, when it is installed using Ubuntu’s default configuration? Your article includes a nice explanation of how you can boot the PC using a Ubuntu LiveCD, and then recover the data.

Am I missing something here? To me it looks like a “bad guy” who wanted to steal the confidential information stored on the notebook computer that he has just stolen could have access to your encrypted home partition data in a matter of minutes…

Your article suggests that you can make it harder for the bad guy by implementing two-factor authentication – “simply move $HOME/.ecryptfs/wrapped-passphrase to removable media (such as a USB key or flash disk)”.

Yes, this approach does put the wrapped passphrase on a USB Key or similar device, but all of these security measures are still reliant upon the thief not getting hold of the USB Key at the same time as the Notebook Computer is stolen. What are the odds that the User will end up storing the USB Key in the Laptop Bag, just so that they make sure that they always have the USB Key with them when they travel?

The concept of using the USB Key also raises a potential personal safety issue for the Computer User. If the thief has found a victim using a notebook computer, at say a coffee shop, the thief will also note that when the user shut down the PC prior to leaving the Coffee Shop, the user unplugged a USB Key and hung it around his neck or somewhere else on their person. Odds on – the thief, when he/she makes a move to distract you and steal your notebook computer, will also do a pick pocket job on your USB Key……

So – am I missing something? Or does Ubuntu’s new encrypted home directory functionality only protect your data against an honest thief, who knows nothing about Linux, and ideally who wouldn’t also think to steal your USB Key at the same time they steal your Notebook computer?

Reply
webmanaus

To recover your data, you will require the encryption key which you were instructed to “write down, print, etc. and store in a *secure* location”. So simply booting from a live CD doesn’t give you anything more than access to the encrypted data (i.e., useless).

Secondly, a lot of people store data on USB keys, when they shutdown, they remove the USB key and drop it in:
1) Laptop bag
2) Pocket
3) Keyring/etc/whatever

Unless you are being specifically targeted (ie, the thief knows where you work, and knows you have access to the data they are after) then they would only be interested in the re-sale value of the hardware. As such, the re-sale value of a USB key is negligible and so definitely not worth any additional risk.

The point of the above would be to ensure that the thief and/or recipient/purchaser of your laptop can’t accidentally stumble across the fact that they have complete access to “Some Corporate Server Farm” or “Some User’s” bank account details complete with passwords, or personal home movie collection, or whatever…

PS, the truly serious thief targeting the theft of a specific user’s laptop will go after the USB key, probably won’t be concerned with threatening your safety, etc. and if all else fails, will use automated decryption tools to access your decrypted data in 6 months or however long it would take. (BTW, anyone know how long it would take to brute force this type of encryption?)

PPS, This is definitely something I will be enabling on my laptops as soon as I install Ubuntu 9.10 which I am eagerly awaiting!

Regards,
Adam

http://www.websitemanagers.com.au

Reply
justwally

It is important to note that the mere presence of an encrypted volume or directory is enough of a reason (in and of itself) for your computer to be indefinitely seized in the US. Just so everyone is aware of this. “Encryption” _IS_ the probable cause in these instances.

Reply

    @justwally: This is not true, either legally or in practice. Millions of individuals carry around encrypted folders, partitions and entire drives for many reasons. Anyone carrying HIPAA data, for example. It is not a basis for any search or seizure. Please do not spread disinformation on this point, as it has a chilling effect on the decision to encrypt.

    Reply
dragonwisard

@justwally: If we can advocate for encryption to become the default option in common operating systems (which I don’t think is unreasonable in today’s climate of data breaches and privacy concerns) encryption would no longer be grounds for probable cause.

Reply
pannsoln

I’ve just tried the recovery, and the method described doesn’t work. You need to create the directories in /mnt (that’s not a problem).

But sudo chroot /mnt gives the error:
cannot run command '/bin/bash': No such directory.

And su – foo (using the correct name for the user) also gives an error.

And ecrypt-mount-private says:
Encrypted private directory is not setup properly.

I have tried everything that I can think of, but to no avail. My /home is mounted on a separate directory, so I have also tried variations to cope with that, but it still doesn’t work!

It seems impossible to find anywhere that documents how to recover an encrypted directory!

Reply
perfmonk

Mr pannsoln,

If you want to use a chroot, you should mount the root “/” inside your mount point. Otherwise, from the jail, you won’t see any directory from your $PATH, and thus you can’t see /bin/bash either.

If you want to chroot inside /mnt, first do: mount -o bind / /mnt
and create a mount point for any other mount that you want accessible from inside /mnt and mount them the same way.

The problem is not Ubuntu. It’s just a little misunderstanding.

Regards,
BT

Reply

Thanks for this, very helpful! I believe there is a small error in the terminal commands. I think this line:

sudo ln -s /home/.ecryptfs/$USER/.ecryptfs /home/$USER.new/.ecryptfs

Should actually read:

sudo ln -s /home/.ecryptfs/$USER /home/$USER.new/.ecryptfs

Reply


Once the home directory is encrypted can I still run programs like sbackup to make unencrypted backups?

Reply

    can I still run programs like sbackup

    yep.

    if you encrypt the home, and log in, it will be unencrypted to your eyes. you can do as you wish with the files.
    i use a Private folder with manual mount so even logged in, my stuff is encrypted unless i change it.

    when power is off your setup will protect your home folder from view, mine will only protect the Private folder. my only wish list contains multiple folders.

    Reply
