Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

How can users protect themselves from the loss of important data when a computer goes missing? Well, the latest release of Ubuntu makes this not only possible, but frighteningly easy!


When the user logs into their Ubuntu 9.10 system with an Encrypted Home Directory, their system password is used to decrypt a strong, randomly generated mount passphrase. This design allows them to change their system password, while eCryptfs simply re-wraps the mount passphrase without needing to re-encrypt all of the home directory contents.

The decrypted mount passphrase is then hashed using SHA-512 (Secure Hashing Algorithm) to generate the fekek (file encryption key encryption key) and the fnek (filename encryption key). These two keys are then loaded into the user’s session keyring. The Linux kernel uses the fnek to encrypt and decrypt file and directory names. The kernel then applies the fekek to file headers in order to extract and insert each file’s unique fek (file encryption key). Finally, the kernel uses the fek to encrypt and decrypt file contents. While eCryptfs supports several of the cryptographic ciphers available in the Linux kernel, Ubuntu setups use AES-128 (Advanced Encryption Standard) by default.
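The two-level key hierarchy described above can be modelled in a few dozen lines. This is an added illustration, not eCryptfs code: a SHA-512 counter keystream with an HMAC tag stands in for AES, a single SHA-512 split stands in for the real fekek/fnek derivation, and the header layout is invented for the model. What it does show faithfully is the property the article relies on: a password change rewraps only the mount passphrase, while every file header and body stays byte-for-byte the same.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed toy cipher: SHA-512 counter keystream XORed over the data.
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = hashlib.sha512(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy stand-in for AES)."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or corrupted data")
    return _xor_stream(key, nonce, ct)

def derive_keys(mount_passphrase: bytes):
    """Toy stand-in for hashing the mount passphrase into fekek and fnek."""
    d = hashlib.sha512(mount_passphrase).digest()
    return d[:16], d[16:32]          # two 128-bit keys, the AES-128 key size

def login_key(password: str) -> bytes:
    # Key derived from the system login password (toy derivation).
    return hashlib.sha512(b"login:" + password.encode()).digest()[:16]

def wrap_passphrase(password: str, mount_passphrase: bytes) -> bytes:
    # Analogue of the wrapped-passphrase file: mount passphrase under the login key.
    return seal(login_key(password), mount_passphrase)

def rewrap_passphrase(old_pw: str, new_pw: str, wrapped: bytes) -> bytes:
    """Password change: only the wrapped passphrase is rewritten, nothing else."""
    return wrap_passphrase(new_pw, unseal(login_key(old_pw), wrapped))

def encrypt_file(fekek: bytes, fnek: bytes, name: bytes, content: bytes):
    fek = os.urandom(16)                   # per-file key
    header = seal(fekek, fek)              # fek wrapped with the fekek in the header
    return seal(fnek, name), header + seal(fek, content)

def decrypt_file(fekek: bytes, fnek: bytes, enc_name: bytes, blob: bytes):
    fek = unseal(fekek, blob[:64])         # header = 16 nonce + 16 fek + 32 tag
    return unseal(fnek, enc_name), unseal(fek, blob[64:])
```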

The additional CPU time required to handle this encryption and decryption is often less than the obligatory I/O (input/output) latency of modern hard disk and solid state drives. In some performance testing, the impact of Encrypted Private Directories was less than 2% for common workloads. This is generally not noticeable at run time, but might add roughly a second or so to the login process while setting up the encrypted mount point.

Ubuntu 9.10 Desktop Installation

At step 6 of 8 of the Ubuntu installer dialogue, there will be a new third radio button offering an option to “Require a password to log in and decrypt your home folder”.

ubuntu-encryption-installer-small.jpg

Ubuntu 9.10 Server and Alternate Installations

In the curses-based Ubuntu Server and Alternate installers, an informative prompt will offer home directory encryption to the installing user:

ubuntu-encryption-installer-alternate-small.jpg

Ubuntu 9.10 Post Installation

It is absolutely critical that users immediately install all Ubuntu security updates following an installation, and keep the system up to date!

It is also essential that the user records their randomly generated mount passphrase. Write it down, print it out, escrow it to a trusted server or service, or store it in your safety deposit box. This key, rather than your system login password, is absolutely required if you need to restore your data from backup or migrate your data elsewhere.

On the first boot of a new Ubuntu Desktop installation, the user will be prompted to record their mount passphrase.

ubuntu-encryption-record-passphrase-small.jpg

On Ubuntu Server installations without a graphical interface, users will need to manually extract and record their mount passphrase using the following command:

ecryptfs-unwrap-passphrase $HOME/wrapped-passphrase

Ubuntu 9.10 Running Systems

New users can be added to running Ubuntu 9.10 systems, with an Encrypted Home Directory, by using the following command:

sudo adduser --encrypt-home foo

Ubuntu 9.10 Live Migration to an Encrypted Home Directory

In most cases, it is possible to convert an existing user’s home directory to an Encrypted Home Directory.

To be safe, a complete backup copy of the presently non-encrypted data should first be made to another system or external media. It is possible that the migration process might result in data loss or lock the user out of the system, if things go wrong.

Ensure that there is sufficient disk space available to perform the backup. To make a full copy, aim for a little more than double the current disk usage of the home directory. Assuming the copy and encryption succeeds with complete access to the now encrypted data, you can later recover that space by deleting the backed up unencrypted data.

Check the usage of the home directory via the following commands:

du -sh $HOME
df -h $HOME

These instructions require administrator (sudo) access. Also, any existing $HOME/Private directory must be empty. If there is already some data in the $HOME/Private directory, move all of these files and directories out of the way and then follow the instructions displayed after running:

ecryptfs-setup-private --undo

Exit all desktop sessions. Ensure that there are no other processes on the system reading and/or writing data to that specific home directory. Perform all of the following instructions by logging in as the user through SSH (Secure Shell) or at a TTY terminal (Ctrl-Alt-F1):

ecryptfs-setup-private

Next, log out and log back in to ensure that $HOME/Private is mounted:

exit
login
mount | grep "$USER.*ecryptfs"

The result of that mount command should display the mounted directory. Next, use a tool such as rsync to copy all the data from the home directory to the new Encrypted Private Directory. If the home directory is large, this step might take a long time. Be very wary of any errors at this point. This is the most essential step in these instructions as all data must come across correctly. It is a good idea to re-run this rsync command a few times:

rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs $HOME/ $HOME/Private/

Synchronize the changes to disk, unmount, log out:

sync
ecryptfs-umount-private
exit

Now, log back in and set up the eCryptfs configuration directory:

ecryptfs-umount-private
cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo mv $HOME/.ecryptfs /home/.ecryptfs/$USER

Set up the new, unmounted home directory:

sudo mkdir -p -m 700 /home/$USER.new
sudo chown $USER:$USER /home/$USER.new
sudo mv $HOME/.Private /home/.ecryptfs/$USER
sudo ln -s /home/.ecryptfs/$USER/.ecryptfs /home/$USER.new/.ecryptfs

Move the backup of the old, unencrypted home directory out of the way:

sudo mv $HOME $HOME.old

“Activate” the new, unmounted home directory by renaming it:

sudo mv /home/$USER.new $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
sudo ln -s /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt $HOME/README.txt
sudo chmod 500 $HOME

Logout, and log back in. Ensure that $HOME is mounted, and that there is a symbolic link to the configuration directory:

exit
mount | grep "$USER.*ecryptfs"
ln -s /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs

Carefully check all of the home directory data, ensuring that everything is in order. Once you are completely confident that the migration worked, reclaim some disk space by removing the backup of the old, non-encrypted data:

rm -rf $HOME.old

If any of the above steps fail, installing Ubuntu 9.10 from scratch and enabling the Encrypted Home Directory option might be easiest. Afterwards, simply copy the data from the unencrypted backup into the new user’s home (make sure that the backup is on external media, or if not, then ensure that the partition containing it is not formatted during installation!).
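The migration above lists several preconditions (free space of a little more than double the home directory's usage, an empty $HOME/Private, no other processes still working in the home directory, and a way to confirm the eCryptfs mount). The following pre-flight script, added here and not part of the article or ecryptfs-utils, checks each of them before any data is moved; it assumes a Linux system with /proc and treats the 2x rule as the threshold.

```python
import os
import shutil

def dir_usage(path: str) -> int:
    """Bytes used under path, like du -s, without following symlinks."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass
    return total

def enough_space(used: int, available: int, ratio: float = 2.0) -> bool:
    # The article's rule: free space should exceed roughly double current usage.
    return available > used * ratio

def space_ok(home: str, ratio: float = 2.0) -> bool:
    return enough_space(dir_usage(home), shutil.disk_usage(home).free, ratio)

def private_empty(home: str) -> bool:
    """True if $HOME/Private is absent or has no entries at all (dotfiles included)."""
    p = os.path.join(home, "Private")
    return not os.path.lexists(p) or (os.path.isdir(p) and not os.listdir(p))

def processes_in(home: str) -> list:
    """PIDs other than our own whose working directory lies inside home."""
    home, pids = os.path.realpath(home), []
    for pid in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if not pid.isdigit() or int(pid) == os.getpid():
            continue
        try:
            cwd = os.readlink(f"/proc/{pid}/cwd")
        except OSError:
            continue                      # process exited or not ours to inspect
        if cwd == home or cwd.startswith(home + os.sep):
            pids.append(int(pid))
    return pids

def ecryptfs_mounted(path: str) -> bool:
    """Equivalent of mount | grep ecryptfs for one mount point, read from /proc/mounts."""
    path = os.path.realpath(path)
    try:
        with open("/proc/mounts") as f:
            return any(line.split()[1:3] == [path, "ecryptfs"] for line in f)
    except OSError:
        return False

def preflight(home: str) -> dict:
    """All four checks at once; migrate only when the first three are True."""
    return {"space": space_ok(home), "private_empty": private_empty(home),
            "idle": not processes_in(home), "already_mounted": ecryptfs_mounted(home)}
```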

Remote Backups of Encrypted Data

Limitless network data storage is among the prominent features of Cloud Computing services, such as Ubuntu One. Data privacy in the Cloud, however, is a concern of many Cloud customers. eCryptfs provides an interesting advantage to Cloud storage users. Encrypted Home Directory users can conveniently and incrementally synchronize the encrypted contents of their $HOME/.Private directory to remote storage and rest assured that no other user, intruder, or even administrator of the remote Cloud storage can access the decrypted contents.

Data Recovery
