dcsimg

Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

How can users protect themselves from the loss of important data when a computer goes missing? Well, the latest release of Ubuntu makes this not only possible, but frighteningly easy!

A friend recently quizzed me about the Encrypted Home Directory feature in Ubuntu, but unfortunately his questions were not due simply to his naturally inquisitive nature.

A week earlier, he was en route to a Free Software conference and boarding a train in Europe after an overnight flight from the United States. In a flash, one thief created a diversion while his partner-in-crime stole my friend’s laptop case.

While not particularly happy about losing his computer, he was far more distraught at his potentially compromised data which included encryption keys, stored website passwords, personal finance information, confidential documents… everything.

This could just as easily happen to anyone. Do you travel with a laptop that contains private information? If so, what is of more value – the physical hardware itself, or the data? There must be a way to protect this highly sensitive material. Fortunately, there is!

Linux and Encryption

Linux users actually have a suite of data encryption options at their disposal. GPG (GNU Privacy Guard) can be used to provide encryption for email and individual files. Whole-disk encryption is available using a combination of LUKS (Linux Unified Key Setup) and dm-crypt (the device mapper encryption module). These two technologies represent merely the most visible tip of the iceberg.

While dozens of file encryption options exist for Linux users, this article focuses on Ubuntu’s use of eCryptfs, the Enterprise Cryptographic File System originally developed in the IBM Linux Technology Center, and now co-maintained with Canonical’s Ubuntu Platform Team. Users of Ubuntu 9.10 can optionally configure eCryptfs to automatically mount and decrypt their home directory at each login.

eCryptfs is a stacked file system in the Linux kernel. Users mount a directory in one file system on top of another. Content read from, and written to, the upper directory exists as decrypted content in memory and is seamlessly accessible to the user and applications.

Files are written to disk in the lower directory as atomic, encrypted units. File names and directory names are encrypted with a single, mount-wide fnek (file name encryption key).

Each encrypted file embeds a unique, randomly generated fek (file encryption key) in the header, wrapped with a separate, mount-wide fekek (file encryption key, encryption key). Keys are managed by the Linux kernel keyring and the encryption is provided by the common ciphers in the kernel.

Why eCryptfs?

Ubuntu’s initiative to utilize eCryptfs originated in the Ubuntu Server Team’s desire to provide an encrypted, private space for administrators without breaking unattended reboots. Typically, full disk encryption blocks the unattended boot process while waiting at a password prompt during start up. This is highly impractical for servers in data centers. Using an eCryptfs PAM (Pluggable Authentication Module) however, the system can load the necessary keys and mount the home directory at login, rather than during boot time.

Per-user unique keys and mounts with eCryptfs can provide additional data privacy and risk-mitigation among administrators and users on a multi-user system. Some users may have an encrypted home, while others may not, and each user’s encrypted home utilizes unique private keys. System resources are focused on encrypting and decrypting specific private data in /home, rather than gigabytes of stock system binaries and libraries in /usr, /lib, and elsewhere.

The eCryptfs layered file system approach also eliminates the need for a dedicated partition, sparse file, or preallocated disk space for the encrypted data. eCryptfs files are written to the administrator’s chosen underlying file system with the total disk capacity available. Since each encrypted file is written to disk as an atomic unit, users can perform per-file incremental encrypted backups to remote storage – something that is impractical and dangerous with block device encryption solutions.

Ubuntu 8.10 and Encrypted Private Directories

Ubuntu 8.10 introduced eCryptfs to mainstream Linux users in the form of an innovative, optional security feature – an Encrypted Private Directory within a user’s home directory. Users of Ubuntu 8.10 (and later) can configure an Encrypted Private Directory by simply running:

$ sudo apt-get install ecryptfs-utils
$ ecryptfs-setup-private
Enter your login passphrase:
Enter your mount passphrase [leave blank to generate one]:
************************************************************************
YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
3770637d136fa485d22e36ab8c94afb1
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
Testing mount/write/umount/read...
Testing succeeded.
Logout, and log back in to begin using your encrypted directory.

When the user logs into the system, either graphically or on the command line, the encrypted mount is established:

/home/foo/.Private on /home/foo/Private type ecryptfs (ecryptfs_sig=009d8073058734f2, ecryptfs_fnek_sig=d27234f4a296af68, ecryptfs_cipher=aes, ecryptfs_key_bytes=16)

This user can now read and write data in /home/foo/Private like any other directory, with any application. The encryption and decryption happens transparently, on-the-fly. The encrypted data on the physical disk actually lives in /home/foo/.Private. When the user logs out, /home/foo/Private is unmounted and his data is only visible as encrypted content in /home/foo/.Private.

This provides an interesting bit of on-demand security for systems that use the GNOME or KDE auto-login feature. Such users can boot directly into their desktop environment without entering a password, but then consciously store their most confidential information cryptographically in ~/Private, which requires a password to access.

Ubuntu 9.10 and Encrypted Home Directories

Keeping track of what is and is not stored in ~/Private can become impractical if you consider most of your home directory data confidential. But Encrypted Private Directories in Ubuntu 8.10 were well received. The new feature did not introduce any insurmountable problems and has generally been very stable.

For these reasons, Ubuntu 9.04 extended the Encrypted Private Directory feature to cover entire home directories. Ubuntu’s Encrypted Home Directory feature protects the entire contents of home directories with automatic, seamless, on-the-fly encryption. Ubuntu’s traditionally excellent user experience is maintained with a minor performance impact for most workloads and tight integration with the existing Ubuntu Desktop and Server login prompts.

Encrypted Home Directories were only offered to advanced users of Ubuntu 9.04, but as of Ubuntu 9.10, the option is available in all desktop installations. This feature is similar in feel and usability to FileVault on Mac OS X, and is the first of its kind in a major Linux desktop distribution.

How does it Work?

Comments on "Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy"

Very handful of internet sites that transpire to become in depth beneath, from our point of view are undoubtedly very well really worth checking out.

The info mentioned inside the write-up are a number of the most effective available.

Check beneath, are some entirely unrelated web-sites to ours, even so, they’re most trustworthy sources that we use.

Although internet sites we backlink to below are considerably not related to ours, we feel they are in fact worth a go by way of, so have a look.

Check below, are some absolutely unrelated internet sites to ours, on the other hand, they may be most trustworthy sources that we use.

Although sites we backlink to below are considerably not related to ours, we really feel they may be really worth a go via, so have a look.

Every the moment inside a even though we choose blogs that we study. Listed below are the most current web-sites that we decide on.

Usually posts some extremely exciting stuff like this. If you are new to this site.

Everything will likely be achieved one hundred% protected and secure.So what are you ready for?my weblog clash royale hack

Wonderful story, reckoned we could combine a couple of unrelated information, nonetheless definitely worth taking a appear, whoa did one particular discover about Mid East has got more problerms too.

Wonderful story, reckoned we could combine some unrelated information, nevertheless actually worth taking a search, whoa did a single master about Mid East has got a lot more problerms at the same time.

Usually posts some pretty interesting stuff like this. If you?re new to this site.

We came across a cool web-site that you just may possibly appreciate. Take a search in case you want.

Usually posts some pretty fascinating stuff like this. If you are new to this site.

The time to study or visit the content material or internet sites we’ve linked to beneath.

The time to study or visit the content or websites we have linked to beneath.

That is the finish of this post. Right here you will locate some websites that we believe you will value, just click the hyperlinks.

Usually posts some incredibly exciting stuff like this. If you are new to this site.

Just beneath, are a lot of completely not connected sites to ours, even so, they are certainly worth going over.

One of our visitors not too long ago recommended the following website.

Below you will come across the link to some internet sites that we think you need to visit.

Below you will find the link to some web sites that we believe it is best to visit.

Here are some hyperlinks to web sites that we link to mainly because we feel they may be really worth visiting.

Usually posts some extremely intriguing stuff like this. If you?re new to this site.

Very handful of internet sites that come about to become detailed below, from our point of view are undoubtedly nicely really worth checking out.

Here are some hyperlinks to sites that we link to since we consider they may be worth visiting.

The details mentioned inside the article are some of the ideal available.

Here are some links to web pages that we link to due to the fact we think they are really worth visiting.

Here is a great Blog You might Find Interesting that we encourage you to visit.

Here is a great Weblog You might Find Exciting that we encourage you to visit.

Check beneath, are some totally unrelated internet websites to ours, even so, they may be most trustworthy sources that we use.

Here are some hyperlinks to web sites that we link to because we believe they may be really worth visiting.

Here are a number of the web-sites we suggest for our visitors.

The time to read or check out the material or internet sites we’ve linked to beneath.

Here are a number of the internet sites we advise for our visitors.

Very couple of web-sites that come about to be in depth below, from our point of view are undoubtedly well really worth checking out.

The time to study or go to the material or web-sites we’ve linked to below.

Wonderful story, reckoned we could combine several unrelated information, nevertheless seriously really worth taking a appear, whoa did 1 study about Mid East has got additional problerms as well.

That would be the end of this report. Right here you will come across some web-sites that we feel you?ll appreciate, just click the hyperlinks.

Every when inside a when we opt for blogs that we read. Listed below are the newest web sites that we decide on.

We like to honor lots of other internet web sites on the internet, even though they aren?t linked to us, by linking to them. Beneath are some webpages worth checking out.

Very few internet sites that take place to be comprehensive beneath, from our point of view are undoubtedly properly really worth checking out.

Here are some of the websites we recommend for our visitors.

One of our guests not too long ago suggested the following website.

Here are several of the sites we suggest for our visitors.

Just beneath, are numerous totally not related internet sites to ours, even so, they are certainly really worth going over.

Please take a look at the web-sites we stick to, such as this a single, as it represents our picks in the web.

Always a massive fan of linking to bloggers that I love but really don’t get a lot of link love from.

The data talked about within the write-up are several of the top available.

Here are several of the web-sites we recommend for our visitors.

Leave a Reply