Comments on: Ubuntu’s Encrypted Home Directory: A Canonical Approach to Data Privacy

By: frodo

frodo — Fri, 04 Oct 2013 03:04:19 +0000

can I still run programs like sbackup

yep.

if you encrypt the home, and log in, it will be unencrypted to your eyes. you can do as you wish with the files.
i use a Private folder with manual mount so even logged in, my stuff is encrypted unless i change it.

when power is off your setup will protect your home folder from view, mine will only protect the Private folder. my only wish list contains multiple folders.

By: green sleeves

green sleeves — Fri, 23 Aug 2013 06:19:06 +0000

Once the home directory is encrypted can I still run programs like sbackup to make unencrypted backups?

By: online casinos Canada

online casinos Canada — Mon, 06 May 2013 18:12:50 +0000

Hi! I realize this is kind of off-topic but I had to ask. Does managing a well-established website such as yours
require a lot of work? I’m completely new to writing a blog however I do write in my journal every day. I’d like to start
a blog so I will be able to share my own experience and thoughts online.
Please let me know if you have any suggestions or tips
for brand new aspiring blog owners. Appreciate
it!

By: willard

willard — Tue, 18 Sep 2012 06:26:01 +0000

@justwally: This is not true, either legally or in practice. Millions of individuals carry around encrypted folders, partitions and entire drives for many reasons. Anyone carrying HIPAA data, for example. It is not a basis for any search or seizure. Please do not spread disinformation on this point, as it has a chilling effect on the decision to encrypt.

By: Hans-Christoph Steiner

Hans-Christoph Steiner — Sun, 08 Jul 2012 03:43:25 +0000

Thanks for this, very helpful! I believe there is a small error in the terminal commands. I think this line:

sudo ln -s /home/.ecryptfs/$USER/.ecryptfs /home/$USER.new/.ecryptfs

Should actually read:

sudo ln -s /home/.ecryptfs/$USER /home/$USER.new/.ecryptfs

By: Conor Schaefer

Conor Schaefer — Sun, 24 Jul 2011 23:44:06 +0000

If it’s using full-disk encryption, then you’re fine not using a login password. That way you still have to type your password in during a reboot, but only once, and that very quickly after boot.

By: desnotes

desnotes — Wed, 30 Nov -0001 00:00:00 +0000

Seems like a much better method than the encryption method used on my work laptop. After every reboot, I need to type in a password in addition to the login password.

By: davidmintz

davidmintz — Wed, 30 Nov -0001 00:00:00 +0000

Sounds like a wonderful idea for laptops that travel, but kind of a PITA, e.g., for a desktop at home that you like to access frequently via SSH because, as the article says,

\"if the home directory is not already mounted then automatic desktop logins, ssh public key authentication and cronjobs that require access to data in $HOME are not possible. This issue can be worked around by disabling automatic unmount (remove $HOME/.ecryptfs/auto-umount), logging in, and establishing the mount at some point prior to public key authentication or cronjob execution. However, the home directory will only be unmounted at shutdown, or when ecryptfs-umount-private is invoked directly.\"

I don\'t completely understand the workaround but, again, it sounds kind of painful.

By: ionutg

ionutg — Wed, 30 Nov -0001 00:00:00 +0000

Shouldn\’t be that difficult to combine with ssh remote logins if one uses the pam_mount module. I haven\’t used pam_mount with eCryptfs yet, but it should be possible according to

http://wiki.archlinux.org/index.php/System_Encryption_with_eCryptfs

By: bobberm

bobberm — Wed, 30 Nov -0001 00:00:00 +0000

Looks like a recipe for disaster. I have had a bad experience with encrypting a drive, the algorithm appeared to have a bug, it was encrypted allright, but impossible to recover. If you try this, you MAY want to take that backup of your unencrypted data you made and keep it in a safe somewhere. Encryption algorithms are complicated and sometimes fail. Bobby B.

By: blanik

blanik — Wed, 30 Nov -0001 00:00:00 +0000

Just how secure is Ubuntu\'s new encrypted home directory system, when it is installed using Ubuntu\'s default configuration ? Your article includes a nice explanation of how you can boot the PC using a Ubuntu LiveCD, and then recover the data.

Am I missing something here ? To me it looks like a \"bad guy\" who wanted to steal the confidential information stored on the notebook computer that he has just stolen could have access to your encrypted home partition data in a matter of minutes....

Your article suggests that you can make it harder for the bad guy by implementing two-factor authentication - \"simplymove $HOME/.ecryptfs/wrapped-passphrase to removable media (such as a USB key or flash disk)\".

Yes this approach does put the wrapped passphrase on a USB Key or similar device, but all of these security measures are still reliant upon the thief not getting hold of the USB Key at the same time as the Notebook Computer is stolen. What are the odds that the User will end up storing the USB Key in the Laptop Bag, just so that they make sure that they always have the USB Key with them when they travel.

The concept of using the USB Key also raises a potential personal safety issue for the Computer User. If the thief has found a victim using a notebook computer, at say a coffee shop, the thief will also note that when the user shutdown the PC prior to leaving the Coffee Shop, that the user unplugged a USB Key and hung it around his neck or somewhere else on their person. Odds On - the thief, when he/she makes a move to distract you and steal your notebook computer, will also do a pick pocket job on your USB Key......

So - am I missing something ? Or does Ubuntu\'s new encrypted home directory functionality only protect your data against an honest thief, who knows nothing about Linux, and ideally who wouldn\'t also think to steal your USB Key at the same time they steal your Notebook computer ?????

By: webmanaus

webmanaus — Wed, 30 Nov -0001 00:00:00 +0000

To recover your data, you will require the encryption key which you were instructed to \"write down, print, etc and store in a *secure* location\". So simply booting from a live CD doesn\'t give you anything more than access to the encrypted data (ie, useless).

Secondly, a lot of people store data on USB keys, when they shutdown, they remove the USB key and drop it in:
1) Laptop bag
2) Pocket
3) Keyring/etc/whatever

Unless you are being specifically targeted (ie, the thief knows where you work, and knows you have access to the data they are after) then they would only be interested in the re-sale value of the hardware. As such, the re-sale value of a USB key is negligible and so definitely not worth any additional risk.

The point of the above would be to ensure that the thief and/or recipient/purchaser of your laptop can\'t accidentally stumble across the fact that they have complete access to \"Some Corporate Server Farm\" or \"Some Users\" bank account details complete with passwords, or personal home movie collection, or whatever...

PS, the truly serious thief targeting the theft of a specific users laptop will go after the USB key, probably won\'t be concerned with threatening your safety, etc and if all else fails, will use automated decryption tools to access your decrypted data in 6 months or however long it would take. (BTW, anyone know how long it would take to brute force this type of encryption?)

PPS, This is definitely something I will be enabling on my laptops as soon as I install Ubuntu 9.10 which I am eagerly awaiting!

Regards,
Adam

www.websitemanagers.com.au

By: justwally

justwally — Wed, 30 Nov -0001 00:00:00 +0000

It is important to note that the mere presence of an encrypted volume or directory is enough of a reason (in and of itself) for your computer to be indefinitely seized in the US. Just so everyone is aware of this. \”Encryption\” _IS_ the probable cause in these instances.

By: dragonwisard

dragonwisard — Wed, 30 Nov -0001 00:00:00 +0000

@justwally: If we can advocate for encryption to become the default option in common operating systems (which I don\’t think is unreasonable in today\’s climate of data breeches and privacy concerns) encryption would no longer be grounds for probable cause.

By: pannsoln

pannsoln — Wed, 30 Nov -0001 00:00:00 +0000

I\'ve just tried the recovery, and the method described doesn\'t work. You need to create the directories in /mnt (that\'s not a problem).

But sudo chroot /mnt gives the error:
cannot run command \'/bin/bash\": No such directory.

And su - foo (using the correct name for the user) also gives an error.

And ecrypt-mount-private says:
Encrypted private directory is not setup properly.

I have tried everything that I can think of, but to no avail. My /home is mounted on a separate directory, so I also have tried variations to cope with that, but it still doesn\'t work!

It seems impossible to find anywhere that documents how to recover an encrypted directory!

By: perfmonk

perfmonk — Wed, 30 Nov -0001 00:00:00 +0000

Mr pannsoln,

If you want to use a chroot, your should mount the root \"/\" inside your mount point. Since, from the jail, you wont see any directory from your $PATH... Thus you can\'t see /bin/bash either.

if you want to chroot inside /mnt, before do #: mount -o bind / /mnt
and create a mount point for any other mount that you want accessible from inside /mnt and mount them the same way.

The problem is not Ubuntu. It\'s just a little misunderstanding.

Regards,
BT