EncryptedHomeDirectory

Differences between revisions 1 and 7 (spanning 6 versions)
Revision 1 as of 2008-12-02 20:23:37
Size: 2753
Editor: rrcs-71-42-114-254
Comment: initial page creation
Revision 7 as of 2008-12-03 01:02:36
Size: 5570
Editor: cpe-66-68-12-58
Comment: updated migration section

Summary

Based on the delivery of EncryptedPrivateDirectory in Ubuntu Intrepid, this specification describes the next steps to extend that work to provide a seamless mechanism for encrypting a user's entire home directory, mounting it on login, and un-mounting it on the last logout.

Release Note

The Ubuntu Jaunty Jackalope (9.04) release will enable per-user home directory encryption, automatically mounting it on login, and un-mounting it on the last logout of the user.

Rationale

The EncryptedPrivateDirectory work proved the usefulness and stability of the Linux kernel's ecryptfs cryptographic filesystem. Encrypting only the ~/Private directory, however, requires Ubuntu users to consciously store sensitive data in that location and to manually link that data back into its traditional locations.

Use Cases

See the use cases for:

  • https://wiki.ubuntu.com/EncryptedPrivateDirectory#Use%20Cases

Encrypted home directories will provide a more complete solution to encrypting all of the user's unique data, while not requiring the performance penalty of encrypting all of the data on the entire system and not requiring a passphrase to boot an unattended system.

Assumptions

Users of encrypted home directories are willing to pay the minor performance penalty incurred by encrypting/decrypting their data in the home directory in exchange for data security on the disk.

  • We should get some formal filesystem benchmarks against an encrypted home directory.

Users will record their mount passphrase in a safe location, such that they can retrieve their data manually if necessary.

  • We need to state this clearly on user creation, and provide a graphical utility for retrieving said mount passphrase and allowing the user to print/record it.

Swap space will be encrypted.

  • https://blueprints.launchpad.net/ubuntu/+spec/encrypted-swap-by-default

Design

The eCryptfs Linux kernel cryptographic filesystem was chosen as the implementation mechanism for several reasons:

  1. This is the same technology developed and proven in the Intrepid release in the EncryptedPrivateDirectory specification.
  2. The underlying cryptographic data is encrypted on a per-file basis, and as such, it is possible to incrementally sync changes to the encrypted data to remote backup systems.
  3. Since it is an overlay virtual filesystem, no predetermined disk allocation is necessary for the encrypted mountpoint. Rather, the same amount of disk space available to a normal home directory is available to the encrypted home directory.

Implementation

ecryptfs-utils

The functionality for bootstrapping a user's home directory for encryption has been released in the upstream ecryptfs-utils-67 release. This needs to be merged into Ubuntu Jaunty.

adduser

Following the merge of ecryptfs-utils-67+ into Jaunty, the adduser utility should be patched to support a --encrypt-home option. A patch is attached to bug 302870.

gnome-system-tools

Similar to the patch for adduser, the graphical user adding tools need to be enhanced to support the adduser --encrypt-home option.

The Installers

The Ubuntu alternate/server installer already supports creating an encrypted ~/Private directory on install. Its debconf text should be modified to prompt for an encrypted home directory (encrypted ~/Private will still be available post-install), and the adduser call should be changed to pass --encrypt-home rather than calling ecryptfs-setup-private.

Ubiquity should be modified to add a check-box to the user creation page, reflecting the --encrypt-home option. Note that this option will need to be mutually exclusive with the Auto-Login option.

UI Changes

Most of the UI changes involved should be handled by a separate, but related blueprint:

  • https://blueprints.launchpad.net/ecryptfs/+spec/ecryptfs-desktop-ui

Migration

Migration of data from a non-encrypted home directory to an encrypted home directory is a dangerous operation. As such, I will carefully document the procedure for doing so, but I do not believe it safe to provide a script to do so automatically.

This will be discussed at UDS San Francisco.

Test/Demo Plan

As of 2008-12-02, you can test this by:

  1. Install the adduser and ecryptfs-utils packages in the following PPA:

  2. Add a user with an encrypted home directory as root, with:
    • # adduser --encrypt-home testuser

  3. Log in as testuser on the console, through the GUI, and via ssh. Ensure that all programs work as expected. Log out of the console/GUI/ssh. Ensure that the home directory is not mounted and that the data stored in /home/testuser/.Private is encrypted.
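The two post-logout checks in step 3 can be scripted rather than eyeballed. The following is an added example, not part of the original spec or of ecryptfs-utils: it checks /proc/mounts for an eCryptfs mount on the home directory, and checks a file under .Private for the eCryptfs lower-file header marker (which also reflects the per-file encryption noted in the Design section). The functions take their input as arguments so they can be tried on constructed data first; the mktemp directory, file names and ecryptfs_sig value used for that are made up.

```shell
#!/bin/sh
# Added example, not from the original spec: the test plan's post-logout
# checks ("home directory is not mounted", ".Private is encrypted").

# ecryptfs_mounted MOUNTS_TEXT DIR: succeed if DIR is an eCryptfs mountpoint.
# /proc/mounts fields: device mountpoint fstype options dump pass
ecryptfs_mounted() {
    printf '%s\n' "$1" | awk -v d="$2" \
        '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# has_ecryptfs_marker FILE: succeed if FILE carries the eCryptfs header marker.
# A lower (encrypted) file starts with 8 bytes of plaintext size, then an
# 8-byte marker: a random 32-bit value x followed by x XOR 0x3c81b7f5, the
# kernel's MAGIC_ECRYPTFS_MARKER. A plaintext file copied in will not match.
has_ecryptfs_marker() {
    marker=$(od -An -tx1 -j8 -N8 "$1" | tr -d ' \n')
    [ ${#marker} -eq 16 ] || return 1
    m1=$((0x${marker%????????}))
    m2=$((0x${marker#????????}))
    [ $((m1 ^ 0x3c81b7f5)) -eq "$m2" ]
}

# logout_state_ok HOME_DIR LOWER_FILE: the post-logout condition on a live
# system, e.g. after logging testuser out:
#   logout_state_ok /home/testuser \
#       "$(find /home/testuser/.Private -type f | head -n 1)"
logout_state_ok() {
    ! ecryptfs_mounted "$(cat /proc/mounts)" "$1" && has_ecryptfs_marker "$2"
}

# make_sample_files: constructed inputs for a self-test, no live system needed.
# Prints a directory holding "encrypted" (valid header with x = 0x12345678 and
# x XOR magic = 0x2eb5e18d, then filler) and "plain" (ordinary text).
make_sample_files() {
    sdir=$(mktemp -d)
    printf '\000\000\000\000\000\000\000\013' > "$sdir/encrypted"
    printf '\022\064\126\170\056\265\341\215' >> "$sdir/encrypted"
    printf 'opaque payload bytes follow the header' >> "$sdir/encrypted"
    printf 'this is plaintext, not an eCryptfs lower file' > "$sdir/plain"
    echo "$sdir"
}
```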

Unresolved issues

There are two other specifications, solving related issues:

Discussion

Please post questions to:

CategorySpec

EncryptedHomeDirectory (last edited 2009-04-07 21:12:29 by nat-stumcr)