EncryptedHomeDirectory
Revision comment: updated use cases, design
Launchpad Entry: https://blueprints.launchpad.net/ubuntu/+spec/encrypted-home-directory
Created: 2008-12-02
Contributors: DustinKirkland
Packages affected: adduser, ecryptfs-utils, gnome-system-tools, Graphical Installer(s), Alternate Installer
Summary
Based on the delivery of EncryptedPrivateDirectory in Ubuntu Intrepid, this specification describes the next steps to extend that work to provide a seamless mechanism for encrypting a user's entire home directory, mounting it on login, and un-mounting it on the last logout.
Release Note
The Ubuntu Jaunty Jackalope (9.04) release will enable per-user home directory encryption, automatically mounting it on login, and un-mounting it on the last logout of the user.
Rationale
The EncryptedPrivateDirectory work proved the usefulness and stability of the Linux kernel's eCryptfs cryptographic filesystem. Encrypting only the ~/Private directory, however, requires Ubuntu users to consciously store sensitive data in that location and to manually link that data to its traditional locations.
Use Cases
See the use cases for:
- https://wiki.ubuntu.com/EncryptedPrivateDirectory#Use%20Cases
Encrypted home directories will provide a more complete solution to encrypting all of the user's unique data, while not requiring the performance penalty of encrypting all of the data on the entire system and not requiring a passphrase to boot an unattended system.
Assumptions
Design
The eCryptfs Linux kernel cryptographic filesystem was chosen as the implementation mechanism for several reasons:
- This is the same technology developed and proven in the Intrepid release in the EncryptedPrivateDirectory specification.
- The underlying cryptographic data is encrypted on a per-file basis, and as such, it is possible to incrementally sync changes to the encrypted data to remote backup systems.
- Since it is an overlay virtual filesystem, no predetermined disk allocation is necessary for the encrypted mountpoint. Rather, the same amount of disk space available to a normal home directory is available to the encrypted home directory.
Implementation
UI Changes
Should cover changes required to the UI, or specific UI that is required to implement this
Code Changes
Code changes should include an overview of what needs to change, and in some cases even the specific details.
Migration
Include:
- data migration, if any
- redirects from old URLs to new ones, if any
- how users will be pointed to the new way of doing things, if necessary.
Test/Demo Plan
As of 2008-12-02, you can test this by:
- Install the adduser and ecryptfs-utils packages in the following PPA:
- Add a user with an encrypted home directory as root, with:
  # adduser --encrypt-home testuser
- Log in as testuser on the console, through the GUI, and via ssh. Ensure that all programs work as expected.
- Log out of the console/GUI/ssh. Ensure that the home directory is not mounted and that the data stored in /home/testuser/.Private is encrypted.
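The post-logout check in the last step can be scripted. The following is an added example, not part of the original specification or of ecryptfs-utils: the function names are hypothetical, and it assumes the tester wrote a file containing a known plaintext "canary" string into the home directory while logged in as testuser.

```shell
#!/bin/sh
# Added example: post-logout verification for the test plan above.
# Function names and the canary approach are illustrative assumptions.

# ecryptfs_mounted MOUNTS_FILE MOUNTPOINT
# Succeeds if MOUNTS_FILE (normally /proc/mounts) lists a filesystem of
# type "ecryptfs" on MOUNTPOINT. Paths containing spaces appear escaped
# in /proc/mounts and are not handled here.
ecryptfs_mounted() {
    awk -v mp="$2" '$2 == mp && $3 == "ecryptfs" { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# canary_leaked LOWER_DIR CANARY
# Succeeds if the plaintext CANARY occurs in any file under LOWER_DIR,
# i.e. the data stored there is readable without the mount.
canary_leaked() {
    grep -r -q -F -- "$2" "$1" 2>/dev/null
}

# check_logged_out MOUNTS_FILE HOME_DIR CANARY
# Returns 0 only if HOME_DIR is not an ecryptfs mountpoint AND the canary
# cannot be found in HOME_DIR/.Private. A missing .Private directory is
# reported as a failure so an empty check never counts as a pass.
check_logged_out() {
    lower="$2/.Private"
    if ecryptfs_mounted "$1" "$2"; then
        echo "FAIL: $2 is still an ecryptfs mountpoint"; return 1
    fi
    if [ ! -d "$lower" ]; then
        echo "FAIL: $lower not found, nothing was checked"; return 1
    fi
    if canary_leaked "$lower" "$3"; then
        echo "FAIL: plaintext canary readable under $lower"; return 1
    fi
    echo "PASS: $2 unmounted, canary not found in $lower"
}

# Example (as root, after testuser's last logout):
#   ./check.sh /proc/mounts /home/testuser 'canary-string-you-wrote'
if [ "$#" -eq 3 ]; then
    check_logged_out "$@"
fi
```

Running the same script while testuser is still logged in should report the mountpoint failure, which confirms the check is actually looking at the right path.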
Unresolved issues
There are two other specifications, solving related issues:
- Encrypting Swap Space
- GUI for eCryptfs
Discussion
Please post questions to:
EncryptedHomeDirectory (last edited 2009-04-07 21:12:29 by nat-stumcr)