Ubuntu Open Week - Encrypted Home Directories - DustinKirkland - Wed, Apr 29th, 2009
UTC -4
(01:02:07 PM) kirkland: Okay, everyone ... let's get started
(01:02:29 PM) kirkland: so i will be demonstrating Encrypted Home Directories in Ubuntu Jaunty
(01:03:01 PM) kirkland: it will be helpful if you're listening here in IRC, and also observing via a shared screen session to a server I'm hosting in Amazon's EC2
(01:03:19 PM) kirkland: to connect to that, please: ssh -C guest@ec2-174-129-109-134.compute-1.amazonaws.com
(01:03:22 PM) kirkland: the password is "guest"
(01:03:36 PM) mcsean left the room (quit: Remote closed the connection).
(01:03:37 PM) kirkland: (the screen saver you see running is a fun little program in Universe called "cmatrix")
(01:03:41 PM) kirkland: i'm going to kill that now :-)
(01:03:55 PM) kirkland: alrighty!
(01:04:08 PM) mcsean [n=mcsean@209.170.255.14] entered the room.
(01:04:12 PM) kirkland: so i did one of these sessions 6 months ago after the Intrepid release, and introduced Encrypted Private Directories
(01:04:16 PM) kirkland: which was new for Intrepid
(01:04:36 PM) kirkland: basically, I created a very simple mechanism by which you could setup a single folder in your home directory, statically called "Private"
(01:04:39 PM) kirkland: for encryption
(01:04:46 PM) kirkland: when you'd login, this folder would be "mounted"
(01:04:59 PM) kirkland: and you could read/write data to/from that folder like any other non-encrypted folder
(01:05:15 PM) kirkland: but when you logged out, the contents of that folder were locked away in encryption
(01:05:38 PM) kirkland: in the Intrepid timeframe, it was possible, though non-trivial, to move some key information into ~/Private
(01:05:45 PM) kirkland: and symlink them back to their traditional locations
(01:06:06 PM) kirkland: so, i moved stuff like .gnupg, .ssh, .firefox, .evolution, .xchat, and so on
(01:06:09 PM) kirkland: into my ~/Private
(01:06:16 PM) kirkland: and put symlinks where they "belonged"
(01:06:20 PM) kirkland: this worked pretty well
(01:06:27 PM) kirkland: i certainly saw no performance degradation
(01:06:42 PM) kirkland: and i could rest assured that *some* of my personal data was locked away in encryption
(01:06:59 PM) kirkland: however, i had to be very conscious about moving important information into ~/Private
(01:07:23 PM) kirkland: so i spent about 8 hours on a plane flying to Paris, and hacked Encrypted Home Directories :-)
(01:07:43 PM) kirkland: basically, making $HOME, rather than $HOME/Private the mount point for your "private" location
(01:07:56 PM) kirkland: and, believe it or not, I think it works pretty well ....
(01:08:12 PM) kirkland: there might be a few road bumps and a few usability issues that we're improving for Karmic
(01:08:20 PM) kirkland: but I'm trusting all of my $HOME data to it
(01:08:28 PM) kirkland: I like this for a few reasons ...
(01:08:42 PM) kirkland: now, there's certainly a place for full disk (LVM) encryption
(01:08:54 PM) kirkland: but there are a few drawbacks
(01:09:23 PM) kirkland: namely, 1) a password is required just to "boot" your system, which kinda negates some of the hard work we've done to get Jaunty's boot performance improvements
(01:09:47 PM) kirkland: 2) the whole disk is encrypted, even stuff that doesn't need to be encrypted, like /lib and /usr/bin, and so on
(01:10:03 PM) kirkland: 3) it's impossible to incrementally sync (backup) the actual encrypted data
(01:10:24 PM) kirkland: these are 3 things that we can actually solve with encrypted home directories using eCryptfs in Ubuntu Jaunty
(01:10:28 PM) kirkland: okay so ....
(01:10:40 PM) kirkland: there are basically 3 ways to setup an encrypted home directory ...
(01:10:46 PM) kirkland: 1) from the alternate/server installer
(01:11:07 PM) kirkland: if you use this, you are considered an "advanced" user, and you will get a prompt, asking you if you want to encrypt your home directory
(01:11:16 PM) kirkland: http://1.bp.blogspot.com/_-mej0A6dVeU/SahvvshQ09I/AAAAAAAAAN0/Q3HM5sSKbb4/s1600-h/server.png
(01:11:22 PM) kirkland: that's a screen shot of that question
(01:11:35 PM) kirkland: 2) if you're using the desktop installer, you need to give a special pre-seed value
(01:11:51 PM) kirkland: basically, in the bootloader of the liveCD, you hit F6, and add an option to the kernel boot line
(01:11:59 PM) kirkland: http://3.bp.blogspot.com/_-mej0A6dVeU/Sahw4ryafQI/AAAAAAAAAOE/q2e-nmYWi_A/s1600-h/installer.png
(01:12:06 PM) kirkland: Add "user-setup/encrypt-home=true" just before the "--".
(01:12:26 PM) kirkland: if you do this, you will reveal an additional radio button on the user creation page of the graphical installer
(01:12:36 PM) kirkland: http://2.bp.blogspot.com/_-mej0A6dVeU/Sahv4yrc2QI/AAAAAAAAAN8/s2J-fJ7Ne7w/s1600-h/desktop.png
(01:12:47 PM) kirkland: for more information about this, please see: http://blog.dustinkirkland.com/2009/02/jaunty-encrypted-home-directories.html
(01:13:01 PM) kirkland: now, i'm sure everyone here has already installed jaunty!
(01:13:20 PM) kirkland: so 3) adding a user to an installed system
(01:13:24 PM) kirkland: now for the demo ...
(01:13:47 PM) kirkland: okay, looking over at our ssh session, i'm going to create a new user, and specify that their home is to be encrypted
(01:13:57 PM) kirkland: actually, first, i'm going to install ecryptfs
(01:14:16 PM) kirkland: ecryptfs-utils is now installed
(01:14:32 PM) kirkland: sudo adduser --encrypt-home foo1
(01:14:47 PM) kirkland: YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
(01:14:47 PM) kirkland: 21a723343815414dcd74842704d2eb18
(01:14:47 PM) kirkland: THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
(01:14:52 PM) kirkland: this is a very important point ....
(01:15:17 PM) kirkland: any time you're using Ubuntu's Encrypted Private or Encrypted Home feature, it is absolutely critical that you write down the randomly generated passphrase
(01:15:32 PM) kirkland: if you need to restore your data from backups later, you *must* have this password
(01:15:45 PM) kirkland: this is a rather strong, 128bit random string
(01:15:49 PM) kirkland: very difficult to guess!
(01:15:58 PM) kirkland: okay, now i'm going to set a passphrase for foo1
(01:16:03 PM) kirkland: this is the system login passphrase
(01:16:17 PM) kirkland: okay, foo1 is created
(01:16:24 PM) kirkland: let's nose around a little ...
(01:16:40 PM) kirkland: note that as user "ubuntu" i can't see into their homedir
(01:16:54 PM) kirkland: this is because dr-x------ 3 foo1 foo1 4096 2009-04-29 17:13 foo1/
(01:17:02 PM) kirkland: this home dir is 500 perm'd by default
(01:17:08 PM) kirkland: such that even foo1 can't write into it
(01:17:22 PM) kirkland: that's to protect them from inadvertently writing data into their unencrypted mountpoint
(01:18:00 PM) kirkland: okay, so now I can sudo and look in foo1's home dir
(01:18:10 PM) kirkland: i see a couple of symlinks, and a README.txt
(01:18:25 PM) kirkland: i'm going to now, as root, look through foo1's homedir
(01:18:50 PM) kirkland: as you can see from the README, it's explaining that this dir is not mounted
(01:19:03 PM) kirkland: the actual encrypted data actually lives in .Private
(01:19:18 PM) kirkland: and as you can see here, the filenames themselves are obfuscated
(01:19:34 PM) kirkland: if i try to look at the contents of one of these files, we should only see encrypted garbage
(01:19:41 PM) kirkland: bingo
(01:19:51 PM) kirkland: okay, now, let's login as foo1
(01:20:11 PM) kirkland: alright, i'm now logged in as foo1
(01:20:21 PM) kirkland: (at this point, you can pretend you're in a gnome or kde session)
(01:20:25 PM) kirkland: (the magic is the same)
(01:20:46 PM) kirkland: (your logging in through gdm/kdm would have performed the same operations, which i'll explain in detail if we have time)
(01:21:01 PM) kirkland: now, as foo1, i can see my filenames :-)
(01:21:16 PM) kirkland: and I can read my configuration files
(01:21:31 PM) kirkland: let's take a look at the mountpoint itself
(01:21:40 PM) kirkland: /home/foo1/.Private on /home/foo1 type ecryptfs (ecryptfs_sig=3c9d14d7ce3af0d0,ecryptfs_fnek_sig=55e8342f969450c1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
(01:21:46 PM) kirkland: these are the details of the ecryptfs mount
(01:22:01 PM) kirkland: note that I can't see my encrypted .Private directory at this point
(01:22:04 PM) kirkland: let's check that out
(01:22:13 PM) kirkland: to do this, i'm going to have to unmount my homedir
(01:22:19 PM) kirkland: which is going to render it read-only
(01:22:28 PM) kirkland: in practice YOU SHOULD BE VERY CAREFUL DOING THIS
(01:22:39 PM) kirkland: ie, do it at a command prompt, when nothing else is running as your user
(01:23:04 PM) kirkland: okay, now, we're in the unencrypted mountpoint, as foo1
(01:23:14 PM) kirkland: and again, i can get to my private data
(01:23:21 PM) kirkland: for backup purposes
(01:23:39 PM) kirkland: i, for one, make nightly copies of my encrypted data, using rsync, to my co-lo server
(01:23:57 PM) kirkland: as you can see I can't write anything in this dir
(01:24:15 PM) kirkland: but if I look at the README.txt, i can get some instructions on how to re-establish my mount
(01:24:28 PM) kirkland: now i'm prompted to enter my login passphrase
(01:24:43 PM) kirkland: and $HOME is mounted again!
(01:25:09 PM) kirkland: okay, i'm going to pause for a minute and field a few questions
(01:25:17 PM) kirkland: jcastro: are you around? would you mind serving them up?
(01:25:27 PM) jcastro: sure
(01:25:42 PM) jcastro: <JFo> QUESTION: Is it possible to do this with remote home dirs?
(01:25:58 PM) kirkland: JFo: please clarify "remote"
(01:26:09 PM) kirkland: JFo: you mean on an NFS or Samba share?
(01:26:16 PM) mhlavink is now known as mhlavink_away
(01:26:17 PM) JFo: yes
(01:26:23 PM) kirkland: JFo: how I wish :-)
(01:26:26 PM) JFo: heh
(01:26:29 PM) JFo: I was afraid of that
(01:26:29 PM) kirkland: tyhicks is working on this
(01:26:39 PM) kirkland: JFo: it's a long, and well understood bug in the kernel
(01:26:49 PM) kirkland: JFo: we're *really* hoping to have this fixed for Karmic
(01:26:58 PM) kirkland: JFo: that one has been a dream of mine for a long time ;-)
(01:27:04 PM) JFo: I bet
(01:27:06 PM) kirkland: jcastro: any others?
(01:27:09 PM) jcastro: <rufong> QUESTION: law enforcement myth or reality/ anything on a hdd is recoverable?
(01:27:34 PM) jcastro: we have a few more questions so just say "next" when you want the next one
(01:27:36 PM) kirkland: rufong: interesting question, really
(01:27:59 PM) kirkland: rufong: http://citp.princeton.edu/memory/
(01:28:27 PM) kirkland: rufong: from that princeton university study, they show that RAM contents can be gathered up to a few minutes after powering a system off
(01:29:01 PM) kirkland: rufong: so if law enforcement (or your attacker) can get to your ram contents, they could possibly find your keys
(01:29:20 PM) kirkland: and render any form of encryption (even LVM, Truecrypt, BitKeeper, etc) useless
(01:29:29 PM) kirkland: however, i stand behind the design of eCryptfs
(01:29:38 PM) kirkland: and in particular the design of Ubuntu's Encrypted Home
(01:29:42 PM) kirkland: and Encrypted Private
(01:30:00 PM) kirkland: i think it'll stand up to most attackers
(01:30:11 PM) kirkland: a well funded attacker is a different story
(01:30:23 PM) kirkland: ie, someone with infinite time and computing resources
(01:30:28 PM) hansblix_ is now known as hansblix
(01:30:42 PM) kirkland: but the guy on the train who steals your netbook so he can off it to a pawn shop ...
(01:30:55 PM) kirkland: he might spend a few minutes looking for credit card numbers, or other personal info
(01:31:14 PM) kirkland: not seeing that, chances are very likely that he'll move on, wipe the drive
(01:31:19 PM) kirkland: jcastro: any others?
(01:31:23 PM) jcastro: <Fabu> QUESTION: which encryption algorithms are supported by ecryptfs and how can i change the one used?
(01:31:29 PM) kirkland: jcastro: actually, back to that last one ...
(01:31:39 PM) kirkland: so back to the law enforcement question ...
(01:31:53 PM) kirkland: i've made it pretty clear on my blog and in my documentation
(01:32:11 PM) kirkland: if the user has access to your "wrapped-passphrase file" (more on that in a minute)
(01:32:21 PM) kirkland: they can then attack that file with your system login passphrase
(01:32:36 PM) kirkland: and if they have your /etc/shadow, they can attack your system login passphrase that way too
(01:32:47 PM) kirkland: so IT'S IMPERATIVE to have a good system login passphrase
(01:32:53 PM) kirkland: keep that safe, and secret
(01:33:25 PM) kirkland: as for your wrapped passphrase, I'm going to show you a really cool technique to make your system more secure
(01:33:47 PM) kirkland: Fabu: eCryptfs supports all of the algorithms supported by the Linux Kernel
(01:34:05 PM) kirkland: Fabu: that said, for Ubuntu's Encrypted Private and Encrypted Home, we have hard coded that to AES
(01:34:09 PM) kirkland: this is for support reasons
(01:34:26 PM) kirkland: i needed to constrain the system a bit, to a realistic set of variables
(01:34:41 PM) kirkland: varying on the cipher was not something i wanted to do (at least initially)
(01:34:55 PM) kirkland: if you know and understand how to construct eCryptfs mount options yourself, however ...
(01:35:05 PM) kirkland: ... you can choose a different cypher
(01:35:05 PM) Pollywog: oh I arrived late :(
(01:35:22 PM) kirkland: /home/foo1/.Private on /home/foo1 type ecryptfs (ecryptfs_sig=3c9d14d7ce3af0d0,ecryptfs_fnek_sig=55e8342f969450c1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
(01:35:30 PM) kirkland: ecryptfs_cipher=aes
(01:35:41 PM) kirkland: that's one of the options eCryptfs accepts
(01:35:58 PM) kirkland: you could add your own custom /etc/fstab entries and such
(01:36:17 PM) kirkland: however, you will be in a configuration that I won't be able to support you as Ubuntu's eCryptfs maintainer
(01:36:23 PM) kirkland: good luck ;-)
(01:36:28 PM) kirkland: jcastro: any others?
(01:36:31 PM) jcastro: <shadowland> QUESTION: Mac OS X dumps everything in one enormous .dmg encrypted. Is Jaunty storing each file separately encrypted?
(01:36:43 PM) jcastro: <shadowland> The one big image is scary because if it gets corrupted, all the data inside is toast
(01:37:11 PM) kirkland: shadowland: yes! that is the fundamental design of eCryptfs
(01:37:17 PM) kirkland: shadowland: and I *love* that aspect
(01:37:21 PM) kirkland: shadowland: quick anecdote ...
(01:37:46 PM) kirkland: shadowland: I used to tar and gpg my whole homedir on a monthly basis, and burn that 4GB file to a DVD
(01:37:55 PM) kirkland: shadowland: one time i actually wanted to restore it
(01:38:17 PM) kirkland: shadowland: well, dvd media being what it is (crap), there was some (perhaps tiny) bit of that gpg file that was corrupted
(01:38:25 PM) kirkland: thus, that backup wasn't worth anything!
(01:38:36 PM) Pollywog: I have a question that might have already been asked... how do I login to my system from a laptop (ssh) if I am not logged in at the remote system. Is there a better way than that of putting my ssh keys in /etc/.ssh/ ? If this has already been answered, I will check the conference logs later
(01:38:37 PM) kirkland: same goes for a single file in Mac OS X
(01:38:53 PM) kirkland: Pollywog: please ask in #ubuntu-classroom-chat, and wait your turn
(01:38:57 PM) Pollywog: k
(01:39:08 PM) kirkland: shadowland: there's one other tremendous advantage
(01:39:16 PM) kirkland: shadowland: and that's back to the incremental backups
(01:39:33 PM) kirkland: shadowland: i can do something like rsync $HOME/.Private/ root@remote:/backup/
(01:39:43 PM) kirkland: and sync only the files that changed
(01:39:55 PM) kirkland: which is far more reasonable than trying to rsync a multi-GB file
(01:40:17 PM) kirkland: so on to the backups questions ...
(01:40:31 PM) kirkland: there are a few improvements we're trying to make in this area in the Karmic timeframe
(01:40:40 PM) kirkland: however, my backup script for now looks something like this:
(01:40:56 PM) kirkland: umount.ecryptfs_private && cd && mount.ecryptfs_private
(01:41:09 PM) kirkland: that one liner unmounts, cd's to my $HOME, and mounts, very quickly
(01:41:21 PM) kirkland: the net is that my script is now in the unmounted homedir
(01:41:34 PM) kirkland: at this point, I can rsync -aP .Private/ <offsite>
(01:42:03 PM) kirkland: jcastro: next?
(01:42:42 PM) jcastro: <shadowland> QUESTION: How is the backup affected if a user has open files when the backup runs? Are the backed up files usable if restored later?
(01:42:59 PM) kirkland: jcastro: maybe, maybe not
(01:43:12 PM) kirkland: jcastro: all depends on how your underlying filesystem works, what's sync'd, etc.
(01:43:28 PM) kirkland: shadowland: ideally, you'd run your backups when other things aren't running
(01:43:38 PM) kirkland: shadowland: i expect we might have a little more work to do in this arena
(01:43:47 PM) kirkland: tyhicks is our kernel expert from IBM ;-)
(01:43:58 PM) kirkland: <Fabu> QUESTION: I'm currently using Truecrypt for encrypting a 1TB hdd, should i switch to ecryptfs? If yes why (most important would be performance issues)?
(01:44:10 PM) kirkland: Fabu: well, i can't be objective on this one :-)
(01:44:19 PM) kirkland: i prefer eCryptfs, but I'm the maintainer :-)
(01:44:40 PM) kirkland: if you're happy with Truecrypt, it does everything you want, I don't suppose there's a compelling reason to change
(01:45:08 PM) kirkland: however, the last time i looked at truecrypt, there were some serious licensing concerns
(01:45:15 PM) kirkland: that was keeping it from making it into fedora and ubuntu
(01:45:21 PM) kirkland: (ecryptfs is gplv2)
(01:45:35 PM) kirkland: <mcsean> QUESTION: can you show us how you'd encrypt a specific dir or mount (not just a home dir)?
(01:45:39 PM) kirkland: mcsean: good question
(01:45:47 PM) kirkland: mcsean: let's go back over to our demo environment
(01:45:53 PM) kirkland: i'm going to create a new user, foo2
(01:45:57 PM) kirkland: who doesn't have an encrypted home dir
(01:46:14 PM) kirkland: and show you how foo2 would create an encrypted private
(01:46:27 PM) kirkland: this is mostly what we did in Intrepid, but it's still a useful feature in Jaunty
(01:46:37 PM) kirkland: especially if you use Gnome's auto-login feature
(01:46:47 PM) kirkland: but you want to protect some subset of your home directory
(01:47:03 PM) kirkland: (note that encrypted-home and auto-login are TOTALLY incompatible for hopefully obvious reasons!)
(01:47:22 PM) kirkland: okay foo2 created, no encrypted home
(01:47:31 PM) kirkland: logging in as foo2
(01:47:40 PM) kirkland: no encrypted home mount
(01:47:58 PM) kirkland: okay, running ecryptfs-setup-private to create my Private dir
(01:48:11 PM) kirkland: entering my login passphrase
(01:48:16 PM) kirkland: now, i have a choice ...
(01:48:24 PM) kirkland: i can choose to select my mount passphrase
(01:48:28 PM) kirkland: or randomly generate it
(01:48:33 PM) kirkland: i *always* randomly generate it
(01:48:37 PM) kirkland: as this is more secure
(01:48:44 PM) kirkland: but i *must* remember to write it down
(01:48:52 PM) kirkland: cool, it's setup now
(01:49:03 PM) kirkland: okay, so i need to logout and log back in for it to take effect
(01:49:18 PM) kirkland: and now, i can see Private mounted
(01:49:20 PM) kirkland: \o/
(01:49:25 PM) kirkland: let's put some data in there
(01:49:47 PM) kirkland: cool, so i have data in there now
(01:49:56 PM) kirkland: let's unmount it and see
(01:50:10 PM) kirkland: not mounted, good
(01:50:14 PM) kirkland: let's check the encrypted data
(01:50:27 PM) kirkland: encrypted filenames, encrypted file contents
(01:50:31 PM) kirkland: sweet
(01:51:36 PM) kirkland: mcsean: i'll show you one more thing ...
(01:51:54 PM) kirkland: as an admin, i can do lots of other things with ecryptfs
(01:52:00 PM) kirkland: arbitrary mountpoints and such
(01:52:07 PM) kirkland: again, back to our screen session, let's see this
(01:52:39 PM) kirkland: sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted/
(01:52:46 PM) kirkland: i should get a list of interactive questions
(01:52:53 PM) kirkland: first, a passphrase for this mount
(01:53:02 PM) kirkland: next, the cipher i want
(01:53:12 PM) kirkland: (didn't someone ask about what ciphers are supported?)
(01:53:18 PM) kirkland: Select cipher:
(01:53:18 PM) kirkland: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:18 PM) kirkland: 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:18 PM) kirkland: 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
(01:53:20 PM) kirkland: 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:20 PM) kirkland: 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:23 PM) Fabu: yes me thanks :)
(01:53:23 PM) kirkland: 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
(01:53:53 PM) kirkland: /tmp/encrypted on /tmp/decrypted type ecryptfs (rw,ecryptfs_sig=c7fed37c0a341e19,ecryptfs_cipher=blowfish,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=c7fed37c0a341e19,ecryptfs_unlink_sigs)
(01:53:55 PM) kirkland: voila
(01:53:59 PM) kirkland: arbitrary ecryptfs mount
(01:54:10 PM) kirkland: you'd want to save this off, or put it into /etc/fstab if you want to use it more
(01:54:17 PM) kirkland: okay, now I want to get to one more important point
(01:54:37 PM) kirkland: this is related to: <stesind> QUESTION: could you pls show how to store the passphrase on a usb stick?
(01:55:05 PM) kirkland: so i mentioned that you could make it much harder on your attacker, if they didn't have your system password and your wrapped-passphrase
(01:55:11 PM) kirkland: here's a bit about what's going on ...
(01:55:15 PM) kirkland: when you login via PAM
(01:55:25 PM) kirkland: you give a system password, like 'abc123'
(01:55:37 PM) jcastro: 5 minute warning!
(01:55:43 PM) kirkland: this is used to "unwrap" or decrypt your wrapped-passphrase
(01:55:53 PM) kirkland: this file is stored in $HOME/.ecryptfs/wrapped-passphrase
(01:56:08 PM) kirkland: which is *actually* in /var/lib/ecryptfs/$USER/wrapped-passphrase
(01:56:14 PM) kirkland: let's go take a look in our demo window
(01:56:27 PM) kirkland: first, let's unwrap it and see ...
(01:57:03 PM) kirkland: so our "simple" abc123 passphrase decrypts our random, hard mount passphrase 21a723343815414dcd74842704d2eb18
(01:57:31 PM) kirkland: so what i've done on my system is I've literally "moved" my wrapped-passphrase file to usb storage
(01:58:27 PM) kirkland: (see the window for the demo)
(01:58:41 PM) Pollywog: QUESTION: is there a way to generate a new passphrase in case I failed to record it when I installed Ubuntu?
(01:58:52 PM) Pollywog: oops sorry
(01:59:44 PM) kirkland: so i now have a pretend usb stick in /tmp
(01:59:53 PM) kirkland: (put it on a real one, and add it to your /etc/fstab)
(02:00:02 PM) stesind: :)
(02:00:05 PM) kirkland: i moved my wrapped-passphrase file to something perhaps less obvious, ".trash"
(02:00:11 PM) kirkland: and put a symlink in place
(02:00:18 PM) kirkland: now, i have to have that in place to login to the system
(02:00:29 PM) kirkland: so i logged in successfully
(02:00:33 PM) kirkland: now, i'm going to remove it
(02:00:38 PM) kirkland: (pretend, remove usb key)
(02:01:34 PM) kirkland: okay, i did that out of order
(02:01:39 PM) kirkland: but there we go ...
(02:01:43 PM) kirkland: home dir data not available
(02:01:47 PM) kirkland: okay, i'm done!
(02:01:54 PM) jcastro: whew!
(02:01:54 PM) kirkland: ask more questions in -chat, i'll try to answer