EncryptHome

Ubuntu Open Week - Encrypted Home Directories - DustinKirkland - Wed, Apr 29th, 2009

UTC -4

(01:02:07 PM) kirkland: Okay, everyone ... let's get started
(01:02:29 PM) kirkland: so i will be demonstrating Encrypted Home Directories in Ubuntu Jaunty
(01:03:01 PM) kirkland: it will be helpful if you're listening here in IRC, and also observing via a shared screen session to a server I'm hosting in Amazon's EC2
(01:03:19 PM) kirkland: to connect to that, please: ssh -C guest@ec2-174-129-109-134.compute-1.amazonaws.com
(01:03:22 PM) kirkland: the password is "guest"
(01:03:36 PM) mcsean left the room (quit: Remote closed the connection).
(01:03:37 PM) kirkland: (the screen saver you see running is a fun little program in Universe called "cmatrix")
(01:03:41 PM) kirkland: i'm going to kill that now :-)
(01:03:55 PM) kirkland: alrighty!
(01:04:08 PM) mcsean [n=mcsean@209.170.255.14] entered the room.
(01:04:12 PM) kirkland: so i did one of these sessions 6 months ago after the Intrepid release, and introduced Encrypted Private Directories
(01:04:16 PM) kirkland: which was new for Intrepid
(01:04:36 PM) kirkland: basically, I created a very simple mechanism by which you could setup a single folder in your home directory, statically called "Private"
(01:04:39 PM) kirkland: for encryption
(01:04:46 PM) kirkland: when you'd login, this folder would be "mounted"
(01:04:59 PM) kirkland: and you could read/write data to/from that folder like any other non-encrypted folder
(01:05:15 PM) kirkland: but when you logged out, the contents of that folder was locked away in encryption
(01:05:38 PM) kirkland: in the Intrepid timeframe, it was possible, though non-trivial, to move some key information into ~/Private
(01:05:45 PM) kirkland: and symlink them back to their traditional locations
(01:06:06 PM) kirkland: so, i moved stuff like .gnupg, .ssh, .firefox, .evolution, .xchat, and so on
(01:06:09 PM) kirkland: into my ~/Private
(01:06:16 PM) kirkland: and put symlinks where they "belonged"
(01:06:20 PM) kirkland: this worked pretty well
(01:06:27 PM) kirkland: i certainly so no performance degradation
(01:06:42 PM) kirkland: and i could rest assured that *some* of my personal data was locked away in encryption
(01:06:59 PM) kirkland: however, i had to be very conscious about moving importation information into ~/Private
(01:07:23 PM) kirkland: so i spent about 8 hours on a plane flying to Paris, and hacked Encrypted Home Directories :-)
(01:07:43 PM) kirkland: basically, making $HOME, rather than $HOME/Private to mount point for your "private" location
(01:07:56 PM) kirkland: and, believe it or not, I think it works pretty well ....
(01:08:12 PM) kirkland: there might be a few road bumps and a few usability issues that we're improving for Karmic
(01:08:20 PM) kirkland: but I'm trusting all of my $HOME data to it
(01:08:28 PM) kirkland: I like this for a few reasons ...
(01:08:42 PM) kirkland: now, there's certainly a place for full disk (LVM) encryption
(01:08:54 PM) kirkland: but there are a few drawbacks
(01:09:23 PM) kirkland: namely, 1) a password is required just to "boot" your system, which kinda negates some of the hard work we've done to get Jaunty's boot performance improvements
(01:09:47 PM) kirkland: 2) the whole disk is encrypted, even stuff that doesn't need to be encrypted, like /lib and /usr/bin, and so on
(01:10:03 PM) kirkland: 3) it's impossible to incrementally sync (backup) the actual encrypted data
(01:10:24 PM) kirkland: these are 3 things that we can actually solve with encrypted home directories using eCryptfs in Ubuntu Jaunty
(01:10:28 PM) kirkland: okay so ....
(01:10:40 PM) kirkland: there are basically 3 ways to setup an encrypted home directory ...
(01:10:46 PM) kirkland: 1) from the alternate/server installer
(01:11:07 PM) kirkland: if you use this, you are considered an "advanced" user, and you will get a prompt, asking you if you want to encrypt your home directory\
(01:11:16 PM) kirkland: http://1.bp.blogspot.com/_-mej0A6dVeU/SahvvshQ09I/AAAAAAAAAN0/Q3HM5sSKbb4/s1600-h/server.png
(01:11:22 PM) kirkland: that's a screen shot of that question
(01:11:35 PM) kirkland: 2) if you're using the desktop installer, you need to give a special pre-seed value
(01:11:51 PM) kirkland: basically, in the bootloader of the liveCD, you hit F6, and add an option to the kernel boot line
(01:11:59 PM) kirkland: http://3.bp.blogspot.com/_-mej0A6dVeU/Sahw4ryafQI/AAAAAAAAAOE/q2e-nmYWi_A/s1600-h/installer.png
(01:12:06 PM) kirkland: Add "user-setup/encrypt-home=true" just before the "--".
(01:12:26 PM) kirkland: if you do this, you will reveal an additional radio button on the user creation page of the graphical installer
(01:12:36 PM) kirkland: http://2.bp.blogspot.com/_-mej0A6dVeU/Sahv4yrc2QI/AAAAAAAAAN8/s2J-fJ7Ne7w/s1600-h/desktop.png
(01:12:47 PM) kirkland: for more information about this, please see: http://blog.dustinkirkland.com/2009/02/jaunty-encrypted-home-directories.html
(01:13:01 PM) kirkland: now, i'm sure everyone here has already installed jaunty!
(01:13:20 PM) kirkland: so 3) adding a user to an installed system
(01:13:24 PM) kirkland: now for the demo ...
(01:13:47 PM) kirkland: okay, looking over at our ssh session, i'm going to create a new user, and specify that their home is to be encrypted
(01:13:57 PM) kirkland: actually, first, i'm going to install ecryptfs
(01:14:16 PM) kirkland: ecryptfs-utils is now installed
(01:14:32 PM) kirkland: sudo adduser --encrypt-home foo1
(01:14:47 PM) kirkland: YOU SHOULD RECORD THIS MOUNT PASSPHRASE AND STORE IN A SAFE LOCATION:
(01:14:47 PM) kirkland: 21a723343815414dcd74842704d2eb18
(01:14:47 PM) kirkland: THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
(01:14:52 PM) kirkland: this is a very important point ....
(01:15:17 PM) kirkland: any time you're using Ubuntu's Encrypted Private or Encrypted Home feature, it is absolutely critical that you write down the rrandomly generated passphrase
(01:15:32 PM) kirkland: if you need to restore your data from backups later, you *must* have this password
(01:15:45 PM) kirkland: this is a rather strong, 128bit random string
(01:15:49 PM) kirkland: very difficult to guess!
(01:15:58 PM) kirkland: okay, now i'm going to set a passphrase for foo1
(01:16:03 PM) kirkland: this is the system login passphrase
(01:16:17 PM) kirkland: okay, foo1 is created
(01:16:24 PM) kirkland: let's nose around a little ...
(01:16:40 PM) kirkland: note that as user "ubuntu" i can't see into their homedir
(01:16:54 PM) kirkland: this is because dr-x------  3 foo1   foo1   4096 2009-04-29 17:13 foo1/
(01:17:02 PM) kirkland: this home dir is 500 perm'd by default
(01:17:08 PM) kirkland: such that even foo1 can't write into it
(01:17:22 PM) kirkland: that's to protect them from inadvertently writing data into their unencrypted mountpoint
(01:18:00 PM) kirkland: okay, so now I can sudo and look in foo1's home dir
(01:18:10 PM) kirkland: i see a couple of symlinks, and a README.txt
(01:18:25 PM) kirkland: i'm going to now, as root, look through foo1's homedir
(01:18:50 PM) kirkland: as you can see from the README, it's explaining that this dir is not mounted
(01:19:03 PM) kirkland: the actual encrypted data actually lives in .Private
(01:19:18 PM) kirkland: and as you can see here, the filenames themselves are obfuscated
(01:19:34 PM) kirkland: if i try to look at the contents of one of these files, we should only see encrypted garbage
(01:19:41 PM) kirkland: bingo
(01:19:51 PM) kirkland: okay, now, let's login as foo1
(01:20:11 PM) kirkland: alright, i'm now logged in as foo1
(01:20:21 PM) kirkland: (at this point, you can pretend you're in a gnome or kde session)
(01:20:25 PM) kirkland: (the magic is the same)
(01:20:46 PM) kirkland: (your logging in through gdm/kdm would have performed the same operations, which i'll explain in detail if we have time)
(01:21:01 PM) kirkland: now, as foo1, i can see my filenames :-)
(01:21:16 PM) kirkland: and I can read my configuration files
(01:21:31 PM) kirkland: let's take a look at the mountpoint itself
(01:21:40 PM) kirkland: /home/foo1/.Private on /home/foo1 type ecryptfs (ecryptfs_sig=3c9d14d7ce3af0d0,ecryptfs_fnek_sig=55e8342f969450c1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
(01:21:46 PM) kirkland: these are the details of the ecryptfs mount
(01:22:01 PM) kirkland: note that I can't see my encrypted .Private directory at this point
(01:22:04 PM) kirkland: let's check that out
(01:22:13 PM) kirkland: to do this, i'm going to have to unmount my homedir
(01:22:19 PM) kirkland: which is going to render it read-only
(01:22:28 PM) kirkland: in practice YOU SHOULD BE VERY CAREFUL DOING THIS
(01:22:39 PM) kirkland: ie, do it at a command prompt, when nothing else is running as your user
(01:23:04 PM) kirkland: okay, now, we're in the unencrypted mountpoint, as foo1
(01:23:14 PM) kirkland: and again, i can get to my private data
(01:23:21 PM) kirkland: for backup purposes
(01:23:39 PM) kirkland: i, for one, make nightly copies of my encrypted data, using rsync, to my co-lo server
(01:23:57 PM) kirkland: as you can see I can't write anything in this dir
(01:24:15 PM) kirkland: but if I look at the README.txt, i can get some instructions on how to re-establish my mount
(01:24:28 PM) kirkland: now i'm prompted to enter my login passphrase
(01:24:43 PM) kirkland: and $HOME is mounted again!
(01:25:09 PM) kirkland: okay, i'm going to pause for a minute and field a few questions
(01:25:17 PM) kirkland: jcastro: are you around?  would you mind serving them up?
(01:25:27 PM) jcastro: sure
(01:25:42 PM) jcastro: <JFo> QUESTION: Is it possible to do this with remote home dirs?
(01:25:58 PM) kirkland: JFo: please clarify "remote"
(01:26:09 PM) kirkland: JFo: you mean on an NFS or Samba share?
(01:26:16 PM) mhlavink is now known as mhlavink_away
(01:26:17 PM) JFo: yes
(01:26:23 PM) kirkland: JFo: how I wish :-)
(01:26:26 PM) JFo: heh
(01:26:29 PM) JFo: I was afraid of that
(01:26:29 PM) kirkland: tyhicks is working on this
(01:26:39 PM) kirkland: JFo: it's a long, and well understood bug in the kernel
(01:26:49 PM) kirkland: JFo: we're *really* hoping to have this fixed for Karmic
(01:26:58 PM) kirkland: JFo: that one has been a dream of mine for a long time ;-)
(01:27:04 PM) JFo: I bet
(01:27:06 PM) kirkland: jcastro: any others?
(01:27:09 PM) jcastro: <rufong> QUESTION: law enforcement myth or reality/ anything on a hdd is recoverable?
(01:27:34 PM) jcastro: we have a few more questions so just say "next" when you want the next one
(01:27:36 PM) kirkland: rufong: interesting question, really
(01:27:59 PM) kirkland: rufong: http://citp.princeton.edu/memory/
(01:28:27 PM) kirkland: rufong: from that princeton university study, they show that RAM contents can be gather up to a few minutes after powering a system off
(01:29:01 PM) kirkland: rufong: so if law enforcement (or your attacker) can get to your ram contents, they could possibly find your keys
(01:29:20 PM) kirkland: and render any form of encryption (even LVM, Truecrypt, BitKeeper, etc) useless
(01:29:29 PM) kirkland: however, i stand behind the design of eCryptfs
(01:29:38 PM) kirkland: and in particular the design of Ubuntu's Encrypted Home
(01:29:42 PM) kirkland: and Encrypted Private
(01:30:00 PM) kirkland: i think it'll stand up to most attackers
(01:30:11 PM) kirkland: a well funded attacker is a different story
(01:30:23 PM) kirkland: ie, someone with infinite time and computing resources
(01:30:28 PM) hansblix_ is now known as hansblix
(01:30:42 PM) kirkland: but the guy on the train who steals your netbook so he can off it to a pawn shop ...
(01:30:55 PM) kirkland: he might spend a few minutes looking for credit card numbers, or other personal info
(01:31:14 PM) kirkland: not seeing that, chances are very likely that he'll move on, wipe the drive
(01:31:19 PM) kirkland: jcastro: any others?
(01:31:23 PM) jcastro: <Fabu> QUESTION: which encryption algorithms are supported by ecryptfs and how can i change the one used?
(01:31:29 PM) kirkland: jcastro: actually, back to that last one ...
(01:31:39 PM) kirkland: so back to the law enforcement question ...
(01:31:53 PM) kirkland: i've made it pretty clear on my blog and in my documentation
(01:32:11 PM) kirkland: if the user has access to your "wrapped-passphrase file" (more on that in a minute)
(01:32:21 PM) kirkland: they can then attack that file with your system login passphrase
(01:32:36 PM) kirkland: and if they have your /etc/shadow, they can attack your system login passphrase that way too
(01:32:47 PM) kirkland: so IT'S IMPERATIVE to have a good system login passphrase
(01:32:53 PM) kirkland: keep that safe, and secret
(01:33:25 PM) kirkland: as for your wrapped passphrase, I'm going to show you a really cool technique to make your system more secure
(01:33:47 PM) kirkland: Fabu: eCryptfs supports all of the algortihms supported by the Linux Kernel
(01:34:05 PM) kirkland: Fabu: that said, for Ubuntu's Encrypted Private and Encrypted Home, we have hard coded that to AES
(01:34:09 PM) kirkland: this is for support reasons
(01:34:26 PM) kirkland: i needed to constrain the system a bit, to a realistic set of variables
(01:34:41 PM) kirkland: varying on the cipher was not something i wanted to do (at least initially)
(01:34:55 PM) kirkland: if you know and understand how to construct eCryptfs mount options yourself, however ...
(01:35:05 PM) kirkland:  ... you can choose a different cypher
(01:35:05 PM) Pollywog: oh I arrived late  :(
(01:35:22 PM) kirkland: /home/foo1/.Private on /home/foo1 type ecryptfs (ecryptfs_sig=3c9d14d7ce3af0d0,ecryptfs_fnek_sig=55e8342f969450c1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)
(01:35:30 PM) kirkland: ecryptfs_cipher=aes
(01:35:41 PM) kirkland: that's one of the options eCryptfs accepts
(01:35:58 PM) kirkland: you could add your own custom /etc/fstab entries and such
(01:36:17 PM) kirkland: however, you will be in a configuration that I won't be able to support you as Ubuntu's eCryptfs maintainer
(01:36:23 PM) kirkland: good luck ;-)
(01:36:28 PM) kirkland: jcastro: any others?
(01:36:31 PM) jcastro: <shadowland> QUESTION: Mac OS X dumps everything in one enormous .dmg encrypted.  Is Jaunty storing each file separately encrypted?
(01:36:43 PM) jcastro: <shadowland> The one big image is scary because if it gets corrupted, all the data inside is toast
(01:37:11 PM) kirkland: shadowland: yes!  that is the fundamental design of eCryptfs
(01:37:17 PM) kirkland: shadowland: and I *love* that aspect
(01:37:21 PM) kirkland: shadowland: quick annecdote ...
(01:37:46 PM) kirkland: shadowland: I used to tar and gpg my whole homedir on a monthly basis, and burn that 4GB file to a DVD
(01:37:55 PM) kirkland: shadowland: one time i actually wanted to restore it
(01:38:17 PM) kirkland: shadowland: well, dvd media being what it is (crap), there was some (perhaps tiny) bit of that gpg file that was corrupted
(01:38:25 PM) kirkland: thus, that backup wasn't worth anything!
(01:38:36 PM) Pollywog: I have a question that might have already been asked... how do I login to my system from a laptop (ssh) if I am not logged in at the remote system.  Is there a better way than that of putting my ssh keys in /etc/.ssh/  ?  If this has already been answered, I will check the conference logs later
(01:38:37 PM) kirkland: same goes for a single file in Mac OS X
(01:38:53 PM) kirkland: Pollywog: please ask in #ubuntu-classroom-chat, and wait your turn
(01:38:57 PM) Pollywog: k
(01:39:08 PM) kirkland: shadowland: there's one other tremendous advantage
(01:39:16 PM) kirkland: shadowland: and that's back to the incremental backups
(01:39:33 PM) kirkland: shadowland: i can do something like rsync $HOME/.Private/  root@remote:/backup/
(01:39:43 PM) kirkland: and sync only the files that changed
(01:39:55 PM) kirkland: which is far more reasonable than trying to rsync a multi-GB file
(01:40:17 PM) kirkland: so on to the backups questions ...
(01:40:31 PM) kirkland: there are a few improvements we're trying to make in this area in the Karmic timeframe
(01:40:40 PM) kirkland: however, my backup script for now looks something like this:
(01:40:56 PM) kirkland: umount.ecryptfs_private && cd && mount.ecryptfs_private
(01:41:09 PM) kirkland: that one liner unmounts, cd's to my $HOME, and mounts, very quickly
(01:41:21 PM) kirkland: the net is that my script is now in the unmounted homedir
(01:41:34 PM) kirkland: at this point, I can rsync -aP .Private/ <offsite>
(01:42:03 PM) kirkland: jcastro: next?
(01:42:42 PM) jcastro: <shadowland> QUESTION: How is the backup affected if a user has open files when the backup runs?  Are the backed up files usable if restored later?
(01:42:59 PM) kirkland: jcastro: maybe, maybe not
(01:43:12 PM) kirkland: jcastro: all depends on how your underlying filesystem works, what's sync'd, etc.
(01:43:28 PM) kirkland: shadowland: ideally, you'd run your backups when other things aren't running
(01:43:38 PM) kirkland: shadowland: i expect we might have a little more work to do in this arena
(01:43:47 PM) kirkland: tyhicks is our kernel expert from IBM ;-)
(01:43:58 PM) kirkland: <Fabu> QUESTION: I'm currently using Truecrypt for encrypting a 1TB hdd, should i switch to ecryptfs? If yes why (most important would be performance issues)?
(01:44:10 PM) kirkland: Fabu: well, i can't be objective on this one :-)
(01:44:19 PM) kirkland: i prefer eCryptfs, but I'm the maintainer :-)
(01:44:40 PM) kirkland: if you're happy with Trucrypt, it does everything you want, I don't suppose there's a compelling reason to change
(01:45:08 PM) kirkland: however, the last time i looked at truecrypt, there were some serious licensing concerns
(01:45:15 PM) kirkland: that was keeping it from making it into fedora and ubuntu
(01:45:21 PM) kirkland: (ecryptfs is gplv2)
(01:45:35 PM) kirkland: <mcsean> QUESTION: can you show us how you'd encrypt a specific dir or mount (not just a home dir)?
(01:45:39 PM) kirkland: mcsean: good question
(01:45:47 PM) kirkland: mcsean: let's go back over to our demo environment
(01:45:53 PM) kirkland: i'm going to create a new user, foo2
(01:45:57 PM) kirkland: who doesn't have an encrypted home dir
(01:46:14 PM) kirkland: and show you how foo2 would create an encrypted private
(01:46:27 PM) kirkland: this is mostly what we did in Intrepid, but it's still a useful feature in Jaunty
(01:46:37 PM) kirkland: especially if you use Gnome's auto-login feature
(01:46:47 PM) kirkland: but you want to protect some subset of your home directory
(01:47:03 PM) kirkland: (note that encrypted-home and auto-login are TOTALLY incompatible for hopefully obvious reasons!)
(01:47:22 PM) kirkland: okay foo2 created, no encrypted home
(01:47:31 PM) kirkland: loggin in as foo2
(01:47:40 PM) kirkland: no encrypted home mount
(01:47:58 PM) kirkland: okay, running ecryptfs-setup-private to create my Private dir
(01:48:11 PM) kirkland: entering my login passphrase
(01:48:16 PM) kirkland: now, i have a choice ...
(01:48:24 PM) kirkland: i can choose to select my mount passphrase
(01:48:28 PM) kirkland: or randomly generate it
(01:48:33 PM) kirkland: i *always* randomly generate it
(01:48:37 PM) kirkland: as this is more secure
(01:48:44 PM) kirkland: but i *must* remember to write it down
(01:48:52 PM) kirkland: cool, it's setup now
(01:49:03 PM) kirkland: okay, so i need to logout and log back in for it to take effect
(01:49:18 PM) kirkland: and now, i can see Private mounted
(01:49:20 PM) kirkland: \o/
(01:49:25 PM) kirkland: let's put some data in there
(01:49:47 PM) kirkland: cooll, so i have data in there now
(01:49:56 PM) kirkland: let's unmount it and see
(01:50:10 PM) kirkland: not mounted, good
(01:50:14 PM) kirkland: let's check the encrypted data
(01:50:27 PM) kirkland: encrypted filenames, encrypted file contents
(01:50:31 PM) kirkland: sweet
(01:51:36 PM) kirkland: mcsean: i'll show you one more thing ...
(01:51:54 PM) kirkland: as an admin, i can do lots of other things with ecryptfs
(01:52:00 PM) kirkland: arbitrary mountpoints and such
(01:52:07 PM) kirkland: again, back to our screen session, let's see this
(01:52:39 PM) kirkland: sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted/
(01:52:46 PM) kirkland: i should get a list of interactive questions
(01:52:53 PM) kirkland: first, a passphrase for this mount
(01:53:02 PM) kirkland: next, the cipher i want
(01:53:12 PM) kirkland: (didn't someone ask about what ciphers are supported?)
(01:53:18 PM) kirkland: Select cipher:
(01:53:18 PM) kirkland:  1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:18 PM) kirkland:  2) blowfish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:18 PM) kirkland:  3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
(01:53:20 PM) kirkland:  4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:20 PM) kirkland:  5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
(01:53:23 PM) Fabu: yes me thanks :)
(01:53:23 PM) kirkland:  6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
(01:53:53 PM) kirkland: /tmp/encrypted on /tmp/decrypted type ecryptfs (rw,ecryptfs_sig=c7fed37c0a341e19,ecryptfs_cipher=blowfish,ecryptfs_key_bytes=16,ecryptfs_fnek_sig=c7fed37c0a341e19,ecryptfs_unlink_sigs)
(01:53:55 PM) kirkland: voila
(01:53:59 PM) kirkland: arbitrary ecryptfs mount
(01:54:10 PM) kirkland: you'd want to save this off, or put it into /etc/fstab if you want to use it more
(01:54:17 PM) kirkland: okay, now I want to get to one more important point
(01:54:37 PM) kirkland: this is related to: <stesind> QUESTION: could you pls show how to store the passphrase on a usb stick?
(01:55:05 PM) kirkland: so i mentioned that you could make it much harder on your attacker, if they didn't have your system password and your wrapped-passphrase
(01:55:11 PM) kirkland: here's a bit about what's going on ...
(01:55:15 PM) kirkland: when you login via PAM
(01:55:25 PM) kirkland: you give a system password, like 'abc123'
(01:55:37 PM) jcastro: 5 minute warning!
(01:55:43 PM) kirkland: this is used to "unwrap" or decrypt your wrapped-passphrase
(01:55:53 PM) kirkland: this file is stored in $HOME/.ecryptfs/wrapped-passphrase
(01:56:08 PM) kirkland: which is *actually* in /var/lib/ecryptfs/$USER/wrapped-passphrase
(01:56:14 PM) kirkland: let's go take a look in our demo window
(01:56:27 PM) kirkland: first, let's unwrap it and see ...
(01:57:03 PM) kirkland: so our "simple" abc123 passphrase decrypts our random, hard mount passphrase 21a723343815414dcd74842704d2eb18
(01:57:31 PM) kirkland: so what i've done on my system is I've litterally "moved" my wrapped-passphrase file to usb storage
(01:58:27 PM) kirkland: (see the window for the demo)
(01:58:41 PM) Pollywog: QUESTION: is there a way to generate a new passphrase in case I failed to record it when I installed Ubuntu?
(01:58:52 PM) Pollywog: oops sorry
(01:59:44 PM) kirkland: so i now have a pretend usb stick in /tmp
(01:59:53 PM) kirkland: (put it on a real one, and add it to your /etc/fstab)
(02:00:02 PM) stesind: :)
(02:00:05 PM) kirkland: i moved my wrapped-passphrase file to something perhaps less obvious, ".trash"
(02:00:11 PM) kirkland: and put a symlink in place
(02:00:18 PM) kirkland: now, i have to have that in place to login to the system
(02:00:29 PM) kirkland: so i logged in successfully
(02:00:33 PM) kirkland: now, i'm going to remove it
(02:00:38 PM) kirkland: (pretend, remove usb key)
(02:01:34 PM) kirkland: okay, i did that out of order
(02:01:39 PM) kirkland: but there we go ...
(02:01:43 PM) kirkland: home dir data not available
(02:01:47 PM) kirkland: okay, i'm done!
(02:01:54 PM) jcastro: whew!
(02:01:54 PM) kirkland: ask more questions in -chat, i'll try to answer

MeetingLogs/openweekJaunty/EncryptHome (last edited 2009-04-29 18:17:52 by pool-70-16-48-183)