UserDataEncryption

(DRAFT)

Introduction

As part of ProtectingUserData, Ubuntu plans to support encrypting data to protect against offline attacks (privacy leaks and theft). This will be implemented using eCryptfs.

"eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux" (man 7 ecryptfs). eCryptfs is a mature and flexible technology that has been used on Ubuntu Desktop and Server and other distributions for years.

Requirements

General Purpose

The technology selected should be able to work under the converged device strategy: phone, tablet, desktop and TV.

Secure

The technology shall focus on protecting user data (as opposed to system data) against theft and privacy leaks. It shall provide confidentiality. It may provide integrity.

The technology selected should be capable of providing strong protection against offline attacks (i.e., when the device is off or the user is not logged in).

In general, protection against online attacks (i.e., when the user is logged in and the data is decrypted) is out of scope. However, reasonable protections should be in place to prevent encryption key theft by, for example, AppStore applications.

Opt-in

User data encryption should be opt-in for the first iteration, with later iterations possibly enabling it by default.

Extendability

The technology selected should be capable of being extended for cryptographic hardware support or new requirements.

Reliability

The technology used should be reliable and should not corrupt user data.

Performance

The technology used should not have a noticeable impact on normal workloads, that is, workloads without extremely high IO demands.

Simplicity

The technology used should not impose significant obstacles on the user and should be transparent to applications.

Supports multi-user/user profiles

To properly support the converged device strategy, the chosen technology should support multi-user environments and user profiles (eg, 'work' and 'personal').

Why eCryptfs?

MORE HERE

Implementation

Initially

  • encrypted HOME
    • PAM
    • swap
  • greeter support
  • User setup (opt-in)
  • AppArmor
    • kernel keyring mediation
    • policy to deny access to eCryptfs files and the lower filesystem
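The items above are the pieces an encrypted HOME depends on at login: the PAM unlock, encrypted swap so decrypted pages do not land on disk in the clear, and policy keeping confined applications away from the lower filesystem. The script below is an added example, not part of this specification or of ecryptfs-utils. Given text in /proc/mounts and /proc/swaps format (the constructed samples here, or the live files), it checks that a HOME is currently an eCryptfs mount point, reports the cipher and key size from the mount options, and flags swap areas that are not device-mapper backed. The ~/.Private lower directory and the cryptswap naming follow the ecryptfs-utils layout on Ubuntu; the AppArmor items are not covered, since the page does not give the policy.

```shell
#!/bin/sh
# Added example (not part of the spec): posture checks for an eCryptfs
# encrypted HOME, written against /proc/mounts and /proc/swaps formatted text
# on stdin so they run on captured samples as well as the live files.
# Sample data below is constructed.

# home_is_ecryptfs HOME < mounts
# Succeeds if HOME is currently an eCryptfs mount point (i.e. unlocked).
home_is_ecryptfs() {
    awk -v home="$1" '$2 == home && $3 == "ecryptfs" { found = 1 }
                      END { exit !found }'
}

# ecryptfs_cipher_info HOME < mounts
# Prints "<cipher> <key_bytes>" from the mount options, e.g. "aes 16"
# (AES-128, the ecryptfs-utils default); prints nothing if HOME is not mounted.
ecryptfs_cipher_info() {
    awk -v home="$1" '
        $2 == home && $3 == "ecryptfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                split(opt[i], kv, "=")
                if (kv[1] == "ecryptfs_cipher")    cipher = kv[2]
                if (kv[1] == "ecryptfs_key_bytes") bytes  = kv[2]
            }
            print cipher, bytes
        }'
}

# all_swap_encrypted < swaps
# Succeeds only if every active swap area is a device-mapper device, which is
# what ecryptfs-setup-swap produces (a cryptswap entry in /etc/crypttab).
# Plain swap on a raw partition or a swap file would leak pages of decrypted
# data, so both are reported as failures.  A dm device is necessary but not
# sufficient evidence of dm-crypt (it could be LVM): on a live system confirm
# the target type with "dmsetup table".
all_swap_encrypted() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(dm-[0-9]+|mapper\/.+)$/ { plain = 1 }
         END { exit plain }'
}

# Constructed samples in the format of the real /proc files.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=409600k,mode=755 0 0'
SAMPLE_SWAPS_OK='Filename      Type        Size     Used  Priority
/dev/dm-0     partition   4194300  0     -1'
SAMPLE_SWAPS_PLAIN='Filename      Type        Size     Used  Priority
/dev/sda3     partition   4194300  0     -1'

# Demo against the constructed samples; feed </proc/mounts and </proc/swaps
# to the functions instead to audit a live system.
report() {
    home=$1
    if printf '%s\n' "$SAMPLE_MOUNTS" | home_is_ecryptfs "$home"; then
        info=$(printf '%s\n' "$SAMPLE_MOUNTS" | ecryptfs_cipher_info "$home")
        echo "$home: eCryptfs mounted ($info)"
    else
        echo "$home: NOT an eCryptfs mount (plaintext, or locked)"
    fi
}
report /home/alice
report /home/bob
printf '%s\n' "$SAMPLE_SWAPS_OK"    | all_swap_encrypted && echo "swap: device-mapper backed"
printf '%s\n' "$SAMPLE_SWAPS_PLAIN" | all_swap_encrypted || echo "swap: PLAIN swap area present"
```

The swap check matters because the offline-attack goal in the Requirements is only met if nothing decrypted is written outside the encrypted HOME; unencrypted swap is the most common way that happens on an otherwise correctly set up system.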

Future

  • Plugin support for Cryptographic hardware
  • Migration

Concerns

  • Software-only
    • MORE HERE
  • One password (either cumbersome or insecure)
  • Future: Two passwords (optional: a strong login password and a weaker lockscreen password; usability issues)
  • Files in /tmp live outside the encrypted HOME (TMPDIR is set to /run for click apps)

Questions

  • Why not dm-crypt?
    • TODO
  • Why not full disk encryption?
    • TODO
  • Why not the new ext4 native encryption?
    • TODO
  • Hardware support?
    • TODO (reference above)

Conclusion

eCryptfs is a capable and proven technology in Ubuntu and elsewhere to encrypt user data. It is flexible, ready to use now, has reasonable performance characteristics and allows an upgrade to ext4 native encryption if/when that becomes available. When completed, Ubuntu will have a usable and comprehensive encryption solution.


CategorySpec

SecurityTeam/Specifications/UserDataEncryption (last edited 2014-11-12 20:59:32 by jdstrand)