Launchpad Entry: server-karmic-encrypted-swap-as-an-option
Packages affected: ecryptfs-utils, ubiquity, debian-installer
Ubuntu installations with Home Directory Encryption selected should encrypt swap space and disable hibernation capabilities.
Ubuntu now provides support for encrypted home directories as part of the desktop installation.
Security conscious users want to encrypt their home directories to guard against information theft in the event their computer is lost or stolen. We provided this option during the development of Ubuntu 9.04, but the security team asked us to remove it as without encrypted swap, it was possible for the private keys to be stored in the clear.
- Joseph leaves his laptop in a conference room at UDS and it is stolen. This laptop had his private GPG key on it.
The existing design for this option in ubiquity will be used.
Integrate ecryptfs-setup-swap into the installer, fixing the bug causing it to only support a single swap device in the process.
Change the default value of user-setup/encrypt-home to true.
- Disable hibernation when encrypted swap is set using the same method that wubi uses.
- Document that hibernation is disabled when encrypted swap is set.
- Hibernation could technically be done, but the suggested implementations all had issues preventing them from being used, so it is deferred until someone steps up to solve the problem of hibernation with encrypted swap.
UDS Raw Notes
- prevent leakage of encrypted data when writing data to swap
- main use case: hibernate
- karmic suggested implementation:
encrypted home in installer -> setup swap encryption (ecryptfs-setup-swap), document hibernation incompatibility
- randomly generate key on boot (no passphrase wrapping)
- open wishlist bug for hibernation resume support
- algorithm: wrap randomly generated password with PAM system passphrase on login (for multiple users), store in LUKS keyslot
- teach resume scripts to prompt for user's wrapping passphrase on resume, decrypt swap, resume
- hard, so not deliverable for karmic
- possible regressions and workarounds:
- /tmp contents are still viewable, worked around in short term by using tmpfs for /tmp when system has some amount X of RAM, worked around in long term by moving /tmp into ~/.tmp
need UI changes to Applications> Accessories> Passwords and Encryption Keys
- additional notes:
- see who is using encrypted home and encrypted swap