Encrypted home directory

Jeff Spaleta jspaleta at gmail.com
Tue Dec 23 00:27:31 UTC 2008


2008/12/21 David Nielsen <gnomeuser at gmail.com>:
> /home is separate on all my boxes, so yes that solution would work. I do
> believe Ubuntu's solution is a separate partition they map to a folder called
> Private in your home dir which is unlocked at login.

I don't think it's a separate partition, it was just a separate
encrypted directory.  It works very much like the fuse based stuff,
except it's kernel space not userspace so it _may_ have a performance
boost by being in the kernel.  But that comes with a cost compared to
the fuse stuff in that userspace manipulation of the mount process is
now marginally harder.  Personally I'd much rather see a robust way to
interact with fuse based filesystems generally in the Gnome UI than
to see a lot of effort to integrate this one kernel based approach
just for encryption.

The way it was implemented in Ubuntu server takes additional wrapper
logic to manipulate the mount process of the Private directory, and
from my reading all of that logic was driven into ecrypt-utils helper
applications...I think. The original Private directory feature as
introduced in Ubuntu was specific to their server edition and was not
turned on by default on the desktop edition specifically because of
common desktop case integration concerns.  There was a patch added to
Ubuntu to gnome-mount to hide these mountpoints from the UI.

The extension to an encrypted home is meant to address some of the
shortcomings of the pam based approach so normal desktop users can
use it without it being confusing. A fully encrypted home would never
be expected to be unmounted while the person was logged in.  And it
significantly uncomplicates the problem of trying to use a Private
directory for files that applications expect to be in a certain
location in your home directory.

I also think Ubuntu is creating some glue scripts to help people who
upgrade transition from a non-encrypted home to an encrypted home as a
one-time transition.  And integrating an option in the user creation UI.

> I have no idea of the
> security of that solution but it does seem that this way one could keep a
> few files secret while the machine is powered down so if it gets lost in the
> airport e.g. those few precious personal files don't fall into the wrong
> hands.

For a private directory on a single user machine, the security is fine,
unless Ubuntu is caching the passphrase in your home directory
somewhere to enable login time mounting without having to use a
different passphrase from your login passphrase...that would be
security theater.  I'd have to look more closely at the scripted logic
to know if they are doing some sort of cached credentials in an
un-encrypted file.  I'm pretty sure this is NOT tied into the
gnome-keyring at all yet.

The private directory idea was not introduced as a target for that
sort of machine. The private directory feature was targeted as a
Server edition feature. Security on a multi-user machine...since the
files become viewable once the decrypted mountpoint is active, it's no
more secure than any other mountpoint and relies on standard unix
permissions to keep people out.  So as a server feature, it's security
theater to some extent.  And even on a single user machine with guest
account enabled fast user switching, like Ubuntu, security may easily
be compromised. If the decrypted private directory is not unmounted
when a guest user takes over the console, they have just as much
access to that mount point as if it were an un-encrypted directory.
There was some discussion I think about using apparmor support for
additional protection but I don't know if it's in place yet.

-jef
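The exposure described in the reply above (a mounted Private directory is guarded only by ordinary Unix permissions while it is unlocked) can be audited on a running system. The following POSIX shell function is an added example, not code from the thread or from Ubuntu's ecryptfs helper scripts: it reads /proc/mounts-format lines, picks out the ecryptfs mounts and flags mountpoints whose directory is readable by group or others; `run_demo` exercises it against constructed temporary directories and a constructed mounts file (the `.Private` names and cipher option in the sample are made up for the demo).

```shell
#!/bin/sh
# Added example (not from the thread or from ecryptfs-utils): audit ecryptfs
# mountpoints listed in a /proc/mounts-format file. While a Private directory
# is mounted, its decrypted contents are protected only by the directory's
# Unix permissions, so any group/other read bit exposes them to other local
# users (guest account, fast user switching). Returns 1 if any are exposed.
audit_ecryptfs_mounts() {
    mounts_file=$1
    status=0
    # /proc/mounts fields: source mountpoint fstype options dump pass
    while read -r _src mnt fstype _rest; do
        [ "$fstype" = "ecryptfs" ] || continue
        # /proc/mounts octal-escapes spaces in paths (\040); decode them.
        mnt=$(printf '%b' "$mnt")
        if [ ! -d "$mnt" ]; then
            printf '%s MISSING\n' "$mnt"
            continue
        fi
        mode=$(stat -c '%a' "$mnt")        # e.g. 700 or 755 (GNU/BusyBox stat)
        # 044 masks the group and other read bits of the octal mode.
        if [ $(( 0$mode & 044 )) -ne 0 ]; then
            printf '%s EXPOSED mode=%s\n' "$mnt" "$mode"
            status=1
        else
            printf '%s OK mode=%s\n' "$mnt" "$mode"
        fi
    done < "$mounts_file"
    return $status
}

# Constructed demo: two temporary "Private" mountpoints (one 0700, one 0755),
# an unrelated ext4 line that must be ignored, and a fake mounts file naming
# them. Cleans up and returns the audit's exit status.
run_demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/locked.Private"
    mkdir -m 755 "$tmp/open.Private"
    cat > "$tmp/mounts" <<EOF
/dev/sda2 /home ext4 rw,relatime 0 0
$tmp/.locked $tmp/locked.Private ecryptfs rw,ecryptfs_cipher=aes 0 0
$tmp/.open $tmp/open.Private ecryptfs rw,ecryptfs_cipher=aes 0 0
EOF
    rc=0
    audit_ecryptfs_mounts "$tmp/mounts" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `run_demo` to see one OK and one EXPOSED line, or `audit_ecryptfs_mounts /proc/mounts` on a live system; an exit status of 1 means at least one unlocked mountpoint is readable by other local users.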
