Encrypted Private Directories in Ubuntu Intrepid

August 6, 2008

From the Ubuntu Server Team…

Do you have sensitive data on your computer? Perhaps a file containing all of your passwords? Financial spreadsheets or GPG/SSH keys?  Are you concerned about someone reading these files should your PC or laptop be stolen?

In Ubuntu’s Intrepid Ibex development cycle, the Ubuntu Server Team is implementing support for an encrypted private directory in each user’s home.

Getting Started

Install the ‘ecryptfs-utils’ package:

sudo apt-get install ecryptfs-utils

Run ecryptfs-setup-private as your non-root user:

ecryptfs-setup-private

After that, it’s a matter of logging in/out, and reading/writing data in ~/Private.  Personally, I have moved my ~/.ssh, ~/.gnupg, and ~/.mozilla directories into ~/Private, and symlinked them to their traditional locations.

  • Do NOT move your ~/.ecryptfs directory into ~/Private!!!
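The relocation described above as a script, added here as an example (not code from the original post or from ecryptfs-utils): it refuses to touch ~/.ecryptfs and moves nothing unless ~/Private is currently an eCryptfs mount. The function names and the MOUNTS_FILE override are hypothetical, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: move a dot-directory into ~/Private and symlink it back.
# MOUNTS_FILE is a hypothetical override so the mount check can be run offline.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# True only when an eCryptfs filesystem is mounted on the given directory.
# Mount tables list "device mountpoint fstype options ..." per line.
private_is_mounted() {
    awk -v dir="$1" '$2 == dir && $3 == "ecryptfs" { found = 1 }
                     END { exit !found }' "$MOUNTS_FILE" 2>/dev/null
}

# move_into_private HOME_DIR NAME    e.g. move_into_private "$HOME" .ssh
move_into_private() {
    local home name src private dst
    home="$1"; name="$2"
    src="$home/$name"; private="$home/Private"; dst="$private/$name"

    # ~/.ecryptfs must stay outside ~/Private (the warning above), and
    # ~/.Private is the encrypted lower directory itself.
    case "$name" in
        .ecryptfs|.Private|Private)
            echo "refusing to move $name" >&2; return 2 ;;
    esac
    # While unmounted, ~/Private is an ordinary directory: anything moved
    # there now would be stored unencrypted.
    if ! private_is_mounted "$private"; then
        echo "$private is not an eCryptfs mount; nothing moved" >&2; return 3
    fi
    if [ -L "$src" ]; then echo "$src is already a symlink" >&2; return 0; fi
    if [ ! -d "$src" ]; then echo "$src is not a directory" >&2; return 4; fi
    if [ -e "$dst" ]; then echo "$dst already exists" >&2; return 5; fi

    # Move the real directory under the mount, then leave a symlink at the
    # traditional location so ssh, gpg, etc. still find it.
    mv -- "$src" "$dst" && ln -s -- "$dst" "$src"
}

# Usage when run as a script: ./relocate.sh .ssh .gnupg .mozilla
for name in "$@"; do
    move_into_private "$HOME" "$name" || exit $?
done
```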

How does it work?

The underlying technology is a cryptographic virtual filesystem in the Linux kernel called eCryptfs, authored by Michael Halcrow of IBM.

When a user logs into an Ubuntu Intrepid system, their login passphrase is automatically used to decrypt a randomly generated mount passphrase. This mount passphrase is then used to cryptographically mount ~/.Private onto ~/Private. As long as ~/Private is mounted, the user can read and write sensitive data to files and directories under the virtual filesystem on ~/Private. The actual files stored in the underlying filesystem are encrypted and located in ~/.Private. The only passphrase required is the one obtained at login (via console, ssh, gdm, etc.), and the only files encrypted are those that the user consciously places in ~/Private. The user can then incrementally back up the encrypted ~/.Private directory to off-site storage.

A more complete discussion of the design details is available as a specification in the wiki:

Testers wanted!

Most of the integration of Encrypted Private Directories has been completed in Intrepid, and now we’re looking for some proactive Ubuntu users to test this functionality before the legions of Ubuntu users begin trusting this technology with their personal data. With your help, hopefully we can shake out any remaining functionality or usability issues.

Please follow the complete, step-by-step, up-to-date instructions in the wiki:

And file relevant bugs in Launchpad against ecryptfs-utils:

:-Dustin

2 Responses to “Encrypted Private Directories in Ubuntu Intrepid”


  1. [...] Kirkland is not just the name of the house brand at Costco, on the side he also works on encrypted private directories. [...]

  2. pascalandreas Says:

    Will this also be available in Kubuntu Intrepid?

    The only difference I see is that we are running Kdm instead of Gdm. Will it make any difference and in such a case will it be easy to change?

