Encrypted Private Directories in Ubuntu Intrepid
August 6, 2008
From the Ubuntu Server Team…
Do you have sensitive data on your computer? Perhaps a file containing all of your passwords? Financial spreadsheets or GPG/SSH keys? Are you concerned about someone reading these files should your PC or laptop be stolen?
In Ubuntu’s Intrepid Ibex development cycle, the Ubuntu Server Team is implementing support for an encrypted private directory in each user’s home.
Install the ‘ecryptfs-utils’ package:
sudo apt-get install ecryptfs-utils
Run ecryptfs-setup-private as your non-root user:
After that, it’s a matter of logging in/out, and reading/writing data in ~/Private. Personally, I have moved my
~/.mozilla directories into
~/Private, and symlinked them to their traditional locations.
- Do NOT move your
~/.ecryptfsdirectory in ~/Private!!!
How does it work?
The underlying technology is a cryptographic virtual filesystem in the Linux kernel called eCryptfs, authored by Michael Halcrow of IBM.
When a user logs into an Ubuntu Intrepid system, their login passphrase is automatically used to decrypt a randomly generated mount passphrase. This mount passphrase will then cryptographically mount ~/.Private onto ~/Private. As long as ~/Private is mounted, the user can read and write sensitive data to files and directories under the virtual filesystem on ~/Private. The actual files stored in the underlying filesystem are encrypted, and located in ~/.Private. The only passphrase required is obtained when logging in (via console, ssh, gdm, etc). And the only files encrypted are those that the user consciously places in ~/Private. The user can then incrementally backup the encrypted ~/.Private directory to off-site storage.
Most of the integration of Encrypted Private Directories has been completed in Intrepid, and now we’re looking for some proactive Ubuntu users to test this functionality before the legions of Ubuntu users begin trusting this technology with their personal data. With your help, hopefully we can shake out any remaining functionality or usability issues.