What’s in my Encrypted ~/Private directory?

October 3, 2008

Ubuntu Intrepid’s integration of Per-User Encrypted Private Directories is, to me, one of the most important new features in the 8.10 release later this month.

I’ve spent quite a bit of time over the last 5 months developing, testing, documenting, and blogging about this feature.

Some people have asked, “What do you keep in your encrypted ~/Private directory?”  So I thought I’d respond here.  If there happen to be any other planet.ubuntu.com bloggers out there using an Encrypted Private Directory, perhaps this should be our next meme 🙂

kirkland@t61p:~/Private$ ls -alF
total 40
drwx------ 10 kirkland kirkland 4096 2008-10-03 10:30 ./
drwx------ 95 kirkland kirkland 4096 2008-10-03 10:24 ../
drwx------  4 kirkland kirkland 4096 2008-10-03 10:23 Documents/
drwx------  5 kirkland kirkland 4096 2008-10-03 10:30 .evolution/
drwx------  2 kirkland kirkland 4096 2008-10-03 09:54 .gnupg/
drwx------  4 kirkland kirkland 4096 2008-02-14 06:59 .mozilla/
drwx------  6 kirkland kirkland 4096 2008-10-03 10:28 .purple/
drwx------  2 kirkland kirkland 4096 2008-10-01 13:31 .ssh/
drwx------ 10 kirkland kirkland 4096 2008-10-03 09:03 .xchat2/

To protect your sensitive data in Intrepid, such as documents, mail, calendars, contacts, browser cache, messaging logs, and encryption keys, you can simply do the following:

  • Install ecryptfs-utils
    • $ sudo apt-get install ecryptfs-utils
  • Set up your private directory
    • $ ecryptfs-setup-private
  • Enter your login password, and either choose a mount pass phrase or generate one
    • Record both pass phrases in a safe location!!!  They will be required if you ever have to recover your data manually.
  • Log out, and log back in to establish the mount (the mount is set up at login, so ~/Private is empty until then)
  • Make sure that the application whose data you want to protect (e.g. Firefox or Evolution) is not running
    • $ ps -ef | grep evolution
  • Move the application’s data directory (e.g. ~/.mozilla or ~/.evolution) into your ~/Private directory
    • $ mv ~/.evolution ~/Private
  • Establish a symbolic link from the old location to the new location
    • $ ln -s ~/Private/.evolution ~/.evolution

I could provide a script to do this, but care must be taken that applications are not reading and writing data in these directories while they are being moved, so I recommend handling this manually.  Note also that ~/Private is a separate filesystem: mv copies the data across and then unlinks the originals, so the old plaintext blocks remain on the underlying disk until they are overwritten.

Note: If you put all of .ssh in ~/Private, you won’t be able to ssh into the system using public key authentication, because sshd looks for ~/.ssh/authorized_keys before you have a session, when ~/Private is not mounted.  In this case, you might want to put only your private key in ~/Private, and leave the rest in the clear.
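The steps above, the warning about running applications, and the .ssh exception, collected into one POSIX shell script.  This is an added example, not the post’s own code or part of ecryptfs-utils; it assumes the mount table is readable from /proc/mounts (MOUNTS_FILE can point elsewhere for testing) and that pgrep is installed.  Each function refuses to touch anything unless ~/Private really is an eCryptfs mount, the target does not already exist, and the application is not running:

```shell
#!/bin/sh
# Added example, not the post's own code: move an application's data
# directory into the mounted ~/Private and leave a symlink behind, with
# the checks the post asks you to do by hand.  Assumptions (not from the
# post): the mount table is /proc/mounts (override MOUNTS_FILE to test
# without a real mount) and pgrep is available.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# private_mounted DIR: succeed if DIR is currently an eCryptfs mount point.
# Without this check, mv would drop plaintext into the empty, unmounted
# ~/Private directory on the ordinary filesystem.
private_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# app_running NAME: succeed if we own a process with exactly that name.
app_running() {
    pgrep -u "$(id -u)" -x "$1" >/dev/null 2>&1
}

# migrate_dir SRC PRIVATE [APP]: move SRC to PRIVATE/<basename> and replace
# SRC with a symlink.  On any failed precondition nothing is touched.
migrate_dir() {
    src=$1; private=$2; app=${3:-}
    name=$(basename "$src")
    if [ -L "$src" ]; then
        echo "$src is already a symlink, nothing to do" >&2; return 1
    fi
    if [ ! -d "$src" ]; then
        echo "$src is not a directory" >&2; return 1
    fi
    if ! private_mounted "$private"; then
        echo "$private is not an eCryptfs mount; log in first" >&2; return 1
    fi
    if [ -e "$private/$name" ]; then
        echo "$private/$name already exists; merge it by hand" >&2; return 1
    fi
    if [ -n "$app" ] && app_running "$app"; then
        echo "$app is running; close it before moving $src" >&2; return 1
    fi
    mv "$src" "$private/$name" && ln -s "$private/$name" "$src"
}

# migrate_ssh_keys SSHDIR PRIVATE: the .ssh exception from the post.  Only
# files that are PEM private keys move into PRIVATE/.ssh (and are symlinked
# back); authorized_keys, known_hosts and *.pub stay in the clear so sshd
# can still accept public-key logins while ~/Private is not mounted.
# Prints the number of keys moved.
migrate_ssh_keys() {
    sshdir=$1; private=$2
    private_mounted "$private" || return 1
    mkdir -p "$private/.ssh" && chmod 700 "$private/.ssh" || return 1
    moved=0
    for f in "$sshdir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        head -n 1 "$f" | grep -q 'BEGIN .*PRIVATE KEY' || continue
        mv "$f" "$private/.ssh/" && ln -s "$private/.ssh/$(basename "$f")" "$f" || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Usage: sh migrate-private.sh ~/.evolution ~/Private evolution
if [ "$#" -ge 2 ]; then
    migrate_dir "$@"
fi
```

The mount check reads the mount table rather than testing whether ~/Private is empty, because an unmounted ~/Private is an ordinary, empty directory that mv would happily fill with plaintext.  The private-key test looks at the first line of each file, so a key in the newer OpenSSH format is moved too, while authorized_keys and public keys are left where sshd can read them.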

Please open any bugs or ask any questions in Launchpad.

:-Dustin

19 Responses to “What’s in my Encrypted ~/Private directory?”

  1. tawmas Says:

Just to remark that, if you symlink your whole ~/.ssh folder, you’ll lose the possibility to log in to your box via public key authentication, because ~/.ssh/authorized_keys is not available.

    I’ve kept my ~/.ssh as a real directory, and symlinked every file in there except authorized_keys. This is hackish, and a moderate mess to maintain, but I couldn’t figure out another way to do that.

  2. Dustin Kirkland Says:

    tawmas-

    Excellent point. See this bug (which I suspect you might have reported?)
    * https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/268014

    :-Dustin

  3. tawmas Says:

    Dustin,

    yep it was me! Thanks for looking into that. I’m switching to the scheme you mention in that bug report.

  4. macoafi Says:

    What if you want it on Hardy? Hrm…I wonder if I can install Intrepid user-space on Hardy’s kernel…

  5. Dustin Kirkland Says:

    I don’t recommend running this in Hardy.

    :-Dustin

  6. miekg Says:

    And how about backups? I do not turn my computer off and I’m always logged in… this means this ~/Private directory is available in unencrypted form. When my backup runs this means the ~/Private directory will be backed up in plain text (i.e. not encrypted).

What I need is the following: ONLY for my uid ~/Private is unencrypted, for ALL OTHER (even root) users it is encrypted.
    This way my backups will stay encrypted even if they run while I’m logged in.

  7. miohtama Says:

    A good tutorial.

It’s a major turn-off and a security risk if you need to manually symlink directories to protect your data – this feature is definitely not end-user feasible. If you encrypt your data you expect it to be safe, automatically.

Why do we need a separate directory? Why can’t we just encrypt /home/whoever like OS X does?

  8. (``-_-´´) BUGabundo Says:

    What is your opinion on encFS?

I’ve been using it for years and I really like it.

    Is there any benchmark between the two?


  9. […] to start, this time about the contents of their ~/Private directory. One of those posts — What’s in my Encrypted ~/Private directory? — helped me a lot with setting up my […]

  10. qense Says:

    What happens when you use the fast-user-switch-applet to quickly let e.g. a guest use your computer? You are still logged on, so it would make sense to keep the encrypted directory mounted.
    However, this would mean that the encryption barrier wouldn’t work in that case. Is that true?

  11. Dustin Kirkland Says:

    On October 4, 2008 at 8:03, miekg wrote:
    > And how about backups? I do not turn my computer off
    > and I’m always logged in… this means this ~/Private
    > directory is available in unencrypted form. When my
    > backup runs this means the ~/Private directory will be
    > backed up in plain text (i.e. not encrypted).

    I have automated backups too. In my backup scripts, I have something like:

# refuse to run the backup if ~/Private cannot be unmounted (e.g. files open)
umount.ecryptfs_private || exit 1

# with ~/Private unmounted, only the ciphertext in ~/.Private is copied
rsync -aP /home/kirkland remote:/backup/home/kirkland

mount.ecryptfs_private

    Basically, I force an unmount of my private directory, and mount it back when I’m done.

    > What I need is the following: ONLY for my uid
> ~/Private is unencrypted, for ALL OTHER (even root)
    > users it is encrypted.

    Absolutely, and that’s on our to-do list in the ecryptfs project. However, this will need to be handled via MAC (Mandatory Access Control) provided by SELinux/AppArmor. We have a bug about this in Launchpad:

    * https://bugs.launchpad.net/ecryptfs/+bug/278290

    :-Dustin
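The same unmount-copy-remount sequence with the checks filled in, as an added example (not the commenter’s script, and not part of ecryptfs-utils).  It assumes the mount table is readable from /proc/mounts and that ecryptfs-setup-private keeps the ciphertext in ~/.Private and the wrapped passphrase under ~/.ecryptfs; MOUNTS_FILE, ECRYPTFS_UMOUNT and ECRYPTFS_MOUNT can be overridden to exercise it without a real mount, and the copy is done with cp so it runs where rsync is absent:

```shell
#!/bin/sh
# Added example, not the commenter's script: back up $HOME with ~/Private
# unmounted, so the backup receives only the ciphertext in ~/.Private and
# the wrapped passphrase in ~/.ecryptfs.  Assumptions (not from the post):
# the mount table is /proc/mounts and the copy is done with cp; override
# MOUNTS_FILE, ECRYPTFS_UMOUNT and ECRYPTFS_MOUNT to test without a real
# eCryptfs mount.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
ECRYPTFS_UMOUNT="${ECRYPTFS_UMOUNT:-umount.ecryptfs_private}"
ECRYPTFS_MOUNT="${ECRYPTFS_MOUNT:-mount.ecryptfs_private}"

# private_mounted DIR: succeed if DIR is currently an eCryptfs mount point.
private_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# copy_tree SRC DEST: copy every top-level entry of SRC except the Private
# mount point.  The exclude is a second line of defence: even if the
# unmount reported success but the plaintext view is somehow still there,
# nothing below Private/ is copied.  (rsync -a --exclude=/Private/ does the
# same job; cp is used here so the example runs without rsync.)
copy_tree() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    for entry in "$src"/* "$src"/.[!.]*; do
        [ -e "$entry" ] || continue
        [ "$(basename "$entry")" = "Private" ] && continue
        cp -R -p "$entry" "$dest/" || return 1
    done
}

# backup_home HOME DEST: unmount Private if it is mounted, copy, remount.
# Refuses to copy anything while the plaintext view is still mounted.
backup_home() {
    home=$1; dest=$2
    remount=0
    if private_mounted "$home/Private"; then
        # the unmount fails while a file under Private/ is open: better to
        # skip this run than to copy plaintext
        "$ECRYPTFS_UMOUNT" || { echo "cannot unmount $home/Private, skipping backup" >&2; return 1; }
        remount=1
        trap '"$ECRYPTFS_MOUNT"' EXIT   # remount even if the copy aborts
    fi
    if private_mounted "$home/Private"; then
        echo "$home/Private still mounted, refusing to copy" >&2
        trap - EXIT
        return 1
    fi
    if copy_tree "$home" "$dest"; then rc=0; else rc=1; fi
    if [ "$remount" -eq 1 ]; then "$ECRYPTFS_MOUNT"; trap - EXIT; fi
    return $rc
}

# Run for real only when a destination is given, e.g.
#   BACKUP_DEST=/media/backup/kirkland sh backup-private.sh
if [ -n "${BACKUP_DEST:-}" ]; then
    backup_home "$HOME" "$BACKUP_DEST"
fi
```

Two things the one-liner version does not do: it re-reads the mount table after umount.ecryptfs_private returns, rather than trusting its exit status, and it excludes Private/ from the copy regardless, so a backup taken while the directory is mounted can never contain plaintext.  Remember that the ciphertext in ~/.Private is only useful together with the mount pass phrase (or the wrapped copy in ~/.ecryptfs plus your login password), which is why the post tells you to record both pass phrases.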

  12. Dustin Kirkland Says:

    On October 4, 2008 at 9:33 am, miohtama wrote:
    > It’s a major turn off and a security risk if you need
    > to manually symlink directories to protect your data –
    > this feature is not definitely end user feasible. If
    > you encrypt your data you expect it to be safe,
    > automatically.

    We’re hoping to provide some graphical administration utilities for Jaunty. See:
    * https://bugs.launchpad.net/bugs/257901

    > Why we need separate directory, why just we can’t
    > encrypt /home/whoever like OS X does?

    That was actually my original proposal at the Ubuntu Developer Summit in May of 2008 in Prague. However, it was deemed ‘too aggressive’ for Intrepid. The compromise was to provide a single encrypted directory where Ubuntu users could choose to copy or link their most sensitive data there. I will revisit the proposal in the December 2008 Ubuntu Developer Summit in Mountain View.

    :-Dustin

  13. Dustin Kirkland Says:

    On October 4, 2008 at 4:48 pm, BUGabundo wrote:
    > What is your opinion on encFS?
    > I’ve been using it for years and a I really like it.
    > Is there any benchmark between the two?

    Please see:
    * https://answers.launchpad.net/ecryptfs/+question/46302

    In brief, ecryptfs is very similar to encfs, however, eCryptfs exists within the kernel, while encfs runs in userspace (thus, more context switching, perhaps some performance impact).

    I do not have any benchmarks.

    :-Dustin

  14. Dustin Kirkland Says:

    On October 4, 2008 at 6:40 pm, qense wrote:
    > What happens when you use the fast-user-switch-applet to
    > quickly let e.g. a guest use your computer? You are
    > still logged on, so it would make sense to keep the
    > encrypted directory mounted.
    > However, this would mean that the encryption barrier
    > wouldn’t work in that case. Is that true?

    See my response above regarding SELinux and AppArmor as enforcers of Mandatory Access Controls.

Even if your private directory is mounted, guest users will not be able to access it because of Discretionary Access Controls (i.e., the permissions on ~/Private are 700, rwx------).

    That said, I will look into hooking the Guest-Session applet to run umount.ecryptfs_private.

    :-Dustin

  15. (``-_-´´) BUGabundo Says:

@Dustin: last night I made a new encFS folder and activated my ecrypt/Private folder.

    encFS was made with Paranoid settings;

    I used bonnie++ and dd (timeout 300 dd if=/dev/zero of=lixo and timeout 300 dd if=/dev/urandom of=lixo)

    with zero, both systems ran between 6 and 10 MiB/s.
    with urandom i got around 3-4MiB/s.
    on an encrypted folder values from 3 tests were between 14 and 27 MiB/s.

    Conclusion: both ecrypt and encFS seem to have the same hit, performance wise;
    encFS is more flexible as it allows you to choose the level of encryption, and where to put the folder, but ecrypt works as soon as you login.

  16. Dustin Kirkland Says:

    pascalandreas wrote:
    > Will this also be available in Kubuntu Intrepid?

    Yes, of course. There should be no difference for Kubuntu, Xubuntu, Mythbuntu, etc.

    :-Dustin

  17. Dustin Kirkland Says:

    On October 6, 2008 at 12:33 pm, BUGabundo wrote:
    > Conclusion: both ecrypt and encFS seem to have the same
    > hit, performance wise;
    > encFS is more flexible as it allows you to choose the
    > level of encryption, and where to put the folder, but
    > ecrypt works as soon as you login

    This is open source world… I welcome you to use encFS instead, if that’s your preference.

    :-Dustin

  18. (``-_-´´) BUGabundo Says:

    @Dustin I have no preference at this moment.
    I’ve been using encFS for several years on Ubuntu.
    The change from Hardy to Ibex gave me some problems (https://bugs.launchpad.net/ubuntu/+source/encfs/+bug/234818) because the default algorithm on hardy has been replaced on Intrepid.

    ecryptfs is NEW, so I’m just asking around. maybe both can improve from each other.

