Jaunty Encrypted Home Directories

February 27, 2009

So this post isn’t exactly “hot off the press”. It’s about a month late. But better late than never… Two big announcements on the Ubuntu eCryptfs front:

  • Ubuntu now supports per-user encrypted home directories
  • Filenames are now encrypted too

I have been trusting eCryptfs with my entire home directory since December, and things have been working well.

Here are some simple instructions…

Server/Alternate Installer

It’s easy to set up from the server/alternate installer:


LiveCD Desktop Installer

The desktop installation is only slightly more complex. Boot the LiveCD installer, and preseed a special value:

  • Select your language
  • Press F6
  • Then ESC
  • Add “user-setup/encrypt-home=true” just before the ““.

You will see a new option on the user-details page of the installer:


Post-installation, on a Running System

If you have a running Jaunty system, and you want to add another user, you can easily add a new user and have their home directory encrypted, with:

$ sudo adduser --encrypt-home foo_user

Important Caveats!

  1. You really must record your randomly generated mount passphrase after the installation. This is easy to do with:
    $ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
  2. Swap space. Decrypted copies of your files could easily leak to your swap space. I strongly recommend that either:
    • You do not use swap (I have 4GB memory and don’t really need it)
    • Or you encrypt your swap with:
      $ sudo ecryptfs-setup-swap

    In either case, however, you will not be able to hibernate your system (but suspend will continue to work just fine). It is for this reason that the option is hidden in the default installation. We’re trying to fix the swap issues for Karmic.

  3. Auto-login and encrypted-home are simply incompatible. You must enter a password to decrypt your home directory, so automatic login is not possible. However, if you want to automatically log in to your desktop, you can actually use the encrypted-private feature, and store a subset of your data in ~/Private. After installation, you can configure this with:
    $ ecryptfs-setup-private
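
A quick way to check caveat 2 on a running system, as an added example (not part of the original post or of ecryptfs-utils): `plaintext_swaps`, a hypothetical helper, lists active swap areas that are not a `/dev/mapper` mapping declared with the `swap` option in `/etc/crypttab`. It assumes encrypted swap shows up that way; the sample data in `demo` is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: report active swap areas that
# are not backed by a crypttab mapping carrying the "swap" option.
# plaintext_swaps is a hypothetical helper name.
# Usage: plaintext_swaps [swaps_file] [crypttab_file]
plaintext_swaps() {
    swaps=${1:-/proc/swaps}
    crypttab=${2:-/etc/crypttab}
    # Mapping names (field 1) whose options (field 4) include "swap".
    mapped=$(awk '$1 !~ /^#/ && NF >= 4 && index("," $4 ",", ",swap,") {print $1}' \
        "$crypttab" 2>/dev/null) || mapped=
    # Skip the /proc/swaps header line, then test each active swap area.
    tail -n +2 "$swaps" | while read -r dev _rest; do
        [ -n "$dev" ] || continue
        name=${dev#/dev/mapper/}
        encrypted=no
        # Only a /dev/mapper/<name> entry can match a crypttab mapping;
        # raw partitions, swap files and /dev/dm-N entries are reported.
        if [ "$name" != "$dev" ]; then
            for m in $mapped; do
                if [ "$m" = "$name" ]; then encrypted=yes; fi
            done
        fi
        if [ "$encrypted" = no ]; then printf '%s\n' "$dev"; fi
    done
}

# Constructed sample data (not from a real machine): one raw swap partition
# and one dm-crypt swap mapping.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/sda5 partition 2000000 0 -1' \
        '/dev/mapper/cryptswap1 partition 2000000 0 -2' > "$d/swaps"
    printf '%s\n' '# <name> <device> <key> <options>' \
        'cryptswap1 /dev/sda6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256' \
        > "$d/crypttab"
    plaintext_swaps "$d/swaps" "$d/crypttab"
    rm -rf "$d"
}

demo   # prints /dev/sda5
```

On a real system, call `plaintext_swaps` with no arguments; any device it prints is swap that can hold decrypted file contents in the clear.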

Migration of Existing Data to an Encrypted Home Directory

We won’t be able to provide an automated mechanism for live migration of data into your encrypted home directory in time for Jaunty. (Sorry, more pressing Ubuntu Server work took precedence…) I will provide some step-by-step instructions (and maybe a script?) here in my blog–stay tuned!

:-Dustin

19 Responses to “Jaunty Encrypted Home Directories”

  1. Ryan Says:

    Won’t fully encrypted home directories also disable sshing into a system with public key authentication?

  2. crashsystems Says:

    Is this in the installer as of alpha 5? I just booted into alpha 5 in my VM, making sure to tack on that boot parameter, and did not see the encrypted home option in the installer. Might I have been doing something wrong?

  3. crashsystems Says:

    Update: I downloaded a daily build and successfully installed that in my VM with encrypted home directory. So either the newer build fixed the problem, or more likely PEBKAC.

  4. Dave Morley Says:

    Dustin I think in Alpha 5 the encrypted home was removed from the live cd. You might want to check it out.

  5. Stoffe Says:

    What impact on performance does this have? I’m especially interested in knowing how having an encrypted home directory would affect a netbook such as say the Asus EEE PC 1000h or the HP 2133. I’m looking at buying something like one of those in the coming week and will put Ubuntu on it. But since these machines are low-end already… any ideas?

  6. gotgenes Says:

    Very cool. So does this mean there’s now a separation of a user’s password from the user’s decryption password? This was an issue brought up in your previous post–oftentimes we want our encrypted data passphrase to be significantly longer than our user passphrase.

  7. Dustin Kirkland Says:

    Hi Ryan-

    If you're already logged into the system elsewhere (on the desktop, another ssh session, etc), public key will work.

    However, you're correct. If you're trying to start a brand new session, your ~/.ssh/authorized_keys file will not be available.

    You could work around this by creating a .ssh/authorized_keys file in your unmounted home directory. You could do something like the following:

    $ cd /
    $ ecryptfs-umount-private
    $ chmod 700 $HOME
    $ mkdir $HOME/.ssh
    $ chmod 500 $HOME
    $ chmod 700 $HOME/.ssh
    $ echo $PUBKEY >> $HOME/.ssh/authorized_keys
    $ ecryptfs-mount-private

    :-Dustin

  8. Dustin Kirkland Says:

    Dave-

    Please read the whole post 😉

    “The desktop installation is only
    slightly more complex. Boot the LiveCD
    installer, and preseed a special
    value…
    user-setup/encrypt-home=true
    …”

    :-Dustin

  9. Dustin Kirkland Says:

    Stoffe-

    There is a performance impact. In some cases, it's negligible, but in others, it's not. It really depends on what you're doing.

    Michael Larabel of Phoronix has been running some numbers. See:
    * http://global.phoronix-test-suite.com/?k=profile&u=phorocrypt-16497-10491-19665

    On my dual-core/4GB Thinkpad, the performance hit is absolutely unnoticeable. On a single Atom or Celeron processor, though, it might be a bit more trying.

    Some users have reported that the initial login authentication is very slow on Asus EEE PC's with encrypted home directories:
    * https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/295429

    Cheers,
    :-Dustin

  10. Stoffe Says:

    Ok, thanks for the info. 🙂

  11. Dustin Kirkland Says:

    Hi gotgenes-

    For a full response, see:
    * http://blog.dustinkirkland.com/2009/02/how-encrypted-home-ecryptfs-works.html

    Cheers,
    :-Dustin

  12. Jens Says:

    I’m now installing alpha 6 with encrypted home.
    Wow, this is great, I waited 2 years on this feature, and I’m really happy to see it in the jaunty installer…

    Nice work Dustin, Thank you so much!

  13. Giordano Says:

    Hi Dustin, any news about this?

    “I will provide some step-by-step instructions (and maybe a script?) here in my blog–stay tuned!”

    I upgraded from Intrepid to Jaunty and I would really like to move from private directory to encrypted home directory, but I don’t know how to do it… 😐

    Thanks!!

    Giordano

  14. Karthik Says:

    Any updates on moving an existing users home directory to an encrypted one ?

  15. Karthik Says:

    Any instructions to convert existing unencrypted home to encrypted one ?

    Thanks

    Karthik

  16. darwinsurvivor Says:

    Ok, I have a HUGE problem right now. I just had to reinstall Jaunty (due to driver issues) and now I can’t access my files.

    I have my /home folder on a separate partition, so I didn’t even think twice about reinstalling my OS. Now it seems that the encryption key (encrypted by my login password) is actually stored in /var/lib/ecryptfs/user?!?

    Is there ANY way to recover my encryption key? All my files are still there, I just can’t open any of them and very few actually got backed up.

    If someone can even give me a command to grep my hard drive for a pattern that matches something that would be in the cypher file, it would be greatly appreciated since there is a *slim* chance it may still be there.

    If I am correct about the way the key is stored, please consider my case when revising your system and put the keys in the “/home” folder!

  17. ZAP Says:

    Home directory encryption seems to be linked to a user’s password in a non-functional way. I created a user with an encrypted home directory and then later changed that user’s password. When I logged out and back in, I no longer saw any of my previous home directory files (I had a functional but default home directory).

    Changing the password back to what it was when I set up the encrypted home directory restored all of my files and settings, but it should be possible to change your password when using this feature.

    This glitch made me think that it might actually be trivial to add a “panic” password (which would open to a default home directory) to this system as well as the regular one (which would open the encrypted home directory files).

  18. Alper Says:

    (I had difficulty posting this, I hope I didn’t post same msg over and over again)

    Hi Dustin,
    I chose “encrypt home directory” during Jaunty installation, and I have two questions regarding encryption.
    When I boot with LiveCD to laptop, I cannot mount the /home directory in laptop’s harddrive. That’s good but when I do:
    dd if=/dev/sdaX | strings
    I can see printable text in that partition. So, I thought the contents of files are encrypted not only their headers. So, aren’t the contents of files encrypted?
    Second question is that, I’m seeing many ecryptfs related error or warning messages in /var/log , these are the most frequent ones:
    – Warning: Using default salt value (undefined in ~/.ecryptfsrc)
    – ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [xxxxxxxxxxxx] to the keyring; rc = [1]
    – ecryptfs_add_passphrase_key_to_keyring: Error adding auth tok with sig [yyyyyyyyyyyy] to the keyring; rc = [1]

    Are these normal messages, or smt wrong in my setup?
    By the way, I don’t have the file you mention in your blog, ~/.wrapped-passphrase, instead I have ~/.ecryptfs/wrapped-passphrase. Is this normal?

  19. Cont Says:

    I'm trying to create a new user with encrypted home dir using 9.04 live on some usb pen drive with persistence. Using "sudo adduser --encrypt-home foo_user" the account is created just fine, but I cannot graphically login because gdm doesn't start. I can only login using the console.

