Mittwoch, 29. April 2009

Encrypted Home in Ubuntu Jaunty with eCryptfs (English Version)

(Die deutsch Version ist hier)

Encryption is very important especially on a mobile device. It is normally done in the Linux world with block device encryption, e.g. LUKS. Since Intrepid exists the option to encrypt a private directory within the home directory eCryptfs.

Now, in Jaunty eCryptfs is available with complete encryption of the personnel directory in /home. This encryption works per user, it is possible to have one user encrypted and an other user not encrypted. Only have the personnel directory encrypted, should bring more performance than the whole drive, but it is less safe. A comparison with other encryption methods could be found in the eCryptfs FAQ (link below). In any case you should also encrypt your swap partition, if you have one.

You should also refer to my former posts about encryption principles in Ubuntu "Verschlüsselung in Ubuntu - Überblick". Sorry, only in German at the moment.

How does the installation work?

First the user is deleted incl. all of his data in /home. Then the user is recreated with encrypted directory in /home. It is not necessary to have /home on a separate partition. Because all data of the personnel directory in /home is deleted you should do this directly after installing Jaunty. Otherwise you have to safe all your date incl. hidden directories to a different place.

There is no second password required, the users login password encrypts the passphrase which encrypts the data. Therefore your login password should be strong as well, means contain numbers and special characters.

After encrypting is not easily possible to access the personnel data from e.g. a live-CD. How this works you can read in my post Mounten eines mit Ecryptfs verschlüsselten Home
(in German) or directly in Dustin Kirklands blog for the English version.

Please backup your data now on a external media.

Installation ecryptfs-utils
First you have to install the package ecryptfs-utils. You could do this by using Synaptic or type in a terminal:

sudo apt-get install ecryptfs-utils

Encryption of the home directory for the only user

After installing Jaunty restart the computer and choose in the Grub menu (boot menu) the recovery entry. If you do not see the Grub menu you can press ESC to show it.
Depending if you have friendly-recovery installed you see either a second menu. There you can choose the root entry (scroll down). Or you are directly at the prompt.

to delete the user type:

deluser --remove-home steffen

Please change "steffen" to your user. With that command every personnel data of this user is deleted!

to recreate the user type:

adduser --encrypt-home steffen

Then you have to set the users password. Following you can answer the questions by accepting the presets with Enter. Please note the shown passphrase, you can also do it later.

Our recreated user needs to be the admin again:

adduser steffen admin

In Jaunty users are also member of group sambashare:

adduser steffen sambashare

And users should be able to add a printer (group LPADMIN):

adduser steffen lpadmin

With that commands everything should be as before, except of the encrypted personnel directory.

Press in the terminal Ctrl+D to boot normally.

Attention! If something goes wrong, you can recreate a non-encrypted user with:

adduser steffen
adduser steffen admin

adduser steffen sambashare
adduser steffen lpadmin

Additional user
If you only want to create a additional encrypted user please type this instead in a normal terminal. You do not have to reboot and use the recovery session. Also there is no need to delete any user.

sudo adduser --encrypt-home steffen

Replace "steffen" by your user. Normally this user needs no root rights.

Encrypt Swap partition
If you have one, you should encrypt it. But this breaks you ability to hibernate. Stand by works. On a big machine normally is no need for a swap. On my NC10 netbook I do not use one as well. This encryption is done by block device encryption with the package cryptsetup.

In a normal terminal type:

sudo apt-get install cryptsetup
sudo ecryptfs-setup-swap

Please note the passphrase
You can show it every time in a terminal by typing :

ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

Then you will be asked for your normal login password.

Ecryptfs FAQ
Ecryptfs Homepage at Launchpad

Attention: Everything is tested but I can give no warranty.

Keine Kommentare:

Kommentar veröffentlichen