Revision 11 as of 2008-10-30 14:01:22


Ubuntu Intrepid Ibex brings an interesting new security feature to both desktop and server users: the Encrypted ~/Private Directory.

Set Up Your Encrypted Private Directory

  1. Install ecryptfs-utils

     sudo apt-get install ecryptfs-utils 

  2. Set up your private directory

     ecryptfs-setup-private 

  3. Enter your login password, and either choose a mount pass phrase or generate one.
    • Record both pass phrases in a safe location!!! They will be required if you ever have to recover your data manually.

  4. Log out, and log back in to establish the mount

Use Your Encrypted Private Directory

After logging back in, all content of any files or folders you write in ~/Private will be encrypted when written to the disk, in the hidden directory ~/.Private.

Storing Your Keys, Email and other Data in ~/Private

It can be a good idea to move your .evolution/, .ssh/ and .gpg/ directories into ~/Private and replace each of them with a symlink.

  1. Make sure that the application whose data you want to protect (e.g. Firefox or Evolution) is not running

     ps -ef | grep evolution 

  2. Move the application's data directory (e.g. ~/.mozilla or ~/.evolution) into your ~/Private directory

     mv ~/.evolution ~/Private 

  3. Establish a symbolic link from the old location to new location

     ln -s ~/Private/.evolution ~/.evolution 
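
The three steps above can be wrapped in a shell function that first checks that ~/Private is a live eCryptfs mount, since data moved into an unmounted ~/Private would not be encrypted. This is an added example, not part of the original page; the function names and the MOUNTS_FILE test override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). MOUNTS_FILE is a hypothetical
# override for testing; by default the kernel's /proc/mounts is read.

# Succeed only if DIR is currently an eCryptfs mount point.
# (Paths containing spaces are escaped in /proc/mounts and will not match.)
is_ecryptfs_mounted() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    awk -v d="$dir" '$2 == d && $3 == "ecryptfs" { ok = 1 } END { exit !ok }' \
        "${MOUNTS_FILE:-/proc/mounts}"
}

# protect_dir NAME PROC
# Move $HOME/NAME into $HOME/Private and leave a symlink at the old location.
protect_dir() {
    name=$1
    proc=$2
    src="$HOME/$name"
    priv="$HOME/Private"

    # If ~/Private is not mounted, data moved there would not be encrypted.
    if ! is_ecryptfs_mounted "$priv"; then
        echo "refusing: $priv is not a mounted eCryptfs directory" >&2
        return 1
    fi
    # Step 1: the application must not be running.
    if pgrep -u "$(id -u)" -x "$proc" >/dev/null 2>&1; then
        echo "refusing: $proc is still running" >&2
        return 2
    fi
    if [ -L "$src" ] || [ ! -d "$src" ]; then
        echo "refusing: $src is missing or already a symlink" >&2
        return 3
    fi
    if [ -e "$priv/$name" ]; then
        echo "refusing: $priv/$name already exists" >&2
        return 4
    fi
    # Steps 2 and 3: move the directory, then link old location to new.
    mv "$src" "$priv/" && ln -s "$priv/$name" "$src"
}

# Usage: protect_dir .evolution evolution
```
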

Recovering Your Data Manually

These steps should only be required in unusual or emergency circumstances, when you must manually mount your encrypted ~/Private directory to recover your data. You can use this to mount your data if it's backed up on a different system, or when using a LiveCD, as long as it is running at least the Linux 2.6.26 kernel.

  1. Mount using sudo:
    •  sudo mount -t ecryptfs /home/username/.Private /home/username/Private 

    •  Selection: 3  (use a passphrase key type)

    •  Passphrase:  (Enter the mount passphrase you recorded when you set up the mount; this passphrase is different from your login passphrase.)

    •  Selection: aes  (use the aes cipher)

    •  Selection: 16  (use a 16 byte key)

    •  Enable plaintext passthrough: n 

Assuming you entered your passphrase correctly, you should be able to temporarily access your data at  /home/username/Private . Back this data up accordingly.

Recovering Your Mount Passphrase

In the event that you did not write down your mount passphrase, you may be able to recover it by decrypting the file  ~/.ecryptfs/wrapped-passphrase  using your login passphrase.

  •  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase "login passphrase" 

  • It's a good idea to clear your shell history at this point to erase your login passphrase
  •  history -c 

If your login passphrase matches the passphrase used to encrypt the wrapped-passphrase file, your mount passphrase will be written to the screen. Record and protect this data accordingly.

If you have lost your wrapped-passphrase file, and you did not record your mount passphrase, it is impossible to access your encrypted data.

Caveats

  • Filenames and directory names will not be encrypted (Bug #264977).

  • Network mounting (NFS, CIFS, Samba) of /home will not work properly with an encrypted ~/Private (bugs #277578 & #289747).

  • By design, data is not kept private from privileged users while the user is logged in. One consequence of this is that if ~/Private is mounted, a backup solution may back up your decrypted files unless the backup software is configured to exclude files in ~/Private.
  • If you put all of .ssh in ~/Private, some users reported that you won't be able to ssh into the system using public key authentication. In this case, you might want to only put your private key in ~/Private, and leave the rest in the clear.
  • If you choose to store application data in the ~/Private directory, those applications will not operate as expected if the ~/Private directory is unmounted.