Thursday, February 25, 2010

Encrypting Your Laptop: EEE PC (Ubuntu Netbook Remix) Edition

Continuing from my previous post regarding encrypting my employer-issued Mac, here I describe the experience of encrypting my netbook running, as the title says, Ubuntu Netbook Remix.

OS X includes FileVault for encrypting your home directory and is braindead simple to implement. It allows for live home directory encryption; that is, if you have the space available on your laptop and turn on FileVault, you don't have to do anything to your directory that involves copying or manipulating your files in order to get protection. Most of the time was spent just sitting and waiting while the laptop went ahead and started altering my home directory for me.

Ubuntu...not quite so much.

It's not fair to say that Linux makes it completely difficult to implement encrypted home directories. The latest versions of Ubuntu support eCryptfs, the encrypted filesystem. This is built on the FUSE filesystem, which allows users to mount "plugin"-supported filesystems (FUSE is a topic all of its own; I can use FUSE to do neat things like mount an SSHFS filesystem, a mount over secure shell. I used to do this to gain access to my home computer's files as if they were mounted locally on my work computer's directory tree.)

The main problem I ran into was that Ubuntu's supported home directory encryption was meant for implementation when users are newly created or when the system is being set up. There is no "live migration" as of Ubuntu 9.10.

There were instructions that were supposed to support a manual move to an encrypted home directory. I had a second computer, so I logged off of my netbook and secure shelled into the system from another system (you can't have files being accessed while you're trying to move them from your home directory, and part of the instructions tells you to log off the graphical interface to minimize the risk of corruption.) I tried those directions twice, and both times failed miserably.

What I ended up doing was first disabling the automatic login to my administrative user by going to system->login screen and telling it to "show the screen for choosing who will log in".

Next I set about the task of creating a new user using the "adduser --encrypt-home tempusername" command, giving that user full sudo privileges by adding him to the admin group, then logging in as the new user. Next I synced my original user's files with the new user's directory (from secure shell, not the graphical login) using the command "sudo rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs /home/username/ /home/tempusername". This copied all the files from the original unencrypted directory to the encrypted new user's subdirectory.

Next I changed ownership to the new user. Probably unnecessary, but I did it for testing purposes; "sudo chown -R tempusername:tempusername *" from the new user's home directory. Then, to catch the hidden files as well, "sudo chown -R tempusername:tempusername .*"

A quick "ls -al" told me that I had caught all the files in the new user's home directory in the net of ownership to the temporary user. I then logged in as the new user on the netbook and lo and behold, my customized color scheme, icons, configuration...all of it...popped up. I checked that my files were intact and happily found that they were.

Next I deleted the old home directory by changing to /home and running "sudo rm -fr username", as well as removing the user from the user management GUI (which just disables the user; the home directory is left intact.)


Then I went back to the command line and ran "adduser --encrypt-home username" to create that username again. I verified that /home/.ecryptfs now had a home directory for that user, then reversed my sync of directories; "sudo rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs /home/tempusername/ /home/username", followed by a "sudo chown -R username:username *" and "sudo chown -R username:username .*" from within username's home directory.
 
Once the sync was complete I logged in on the netbook again and my desktop once again popped up to greet me! Yay!

I then deleted the tempusername from the Users and Groups utility and deleted the subdirectory for tempusername from /home and /home/.ecryptfs; the last one is the actual home directory, where the encrypted files are kept. The "home" directory directly under /home is a mountpoint.

To sum it up, what I ended up doing was creating a new user with an encrypted home directory, copying my data there, then deleting my username and username's home directory and rebuilding it by creating a new user with my old username's name and copying my home directory contents *back* over to the newer username that I just created.
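The temp-user migration above, written as an added example (not the post's own commands) with the checks I would want before copying anything: the target home must actually be an eCryptfs mount, the eCryptfs control files are excluded so the target user's own key material is not overwritten, and ownership is fixed with one chown on the directory rather than the "*" and ".*" globs. The script assumes an Ubuntu host with adduser --encrypt-home, is run as root, and is invoked once in each direction (username to tempusername, then tempusername back to the recreated username).

```shell
#!/bin/sh
# Added example, not from the original post: the temp-user migration
# wrapped in functions with sanity checks. Assumes Ubuntu, run as root.

# The rsync the post uses. .Private holds the encrypted lower files and
# .ecryptfs holds the wrapped passphrase and signature of the TARGET user,
# so neither may be overwritten with the source user's copies.
sync_cmd() {
    printf 'rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs %s/ %s' "$1" "$2"
}

# $1 = mount table (normally /proc/mounts), $2 = home directory.
# Succeeds only if that directory is currently mounted as ecryptfs; copying
# into an unmounted home would drop the data on the unencrypted lower dir.
is_ecryptfs_mount() {
    awk -v h="$2" '$2 == h && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$1"
}

# Prints every path under $1 not owned by user $2; empty output means the
# chown caught everything, dotfiles included. Running chown -R on the
# directory itself avoids the ".*" glob, which also matches ".." (/home).
not_owned() {
    find "$1" ! -user "$2" -print
}

# migrate OLDUSER NEWUSER: NEWUSER must be logged in (so its home is
# mounted) and OLDUSER logged out, as in the post.
migrate() {
    old=$1; new=$2
    if ! is_ecryptfs_mount /proc/mounts "/home/$new"; then
        echo "/home/$new is not an ecryptfs mount; log in as $new first" >&2
        return 1
    fi
    eval "$(sync_cmd "/home/$old" "/home/$new")" || return 1
    chown -R "$new:$new" "/home/$new"
    # Fail loudly if any file is still owned by someone else.
    [ -z "$(not_owned "/home/$new" "$new")" ]
}

if [ "$#" -eq 2 ]; then
    migrate "$1" "$2"
fi
```

After the second run (back into the recreated username), the leftover /home/tempusername and /home/.ecryptfs/tempusername are still removed by hand as the post describes.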

Now when I log in it's using eCryptfs to protect my home directory. Is it particularly user friendly? Not in my opinion. No end user is going to want to sit down and create a "temporary user" to hold data, then delete and recreate their username so it will be encrypted.

There was also no built-in way to scrub slack space; my files were deleted, but they're still recoverable with disk-recovery utilities. In order to truly delete that old data you need to overwrite the "cleared" space a few times with nonsense data. Over time those files will be naturally erased as I use the computer and other data is added and removed, and without a special utility I'll have to rely on that.

A second problem is that the EEE PC uses a form of flash for storage, like an internal USB thumb drive. From what I understand the cells used to hold the information have a limited "write" lifecycle. The more you write to them, the sooner they'll fail, so controllers use algorithms to write to random spots on the drive to minimise wear on the cells. Running a scrub operation to overwrite the disk spots (and thus make my old data irretrievable) can wear more on the drive and there's no guarantee it's going to actually write where it needs to write to hide old data. Then again, I'm not a storage technology expert, so I don't know if there's a different mechanism at work here or not.

Overall the netbook encryption was more manual and difficult a process than it was on the Mac. If it weren't for my own experience in using Linux, I'd not have been able to easily do it. Even the encrypted home directory feature is not fully advertised in the Ubuntu installer; it's more of a stealth feature being tested internally and by advanced users worried about privacy. This is evident in the fact that to even create the encrypted home directory you have to add the user via the command line since the GUI user manager doesn't have the option. No doubt the feature will appear in a later version of Ubuntu. It'll be interesting to see what the next netbook remix version will bring in options for data protection should my netbook get stolen...
