2020-07-26 21:21:04 |
Redsandro |
description |
Home encryption using ecryptfs was removed in Ubuntu 18.04 for reasons. Full disk encryption was recommended as an alternative.
Not everyone agrees that encrypting the entire disk is the best alternative. Some prefer a more lightweight solution. Others have families and like to share a laptop, perhaps even with an unprivileged guest account, and family members want to encrypt their home with a personal password.
For some, full disk encryption is unwanted because of reasons. Linux Mint 19, based on Ubuntu 18.04, re-introduced home encryption using ecryptfs because users wanted it.
Can we re-introduce home encryption, this time using fscrypt? Not only was this suggested (way prematurely) by the Ubuntu 18.04 release notes, it's also nearing completion with final patches scheduled for Kernel 5.4. It would be beneficial if we could get this as an option for Ubuntu 20.04 LTS.
Resources:
Encrypted home with fscrypt
https://askubuntu.com/a/1031509/40475
Kernel patches for fs keyring
https://git.kernel.org/pub/scm/fs/fscrypt/fscrypt.git/log/
Key management fixes in fscrypt tools
https://github.com/ebiggers/fscrypt/commits/fscrypt-key-mgmt-improvements |
Home encryption using ecryptfs was removed in Ubuntu 18.04 for reasons. Full disk encryption was recommended as an alternative, and set as the one-size-fits-all solution in ubiquity.
Not everyone agrees that encrypting the entire disk is the best alternative. Some prefer a more lightweight solution. Others have families and like to share a laptop, perhaps even with an unprivileged password-less guest account, and family members want to encrypt their home with a personal password.
Can we re-introduce (an option to choose) home encryption using fscrypt? Not only was this suggested (prematurely) by the Ubuntu 18.04 release notes, it's also feature-complete now with v2 kernel encryption policy patches merged in kernel 5.4, which is the default kernel on Ubuntu 20.04 LTS.
Setup
-----
Steps that would need to be scripted in ubiquity are as simple as:
```
apt install fscrypt libpam-fscrypt
fscrypt setup
fscrypt setup /
fscrypt setup /home ## only if home is on a separate partition
fscrypt encrypt /home/$USERNAME
```
For the rest you can probably re-use the ubiquity widgets and detection code from the ecryptfs days.
Keep in mind that the fscrypt packages on the Ubuntu repositories are outdated. See: https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993
Resources
---------
Fscrypt ext4 native encryption documented on Kernel.org
https://www.kernel.org/doc/html/v5.4/filesystems/fscrypt.html
Build instructions
https://github.com/ebiggers/fscrypt#fscrypt-
Fscrypt on Arch Linux
https://wiki.archlinux.org/index.php/Fscrypt |
|
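An added preflight sketch for the scripted steps in the description above, not part of the bug report or of fscrypt itself: it checks that a kernel release string is at least 5.4 (the release the description names for v2 policies) and that `tune2fs -l` output lists the ext4 `encrypt` feature. The function names and sample inputs are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Preflight checks an installer could run before the fscrypt steps.
# Function names are hypothetical; all sample inputs are constructed.

# Succeeds if a `uname -r` style release string is >= 5.4.
# Returns 1 if older, 2 if the string cannot be parsed.
kernel_supports_v2_policy() {
    release=$1
    case $release in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 4 ] && return 0
    return 1
}

# Reads `tune2fs -l <device>` output on stdin; succeeds if the ext4
# "encrypt" feature flag appears on the "Filesystem features:" line.
ext4_has_encrypt_feature() {
    grep '^Filesystem features:' | tr -s ' \t' '\n' | grep -qx 'encrypt'
}

# $1 = kernel release, $2 = captured `tune2fs -l` output.
preflight() {
    kernel_supports_v2_policy "$1" ||
        { echo "kernel older than 5.4: no v2 encryption policies"; return 1; }
    printf '%s\n' "$2" | ext4_has_encrypt_feature ||
        { echo "ext4 encrypt feature not set (tune2fs -O encrypt <device>)"; return 1; }
    echo "ok"
}

# Constructed sample: abbreviated tune2fs output without the encrypt flag.
SAMPLE_TUNE2FS='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit
Filesystem state:         clean'

# Demo run on constructed input; reports the missing feature flag.
preflight "5.4.0-42-generic" "$SAMPLE_TUNE2FS" || true
```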