
Summary

We already have the necessary components to set up encrypted partitions (including /). We describe the goals for Ubuntu and the remaining work that needs to be done to get convenient support for those in the installer.

Release Note

Both the graphical and the alternate installer now support encrypting the hard disk. This provides reliable data security (limited by the strength of the chosen password, of course) for machines which are switched off, such as stolen or raided equipment.

Rationale

Computers have become ubiquitous, and with them the habit of storing all kinds of personal and business-relevant data on them. Laptops in particular are a common target for theft. Similarly, people might be concerned about securing their servers in case they get raided. This is subject to the relevant country's legal status, of course.

Use Cases

Assumptions

This specification proposes encrypted block devices, in contrast to encrypted file systems or solutions which encrypt and decrypt single files or directories on the fly. The existing technologies for block devices are much better developed and tested, and they are transparent to the entire system, so they do not need any particular adaptations to desktop software.

This is also limited to the initial configuration when installing Ubuntu. Other scenarios, like converting existing systems to encrypted partitions, or providing an application for the less common configuration tasks should be handled in future specifications.

Encrypted removable devices have been supported in Ubuntu since 5.04 and thus are not covered here.

Design

Technology

The Linux kernel offers dm-crypt for handling encrypted block devices. However, dm-crypt alone does not provide any metadata about the underlying partition: no UUID, no magic to indicate that this is an encrypted partition in the first place, no record of the encryption algorithm used, and no keyring. This kind of metadata is provided by the LUKS header, implemented in our cryptsetup. With this format, we retain the correct handling of such partitions by udev, hal, gnome-mount, etc.

Partitioning schema in the installer

The installer currently offers only one default partitioning scheme (swap and a single large partition for everything). It is impossible to anticipate reasonable sizes for several partitions, since that depends on what the computer will be used for. For the same reason we will only offer a similar default scheme, "Use entire disk with encryption", with the following layout:

Rationale:

The manual partitioner should offer both LUKS and plain dm-crypt (keeping the metadata in /etc/crypttab). Debian's current partman already offers everything we need for that.

Key management

The installer asks for a passphrase for each of the configured LUKS/dm-crypt partitions. At boot, the user is asked for the passphrase to set up the decrypted dm device, and booting continues without any further part of the system needing to care about encrypted partitions.
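To make the "Technology" and "Key management" points concrete, here is an added example (not code from this specification or from cryptsetup) that reads the metadata a LUKS1 header carries, which plain dm-crypt lacks: the magic, the cipher and hash, the UUID and the occupied key slots. It then derives the /etc/crypttab entry that unlocks the device by UUID at boot. The header bytes, the UUID and the iteration count are constructed for the example; the field offsets are those of the LUKS1 on-disk format.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # 6-byte magic at the start of the header
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = 592                      # size of a LUKS1 header in bytes

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_luks1_header(data):
    """Return the metadata a LUKS1 header carries, or raise if it is not one."""
    if len(data) < HEADER_LEN or data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS partition (magic mismatch or short read)")
    (version,) = struct.unpack(">H", data[6:8])
    if version != 1:
        raise ValueError("unsupported LUKS header version %d" % version)
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    slots = []
    for i in range(8):                # eight key slots of 48 bytes, starting at offset 208
        off = 208 + i * 48
        state, iterations = struct.unpack(">II", data[off:off + 8])
        if state == SLOT_ACTIVE:
            slots.append({"slot": i, "iterations": iterations})
        elif state != SLOT_DISABLED:
            raise ValueError("key slot %d has corrupt state 0x%08x" % (i, state))
    return {
        "cipher": _cstr(data[8:40]) + "-" + _cstr(data[40:72]),
        "hash": _cstr(data[72:104]),
        "key_bits": key_bytes * 8,
        "payload_offset_sectors": payload_offset,
        "uuid": _cstr(data[168:208]),
        "active_slots": slots,
    }

def crypttab_line(name, header):
    """Build the /etc/crypttab entry that unlocks this device by UUID at boot."""
    return "%s UUID=%s none luks" % (name, header["uuid"])

def build_sample_header():
    """Constructed sample header (not read from a real disk) for offline testing."""
    h = bytearray(HEADER_LEN)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    h[8:11], h[40:56], h[72:76] = b"aes", b"cbc-essiv:sha256", b"sha1"
    struct.pack_into(">II", h, 104, 2056, 32)       # payload at sector 2056, 256-bit key
    h[168:204] = b"0f3b8a1e-2c4d-4f6a-9b8c-1d2e3f4a5b6c"  # constructed UUID
    for i in range(8):
        struct.pack_into(">I", h, 208 + i * 48, SLOT_DISABLED)
    struct.pack_into(">II", h, 208, SLOT_ACTIVE, 12345)  # slot 0 holds a passphrase
    return bytes(h)

if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

Running `parse_luks1_header` over the first 592 bytes of a real partition tells a defender whether it is LUKS-formatted and how many passphrase slots are in use, without needing the passphrase itself.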

Implementation

Installer changes

Package changes

Migration

Since an on-the-fly migration to encrypted partitions is not reliable and always needs a backup, we will not offer a migration tool for now. The currently recommended way is to back up your data and reinstall from scratch. (This might get easier in the future; see "Outstanding Issues".)

Test/Demo Plan

To be added when the features are implemented.

Outstanding Issues

BoF agenda and discussion


CategorySpec

EncryptedFilesystemsInstaller (last edited 2008-08-06 16:21:59 by localhost)