UserDataEncryption
(DRAFT)
Created: 2014-11-05
Created by: Jamie Strandboge
Contributors: Jamie Strandboge, Marc Deslauriers, Tyler Hicks, John Johansen
Packages affected: linux, ecryptfs-utils, apparmor, unity8, etc
Status: Started
Introduction
As part of ProtectingUserData, Ubuntu plans to support encrypting data to protect against offline attacks (privacy leaks and theft). This will be implemented using eCryptfs.
"eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux" (man 7 ecryptfs). eCryptfs is a mature and flexible technology that has been used on Ubuntu Desktop and Server and other distributions for years.
Requirements
General Purpose
The technology selected should be able to work under the converged device strategy: phone, tablet, desktop and TV.
Secure
The technology shall focus on protecting user data (as opposed to system data) against theft and privacy leaks. It shall provide confidentiality. It may provide integrity.
The technology selected should be capable of providing strong protection against offline attacks (i.e., when the device is off or the user is not logged in).
In general, protection against online attacks (i.e., when the user is logged in and the data is decrypted) is out of scope. However, reasonable protections should be in place to prevent encryption key theft by, for example, AppStore applications.
Opt-in
User data encryption should be opt-in for the first iteration, with later iterations possibly enabling it by default.
Extendability
The technology selected should be capable of being extended for cryptographic hardware support or new requirements.
Reliability
The technology used should be reliable and should not corrupt user data.
Performance
The technology used should not have a noticeable impact on normal workloads. Normal workloads are those that do not have extremely high IO demands.
Simplicity
The technology used should not impose significant obstacles on the user and should be transparent to applications.
Supports multi-user/user profiles
To properly support the converged device strategy, the chosen technology should support multi-user environments and user profiles (e.g., 'work' and 'personal').
Why eCryptfs?
MORE HERE
Implementation
Initially
- encrypted HOME
- PAM
- swap
- greeter support
- User setup (opt-in)
AppArmor
- kernel keyring mediation
- policy to deny eCryptfs files and lower filesystem
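As an added illustration, and not a profile from this page or from Ubuntu's shipped policy, the fragment below shows what the "deny eCryptfs files and lower filesystem" item could look like for a confined application. It assumes the default ecryptfs-utils layout (wrapped passphrase and signature files under ~/.ecryptfs, ciphertext lower directory at ~/.Private, with both living under /home/.ecryptfs/<user>/ on an encrypted-home setup); the profile name and attach path are placeholders.

```apparmor
# Added example, not an Ubuntu-shipped profile. Profile name and binary path
# are placeholders; the deny rules assume the default ecryptfs-utils layout.
#include <tunables/global>

/opt/example/confined-app {
  #include <abstractions/base>

  # The app may use ordinary files in the user's (decrypted, upper) home.
  owner @{HOME}/** rwk,

  # eCryptfs control files: wrapped-passphrase and the signature files are
  # what an attacker would want in order to recover the mount key. Deny rules
  # take precedence over the allow rule above, and 'audit' logs any attempt.
  audit deny @{HOME}/.ecryptfs/** mrwkl,
  audit deny /home/.ecryptfs/** mrwkl,

  # The ciphertext lower filesystem: contents are encrypted, but file sizes,
  # counts and timestamps still leak, and writes there could corrupt the
  # decrypted view. Confined apps have no legitimate reason to touch it.
  audit deny @{HOME}/.Private/** mrwkl,
}
```

The symlinks ~/.ecryptfs and ~/.Private resolve into /home/.ecryptfs/<user>/, which is why both the home-relative and the absolute paths are denied. A denial shows up in the kernel log as an `apparmor="DENIED"` audit line, which is the check to run after loading the profile: accessing `~/.ecryptfs/wrapped-passphrase` from the confined app should fail and log, while normal files in the home directory remain accessible.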
Future
- Plugin support for cryptographic hardware
- Migration
Concerns
- Software-only
- MORE HERE
- One password (cumbersome or insecure)
  - Future: two passwords (optional; strong login and weaker lockscreen; usability issues)
- /tmp/files (TMPDIR set to /run for click apps)
Questions
- Why not dm-crypt?
  - TODO
- Why not full disk encryption?
  - TODO
- Why not the new ext4 native encryption?
  - TODO
- Hardware support?
  - TODO (reference above)
Conclusion
eCryptfs is a capable and proven technology in Ubuntu and elsewhere to encrypt user data. It is flexible, ready to use now, has reasonable performance characteristics and allows an upgrade to ext4 native encryption if/when that becomes available. When completed, Ubuntu will have a usable and comprehensive encryption solution.
SecurityTeam/Specifications/UserDataEncryption (last edited 2014-11-12 20:59:32 by jdstrand)