ServerKarmicEncryptedSwap

Summary

Ubuntu installations with Home Directory Encryption selected should encrypt swap space and disable hibernation capabilities.

Release Note

Ubuntu now provides support for encrypted home directories as part of the desktop installation.

Rationale

Security-conscious users want to encrypt their home directories to guard against information theft if their computer is lost or stolen. We provided this option during the development of Ubuntu 9.04, but the security team asked us to remove it because, without encrypted swap, the private keys could end up stored on disk in the clear.

User stories

  • Joseph leaves his laptop in a conference room at UDS and it is stolen. This laptop had his private GPG key on it.

Assumptions

Design

The existing design for this option in ubiquity will be used.

Implementation

  • Integrate ecryptfs-setup-swap into the installer, fixing the bug causing it to only support a single swap device in the process.

  • Change the default value of user-setup/encrypt-home to true.

  • Disable hibernation when encrypted swap is enabled, using the same method that Wubi uses.
  • Document that hibernation is disabled when encrypted swap is enabled.

Test/Demo Plan

Unresolved issues

  • Hibernation could technically be supported, but the suggested implementations all had issues preventing them from being used, so it is deferred until someone steps up to solve the problem of resuming from hibernation with encrypted swap.

UDS Raw Notes

  • prevent leakage of data from the encrypted home directory when it is written to swap
  • main use case: hibernate
  • karmic suggested implementation:
    1. encrypted home in installer -> set up swap encryption (ecryptfs-setup-swap), document hibernation incompatibility
    2. randomly generate key on boot (no passphrase wrapping)
    3. open wishlist bug for hibernation resume support
      • algorithm: wrap randomly generated password with PAM system passphrase on login (for multiple users), store in LUKS keyslot
      • teach resume scripts to prompt for user's wrapping passphrase on resume, decrypt swap, resume
      • hard, so not deliverable for karmic
  • possible regressions and workarounds:
    • /tmp contents are still viewable, worked around in short term by using tmpfs for /tmp when system has some amount X of RAM, worked around in long term by moving /tmp into ~/.tmp
  • implementation:
    • need UI changes to Applications > Accessories > Passwords and Encryption Keys

  • additional notes:
    • see who is using encrypted home and encrypted swap
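The installer steps listed under Implementation and the "randomly generate key on boot (no passphrase wrapping)" scheme in the raw notes both come down to one property an administrator can check after install: every active swap device is a dm-crypt mapping whose crypttab entry takes its key from /dev/urandom. The POSIX sh audit below is an added example written for this page; it is not part of the spec, of ubiquity or of ecryptfs-setup-swap. The /proc/swaps and /etc/crypttab contents are constructed samples, and the mapping name cryptswap1 and the cipher option are assumptions about what the setup tool writes. The sample deliberately includes a second, plain swap partition to show the multi-swap case the first Implementation bullet refers to.

```shell
#!/bin/sh
# Added example, not from the original spec: audit whether every active swap
# device is backed by a dm-crypt mapping keyed from /dev/urandom (random key
# on boot, no passphrase wrapping). Sample inputs are constructed; the
# crypttab column layout (name, device, keyfile, options) is the real one.

# Constructed /proc/swaps content: one encrypted mapping plus a plain
# partition that a single-device setup tool would have missed.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 2097148 0 -1
/dev/sda6 partition 1048572 0 -2'

# Constructed /proc/swaps content for the fully encrypted case.
SAFE_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 2097148 0 -1'

# Constructed /etc/crypttab; mapping name and cipher option are assumptions.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptswap1 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256'

# audit_swap SWAPS_TEXT CRYPTTAB_TEXT
# Prints one finding per swap device and returns 0 only when every device is
# a /dev/mapper mapping whose crypttab key file is /dev/urandom.
audit_swap() {
    swaps="$1"
    crypttab="$2"
    status=0
    # Skip the /proc/swaps header line; column 1 is the device path.
    for dev in $(printf '%s\n' "$swaps" | tail -n +2 | awk '{ print $1 }'); do
        case "$dev" in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                # Key-file column of the crypttab entry for this mapping.
                key=$(printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print $3 }')
                if [ "$key" = "/dev/urandom" ]; then
                    echo "$dev: encrypted swap with a random per-boot key (ok)"
                else
                    echo "$dev: mapped but keyed from '${key:-<no crypttab entry>}' (check)"
                    status=1
                fi
                ;;
            *)
                echo "$dev: PLAIN swap, memory contents can reach disk in the clear"
                status=1
                ;;
        esac
    done
    return $status
}

# Usage against the constructed samples; on a live system pass
# "$(cat /proc/swaps)" and "$(cat /etc/crypttab)" instead.
audit_swap "$SAMPLE_SWAPS" "$SAMPLE_CRYPTTAB" \
    || echo "swap audit: at least one swap device is not safely encrypted"
```

A non-zero return here is exactly the situation the Rationale describes: a plain swap device means key material from the encrypted home can be paged out unprotected, so the installer change only helps if every swap device ends up in crypttab.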


CategorySpec

ServerKarmicEncryptedSwap (last edited 2009-06-18 16:03:56 by cpc4-slam5-2-0-cust9)