[New: openFATE 312258] Ubuntu style encrypted home directories
Feature added by: David Nielsen (DavidNielsen)

Feature #312258, revision 1
Title: Ubuntu style encrypted home directories

openSUSE Distribution: Unconfirmed
Priority
Requester: Desirable

Requested by: David Nielsen (davidnielsen)
Partner organization: openSUSE.org

Description:
Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unloed along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE.

--
openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: David Nielsen (DavidNielsen) Feature #312258, revision 2 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot - time. It is unloed along with your regular login making it entirely + time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Ralph Ulrich (ulenrich) Feature #312258, revision 4 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. + Discussion: + #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) + I was not convinced using ecryptfs some time ago. Really large file + quantities in ~user will break performance of ecryptfs. I think of a + better integrated pam_mount capabilities of openSUSE at install time: + Using luks extension you are able to have nearly the features of + ecryptfs, but sudo users can look into all ~user. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Ned Ulbricht (ned_ulbricht) Feature #312258, revision 5 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. + #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) + Encryption is very often seen as "bolt-on" feature. You "bolt on" an + encrypted filesystem and (gee-whiz presto!) now you've bolted on + security. + That is a classic mistake. + I think it makes most sense for openSUSE to support one or more common + use cases for encryption solutions. And a not-very-threatening threat + model. + Just for quick example: User has laptop and frequents airports and + coffeeshops. Threat is opportunistic laptop thief. Attacker is + sophisticated enough to use a canned program to scan through Windows + FAT or NTFS volume looking for logins and credit card numbers on stolen + laptops. Now we can vary that example a little bit? Supposed canned + program is upgraded to handle ext{2,3,4} filesystems. The threat is + still a relatively unsophisticated attacker, who uses off-the-shelf + tools. 
Potential vulnerability is still exposure of cleartext login + credentials and credit card numbers. Potential impact --while severe + enough to the victim-- is not life-threatening, and probably limited to + less than a million dollars financial loss. + I think openSUSE can settle on a preferred stock solution for a use + case/threat model (implied risk level) like that rough example. Beyond + that though, I'm worried that "bolt on" encryption "solutions" + substitute marketing features for necessary analysis. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Jan Engelhardt (jengelh) Feature #312258, revision 7 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. + #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) + Alternatively, encfs also comes to mind, which does not require keeping + around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? 
Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: damian ivanov (damianator) Feature #312258, revision 8 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? 
Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. + #4: damian ivanov (damianator) (2012-05-24 16:12:21) + I also would like to see ecryptfs in openSUSE available at install and + user creation time -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Marcus Meissner (msmeissn) Feature #312258, revision 9 Title: Ubuntu style encrypted home directories openSUSE Distribution: Unconfirmed Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? 
Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. #4: damian ivanov (damianator) (2012-05-24 16:12:21) I also would like to see ecryptfs in openSUSE available at install and user creation time + #5: Marcus Meissner (msmeissn) (2012-09-13 16:04:18) + openSUSE 12.2 is pretty much set up for this now. The only condition + required is that you install the ecryptfs-utils RPM, it will hook + itself into PAM. (this is a bit an issues as pam-config puts it in the + wrong place still, but in general it might work) + Then set up the encrypted private directory once. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Karl Cheng (qantas94heavy) Feature #312258, revision 10 Title: Ubuntu style encrypted home directories - openSUSE Distribution: Unconfirmed + openSUSE Distribution: New Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? 
Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. #4: damian ivanov (damianator) (2012-05-24 16:12:21) I also would like to see ecryptfs in openSUSE available at install and user creation time #5: Marcus Meissner (msmeissn) (2012-09-13 16:04:18) openSUSE 12.2 is pretty much set up for this now. The only condition required is that you install the ecryptfs-utils RPM, it will hook itself into PAM. (this is a bit an issues as pam-config puts it in the wrong place still, but in general it might work) Then set up the encrypted private directory once. -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Sebastian Wagner (sebix) Feature #312258, revision 11 Title: Ubuntu style encrypted home directories openSUSE Distribution: New Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? 
Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. #4: damian ivanov (damianator) (2012-05-24 16:12:21) I also would like to see ecryptfs in openSUSE available at install and user creation time #5: Marcus Meissner (msmeissn) (2012-09-13 16:04:18) openSUSE 12.2 is pretty much set up for this now. The only condition required is that you install the ecryptfs-utils RPM, it will hook itself into PAM. (this is a bit an issues as pam-config puts it in the wrong place still, but in general it might work) Then set up the encrypted private directory once. + #6: Sebastian Wagner (sebix) (2017-06-21 15:10:07) + The installer also needs to support it. + ecryptfs is useful for multi-user setups, LUKS is not useful in these + cases -- openSUSE Feature: https://features.opensuse.org/312258
Feature changed by: Tomáš Chvátal (scarabeus_iv) Feature #312258, revision 13 Title: Ubuntu style encrypted home directories - openSUSE Distribution: New + openSUSE Distribution: Rejected by Tomáš Chvátal (scarabeus_iv) + reject reason: We don't have resources to tweak the installer for this. + Feel free to create pullrequest tho. Priority Requester: Desirable Requested by: David Nielsen (davidnielsen) Partner organization: openSUSE.org Description: Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless. It would be nice to see similar functionality easily available when creating users in openSUSE. Discussion: #1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54) I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of a better integrated pam_mount capabilities of openSUSE at install time: Using luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user. #3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1) Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.) #2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45) Encryption is very often seen as "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security. That is a classic mistake. I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model. Just for quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. 
Attacker is sophisticated enough to use a canned program to scan through Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? Supposed canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss. I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis. #4: damian ivanov (damianator) (2012-05-24 16:12:21) I also would like to see ecryptfs in openSUSE available at install and user creation time #5: Marcus Meissner (msmeissn) (2012-09-13 16:04:18) openSUSE 12.2 is pretty much set up for this now. The only condition required is that you install the ecryptfs-utils RPM, it will hook itself into PAM. (this is a bit an issues as pam-config puts it in the wrong place still, but in general it might work) Then set up the encrypted private directory once. #6: Sebastian Wagner (sebix) (2017-06-21 15:10:07) The installer also needs to support it. ecryptfs is useful for multi-user setups, LUKS is not useful in these cases -- openSUSE Feature: https://features.opensuse.org/312258