Mailinglist Archive: opensuse-features (199 mails)

[openFATE 312258] Ubuntu style encrypted home directories
Feature changed by: Sebastian Wagner (sebix)
Feature #312258, revision 11
Title: Ubuntu style encrypted home directories

openSUSE Distribution: New
Priority
Requester: Desirable

Requested by: David Nielsen (davidnielsen)
Partner organization: openSUSE.org

Description:
Ubuntu has a very neat and useful implementation of encryption for
users. Using ecryptfs they allow for each user to have his/her data
encrypted without requiring one master password being entered at boot
time. It is unlocked along with your regular login making it entirely
seamless.
It would be nice to see similar functionality easily available when
creating users in openSUSE.

Discussion:
#1: Ralph Ulrich (ulenrich) (2011-04-26 13:05:54)
I was not convinced using ecryptfs some time ago. Really large file
quantities in ~user will break performance of ecryptfs. I think of a
better integrated pam_mount capabilities of openSUSE at install time:
Using luks extension you are able to have nearly the features of
ecryptfs, but sudo users can look into all ~user.

#3: Jan Engelhardt (jengelh) (2012-05-10 06:38:13) (reply to #1)
Alternatively, encfs also comes to mind, which does not require keeping
around a non-shrinkable crypto container. (pam_mount suggests that.)

#2: Ned Ulbricht (ned_ulbricht) (2011-04-26 16:15:45)
Encryption is very often seen as a "bolt-on" feature. You "bolt on" an
encrypted filesystem and (gee-whiz presto!) now you've bolted on
security.
That is a classic mistake.
I think it makes most sense for openSUSE to support one or more common
use cases for encryption solutions. And a not-very-threatening threat
model.
Just for a quick example: User has a laptop and frequents airports and
coffeeshops. Threat is opportunistic laptop thief. Attacker is
sophisticated enough to use a canned program to scan through Windows
FAT or NTFS volume looking for logins and credit card numbers on stolen
laptops. Now we can vary that example a little bit? Suppose the canned
program is upgraded to handle ext{2,3,4} filesystems. The threat is
still a relatively unsophisticated attacker, who uses off-the-shelf
tools. Potential vulnerability is still exposure of cleartext login
credentials and credit card numbers. Potential impact --while severe
enough to the victim-- is not life-threatening, and probably limited to
less than a million dollars financial loss.
I think openSUSE can settle on a preferred stock solution for a use
case/threat model (implied risk level) like that rough example. Beyond
that though, I'm worried that "bolt on" encryption "solutions"
substitute marketing features for necessary analysis.

#4: damian ivanov (damianator) (2012-05-24 16:12:21)
I also would like to see ecryptfs in openSUSE available at install and
user creation time

#5: Marcus Meissner (msmeissn) (2012-09-13 16:04:18)
openSUSE 12.2 is pretty much set up for this now. The only condition
required is that you install the ecryptfs-utils RPM, it will hook
itself into PAM. (This is a bit of an issue, as pam-config still puts it
in the wrong place, but in general it might work.)
Then set up the encrypted private directory once.

+ #6: Sebastian Wagner (sebix) (2017-06-21 15:10:07)
+ The installer also needs to support it.
+ ecryptfs is useful for multi-user setups, LUKS is not useful in these
+ cases




--
openSUSE Feature:
https://features.opensuse.org/312258
