Thursday, August 4, 2011

Protecting your files in Ubuntu Linux - encryption

I always use Truecrypt to protect my files in Windows.  When I moved to dual boot with Ubuntu, naturally I used Truecrypt too.  The lovely thing is that I can even use the same encrypted profile for Firefox.  Only extensions and plug-ins using native compiled code will not work, but those are not many.

Now that I haven't returned to Windows for months, I was looking for something better in Linux.  And yes, there is ecryptfs for Ubuntu.

Truecrypt presents a block device.  You give it a drive, a partition or a container file, it encrypts at the block level, and the volume is then formatted with an ordinary file system such as FAT or NTFS, exactly as an unencrypted disk would be.

I never wanted to encrypt the whole system; too risky unless I bought a new computer and started fresh.  Partitions are too troublesome because I had too many, inherited from rush jobs of upgrading the hard drives a couple of times.  So I use only large files as containers.

Container files of a few to 30 GB fill up sooner or later.  You end up with a couple of large files where you can fit things in, or you have to make bigger and bigger containers and set everything up all over again.

Truecrypt turns out to be quite reliable.  I had crashes because of the encrypted profiles I am constantly using, and the file container became unreadable.  Luckily Tc comes with its own disk repair utility, very much like the one in Windows, so I can fix my old FAT and NTFS containers even in Ubuntu.  I use old FAT for a reason: it is old and contains fewer traces.

ecryptfs is integrated into Ubuntu: the tools are installed, and an encrypted Private directory in your home is supported but not set up by default.  All you have to do is type in a terminal:

ecryptfs-setup-private

I don't remember whether I used this, but here it says it will ask you for your login password and generate a mount passphrase for you if you leave it blank.

That is it.  After you log in (with your password), you can access your encrypted files in Private as if they were unencrypted; the PAM module mounts them for you at login.  When you log out or power down, the directory is unmounted and nobody can, in theory, read your files without your passphrase.

There are tools to migrate ecryptfs to your whole home directory and even the whole system.  But it looks too risky for me.  Not that I know ecryptfs is risky; the way I do it will be risky.  You never know after upgrading from hard drive to hard drive and OS to OS.

The advantage of ecryptfs is that it's not a block device.  It is a stacked file system, a layer on top of an existing file system: for every plaintext file you see in the upper directory there is one encrypted file in the lower directory.  So you do not need to allocate space for a container; the Private directory grows just like any other directory.

Another critical feature of ecryptfs is that you can back up the encrypted files in .Private directly.  This is huge for incremental backups with existing tools such as rsync.  With Truecrypt you have to copy the whole 30 GB container every day, or mount the original container and then a backup container and back up incrementally, then unmount both afterwards.  In Linux you can just about do that without operator intervention, that is, while you are sleeping, but storing your passphrase somewhere in some form opens up chances for attack.  Remember to back up the key material in ~/.ecryptfs together with .Private; the ciphertext alone is useless without the mount passphrase.

The bad thing about Truecrypt is that you have to enter your passphrase every time you mount.  So it's at least two passwords, one for login and one for Tc.  It is even more troublesome in Linux: because mounting is a privileged action, you also enter your login password for sudo every time.  So there is less incentive to dismount and mount secret containers repeatedly.  For ecryptfs, you only need to log in once; the rest is automatic.

Encrypt Arbitrary Directory

Now of course you want to use folders other than Private in your home directory.  Say I want to store something encrypted on my massive external drive.  You may have the impression that ecryptfs only works on Linux file systems, but it works over any lower directory that Linux can mount read-write, including an NTFS drive mounted with ntfs-3g.  One practical limit: encrypted filenames are longer than the plaintext ones, so with filename encryption enabled, plaintext names longer than about 143 characters cannot be created.

The bad thing is that if you use any folder other than Private, mounting during login is not automatic.  You can automate it, but you probably don't want to, because automating it means storing the passphrase.  And it's conceptually simple to mount manually and unmount whenever you want.

To setup any folders, it is:

mkdir /home/myusername/secret
mkdir /home/myusername/.secret
chmod 700 /home/myusername/secret
chmod 700 /home/myusername/.secret

You can use any folder on any drive with a Linux-compatible file system.  Give the lower directory (.secret, which holds the ciphertext) mode 700 as well, so nobody else can copy or delete the encrypted files.  To mount it:

sudo mount -t ecryptfs /home/myusername/.secret /home/myusername/secret

ecryptfs will ask you for a passphrase, then for the cipher, key size and other parameters.  Use the defaults unless you have a reason not to; whatever you choose, you must supply exactly the same parameters on every later mount, so if you forget them you are stuck.

It will ask whether to enable filename encryption and then for the filename encryption key (FNEK) signature.  The default is the signature of the key derived from the mount passphrase, so if you accept it, all you ever need to recover your data is the mount passphrase.

The mount command is the same whether it is the first time or not.  So next time you will want to put the command in a script instead of entering all the parameters again:

sudo mount -t ecryptfs /home/myusername/.secret /home/myusername/secret -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes

Those are the default parameters, except that filename encryption is enabled.  If you don't encrypt the filenames, sometimes it's as good as not encrypting: if a filename is the official name of a song or movie, people know the content already, and it would not be difficult to prove what the encrypted content is.  Note that even with filename encryption, the number of files, their sizes and the directory layout remain visible in the lower directory.

To disable access to the decrypted files:

sudo umount /home/myusername/secret

You can do the same for Private without logging out, with ecryptfs-umount-private (and ecryptfs-mount-private to bring it back).
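Putting the setup, mount and unmount steps above into one script, as an added example that is not from the original post.  The paths are assumptions (override LOWER and UPPER), the option string is the one from the mount command above, and before calling mount the script checks that both directories are mode 700, that the mount point is empty and that it is not already an ecryptfs mount.

```bash
#!/bin/sh
# Added example (not from the original post): mount and unmount an arbitrary
# ecryptfs directory with the same explicit options every time, after a few
# sanity checks. LOWER/UPPER are assumed paths; override them in the environment.

LOWER="${LOWER:-$HOME/.secret}"   # ciphertext lives here (keep it mode 700)
UPPER="${UPPER:-$HOME/secret}"    # plaintext view appears here while mounted

# The options from the post's mount command, kept in one place: changing the
# cipher or key size later makes the existing files unreadable.
ecryptfs_opts() {
    printf '%s' 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes'
}

# Return 0 if DIR ($1) is currently an ecryptfs mount point. Reads /proc/mounts
# (fields: source target fstype options dump pass); $2 overrides the file for testing.
is_ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Create lower ($1) and upper ($2) directories if missing and force mode 700 on
# both: the upper dir is the plaintext view, the lower dir holds ciphertext that
# anyone with access could copy or delete. Refuse a non-empty upper dir, because
# files already in it would be hidden (not encrypted) for as long as the mount lasts.
prepare_dirs() {
    for d in "$1" "$2"; do
        mkdir -p "$d" && chmod 700 "$d" || return 1
    done
    [ -z "$(ls -A "$2")" ]
}

mount_secret() {
    if is_ecryptfs_mounted "$UPPER"; then
        echo "$UPPER is already mounted" >&2
        return 0
    fi
    prepare_dirs "$LOWER" "$UPPER" || {
        echo "refusing: $UPPER is not empty or not writable" >&2
        return 1
    }
    # mount.ecryptfs prompts for the passphrase on the terminal. If it warns that
    # this key has never been used before (it checks ~/.ecryptfs/sig-cache.txt)
    # and you expected existing files, you mistyped the passphrase: unmount and
    # retry, otherwise you start a second, separate set of files in LOWER.
    sudo mount -t ecryptfs "$LOWER" "$UPPER" -o "$(ecryptfs_opts)"
}

umount_secret() {
    sudo umount "$UPPER"
}

case "${1:-}" in
    mount)  mount_secret ;;
    umount) umount_secret ;;
    '')     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 mount|umount" >&2 ;;
esac
```

Run it as "sh mount-secret.sh mount" and "sh mount-secret.sh umount"; the passphrase is still typed interactively, which is the whole point of not automating it.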

Security

It should be noted that while the decrypted files are mounted, they are accessible to everybody according to the usual file permissions, i.e. whatever you set with

chmod ugo+rwx file/directory

That is, user, group and others can each be given read, write or execute access, so keep the mount point at mode 700.  Nothing protects you from the system administrator while the directory is mounted: root can read the plaintext, and it would be extremely hard to prevent that.  But it's all academic as Ubuntu is designed for personal computers and now portables and notebooks.

The main thing to worry about is malware that you downloaded and that runs with your own privileges: it sees the mounted directory exactly as you do.  That is far less common in Linux than in Windows, partly because of the much smaller number of users, and you should only install software from the official repositories.

File recovery

Normally, all you need is your encrypted files and your passphrase, called the mount passphrase.  It is not the file key itself: each file has its own key, stored wrapped in the file's header under a key derived from the mount passphrase, which is why the encrypted files plus the passphrase are sufficient.

For the auto-mounted Private there is a complication.  Your login password is not the key.  Your mount passphrase may have been entered by you or generated automatically, in which case you never even saw it.  For automount the mount passphrase has to be stored somewhere: it is encrypted with your login password and stored in ~/.ecryptfs/wrapped-passphrase.

To be sure you can decrypt your files later, you need to store the plain mount passphrase somewhere.  To get it (you will be asked for your login password):

ecryptfs-unwrap-passphrase /home/myusername/.ecryptfs/wrapped-passphrase

I print out the passphrase, put it in a secure sealed envelope, under the bottom of the tray, in a fire proof lockbox.

You can also copy the whole .ecryptfs directory to a USB drive or an SD card and put it in a safe place.  The wrapped passphrase in it is protected only by your login password, so treat that copy as sensitive.

Even with these complications, changing your login password is safe: the wrapped passphrase is re-encrypted automatically if you use the normal password change GUI or the passwd command as yourself, because the PAM module does it for you.  If an admin resets your password with passwd as root, that step is skipped and the wrapped passphrase stays encrypted under the old password; without the old password he cannot rewrap the mount passphrase.  You would then have to run ecryptfs-rewrap-passphrase with the old password, or fall back to the printed mount passphrase.
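Backing up and recovering Private with the pieces described here (ciphertext in ~/.Private, key material in ~/.ecryptfs), as an added example that is not from the original post.  It assumes the Ubuntu layout in which ~/.ecryptfs/Private.sig holds the mount key signature on its first line and the filename encryption key signature on its second, and that the recovery mount runs ecryptfs-add-passphrase and mount as the same user so the key is in the keyring that mount.ecryptfs consults; the backup destination is a placeholder.

```bash
#!/bin/sh
# Added example (not from the original post): back up an encrypted Private
# directory with rsync and rebuild the mount options needed to open that backup
# on another machine from ~/.ecryptfs/Private.sig. Paths are assumptions.

ECRYPTFS_DIR="${ECRYPTFS_DIR:-$HOME/.ecryptfs}"   # wrapped-passphrase, Private.sig, ...
LOWER="${LOWER:-$HOME/.Private}"                  # ciphertext, safe to copy as-is

# Print the plain mount passphrase (asks for the login password). Do this once,
# write it down and keep it offline: the wrapped copy is only as strong as the
# login password and is useless after a forgotten or admin-reset password.
print_mount_passphrase() {
    ecryptfs-unwrap-passphrase "$ECRYPTFS_DIR/wrapped-passphrase"
}

# Incremental backup of the ciphertext plus the key material. Both parts are
# needed for recovery: the ciphertext alone is worthless, and the key material
# alone is worthless without the login password or the printed passphrase.
backup_private() {
    dest=$1
    mkdir -p "$dest" &&
    rsync -a "$LOWER/" "$dest/.Private/" &&
    rsync -a "$ECRYPTFS_DIR/" "$dest/.ecryptfs/"
}

# Print "<key sig> [<fnek sig>]" from a Private.sig file (assumed layout: one
# 16-hex-digit signature per line, the second present only with filename
# encryption). Returns 1 on anything that does not look like a signature.
read_sigs() {
    key_sig=$(sed -n '1p' "$1")
    fnek_sig=$(sed -n '2p' "$1")
    [ -n "$key_sig" ] || return 1
    for s in $key_sig $fnek_sig; do
        case $s in *[!0-9a-f]*) return 1 ;; esac
        [ ${#s} -eq 16 ] || return 1
    done
    printf '%s' "$key_sig"
    if [ -n "$fnek_sig" ]; then printf ' %s' "$fnek_sig"; fi
    printf '\n'
}

# Mount options for opening the backed-up ciphertext without the PAM automount.
# Cipher and key size are the ecryptfs-setup-private defaults (aes, 16 bytes).
recovery_mount_opts() {
    sigs=$(read_sigs "$1") || return 1
    set -- $sigs
    opts="ecryptfs_sig=$1"
    if [ $# -ge 2 ]; then opts="$opts,ecryptfs_fnek_sig=$2"; fi
    printf '%s\n' "$opts,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no"
}

# Recovery on another machine: load the mount passphrase into the kernel keyring
# (prompted; --fnek also loads the filename-encryption variant), then mount the
# backup read-only. Assumption: both commands run as the same user (root via
# sudo here) so the key is in the keyring that mount.ecryptfs looks in.
recover_private() {
    backup=$1
    mnt=$2
    opts=$(recovery_mount_opts "$backup/.ecryptfs/Private.sig") || { echo "bad Private.sig" >&2; return 1; }
    sudo mkdir -p "$mnt" &&
    sudo ecryptfs-add-passphrase --fnek &&
    sudo mount -t ecryptfs -o "ro,$opts" "$backup/.Private" "$mnt"
}

case "${1:-}" in
    backup)  backup_private "${2:-}" ;;
    recover) recover_private "${2:-}" "${3:-}" ;;
    '')      ;;   # no argument: only define the functions
    *)       echo "usage: $0 backup DEST | recover BACKUP MOUNTPOINT" >&2 ;;
esac
```

The recovery path reads the signatures from the backup rather than asking for them, so a restore months later does not depend on remembering anything but the mount passphrase itself.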

Multiple passwords

If you mount the same lower directory with two different passphrases, you get two sets of encrypted files in it, each readable only with the passphrase that created it.  It somewhat fits my system of two passwords and three types of containers, depending on whether they need to be backed up or not, so I can put the files that need backing up together.  So there are two passwords and two containers, but still three types of files.

Tip: start from empty folders and copy things in gradually once you are familiar with it.  For example, if you mistype the passphrase, the mount still succeeds but shows an empty directory, and you will think you have screwed up everything.  mount.ecryptfs warns when a passphrase has never been used with this directory before (it keeps the known signatures in ~/.ecryptfs/sig-cache.txt); take that warning seriously and unmount before writing anything.

Protect swap space

Now it is a total solution, as the ecryptfs tools (with cryptsetup/dm-crypt underneath) can protect swap space too.  By its nature, hibernate and anything else that needs to read the swap back after a reboot will not work, because the swap is keyed with a fresh random key at every boot.

When you are multitasking, each application takes a lot of memory.  For the inactive ones, their memory is swapped out to disk to free some for other applications.  Because swap space is not encrypted unless you installed with whole-disk encryption, files or fragments of them may end up in swap in the clear.

This is particularly important if you edit your active client files every day.  If you have some secret file to hide without accessing it for months or years, you can ignore this.

The developers now understand that there has to be an easy-to-use total solution, or few will use it, no matter how official it is.

You need to install something extra:
sudo apt-get install ecryptfs-utils cryptsetup

and that's it:
sudo ecryptfs-setup-swap

You can check with swapon -s (or cat /proc/swaps) that your swap is now /dev/mapper/cryptswap1 rather than the raw partition, and that the cryptswap1 line in /etc/crypttab takes its key from /dev/urandom.  I did everything without any problem so far, and didn't notice any speed penalty except when copying movie files: about 7 MB/s on slow external disks.  Watching is no problem.
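A check that no plaintext swap is left active after ecryptfs-setup-swap, as an added example that is not from the original post.  The /proc/swaps and /etc/crypttab lines it parses are constructed samples in the form Ubuntu's ecryptfs-setup-swap produces; the mapping name cryptswap1 and the partition names are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): verify that every active swap
# area is a dm-crypt mapping keyed from /dev/urandom, which is what
# ecryptfs-setup-swap configures. File paths can be overridden for testing.

# Print active swap areas that are NOT under /dev/mapper, i.e. plaintext swap.
# $1 is the /proc/swaps file; its first line is a header.
plaintext_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }' "${1:-/proc/swaps}"
}

# Return 0 when crypttab entry NAME ($1) uses /dev/urandom as its key source and
# has "swap" among its options. A key file there would be a persistent key that
# survives reboots; /dev/urandom means a throwaway key, which is also why
# hibernate cannot resume from this swap. Comment lines are skipped.
crypttab_random_key() {
    awk -v n="$1" '
        $1 !~ /^#/ && $1 == n && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { ok = 1 }
        END { exit !ok }' "${2:-/etc/crypttab}"
}

# Overall check: no plaintext swap, and every /dev/mapper swap corresponds to a
# random-key crypttab entry. Prints what it found; returns 0 only if all is well.
swap_check() {
    swaps=${1:-/proc/swaps}
    crypttab=${2:-/etc/crypttab}
    status=0
    for dev in $(plaintext_swaps "$swaps"); do
        echo "plaintext swap active: $dev"
        status=1
    done
    for dev in $(awk 'NR > 1 && $1 ~ /^\/dev\/mapper\// { print $1 }' "$swaps"); do
        name=${dev#/dev/mapper/}
        if crypttab_random_key "$name" "$crypttab"; then
            echo "encrypted swap $dev: random key per boot (crypttab entry $name)"
        else
            echo "swap $dev is a mapping but has no random-key crypttab entry"
            status=1
        fi
    done
    return $status
}

# Run "sh swap-check.sh check" on the live system.
if [ "${1:-}" = check ]; then swap_check; fi
```

A swap file such as /swapfile shows up as plaintext too, which is the right answer: ecryptfs-setup-swap only replaces swap partitions.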
