2010-05-07

User Home encryption on Ubuntu 10.04 Lucid Lynx

As I mentioned earlier, encrypting a user's home folder is ultra easy now in Ubuntu, at least when creating a new user (switching an existing user over to an encrypted home is still pretty complicated). Just go to Users and Groups to add a new user, making sure to tick the check-box option that enables encryption.

But that's not good enough. You need to encrypt your swap partition as well, since anything in RAM can be paged out to the swap partition on disk in the clear and read back later. Turns out this is easy to do in Ubuntu as well.

You'll need to install cryptsetup from the Synaptic Package Manager, and ecryptfs must already be installed as well (it had to be, for encrypted user folders to be enabled in the first place, but I just can't recall whether it was installed as part of the standard Lucid Lynx distribution or whether I had installed it myself afterwards...).

Once cryptsetup is installed, just run sudo ecryptfs-setup-swap. Read the warning it throws up: it explains that, at this time, hibernation is incompatible with encrypted swap (suspend works fine). Then indicate your agreement (or decline, to cancel the procedure).

You don't need to log out or anything. This command works on its own, or at least it did for me without any special prior setup. Once that's done, you can verify it with less /etc/fstab: the original swap entry should have been commented out and a new encrypted device set up for swap in its place.
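To check that fstab change rather than eyeball it, here is an added example (my own, not from the post or from the ecryptfs project): a small sh script that reports any plaintext swap entry still active in an fstab file, or no swap entry at all, and accepts a /dev/mapper/cryptswap* device as the encrypted replacement. The UUIDs and device names in its sample fstabs are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check that an fstab file shows
# the switch-over ecryptfs-setup-swap is expected to leave behind, i.e. the
# original swap entry commented out and a /dev/mapper/cryptswap* device used
# as swap in its place. All UUIDs and device names below are constructed.

# check_fstab_swap FILE: returns 0 when the only active swap entries are
# cryptswap mappings, 1 when plaintext swap is still active or none is set up.
check_fstab_swap() {
    fstab="$1"
    # Count active (uncommented) entries whose fs type field ($3) is "swap",
    # split by whether the device ($1) is a cryptswap mapping or not.
    plain=$(awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\/cryptswap/ { n++ } END { print n + 0 }' "$fstab")
    crypt=$(awk '$1 !~ /^#/ && $3 == "swap" && $1 ~ /^\/dev\/mapper\/cryptswap/ { n++ } END { print n + 0 }' "$fstab")
    if [ "$plain" -gt 0 ]; then
        echo "WARNING: $plain plaintext swap entry(ies) still active in $fstab"
        return 1
    elif [ "$crypt" -eq 0 ]; then
        echo "WARNING: no swap entry in $fstab; encrypted swap not set up?"
        return 1
    fi
    echo "OK: $crypt encrypted swap entry(ies) and no plaintext swap in $fstab"
    return 0
}

# Constructed sample of an fstab before ecryptfs-setup-swap was run.
FSTAB_BEFORE='UUID=1111-aaaa /    ext4 errors=remount-ro 0 1
UUID=2222-bbbb none swap sw               0 0'

# Constructed sample after: the swap line commented out, cryptswap1 in its place.
FSTAB_AFTER='UUID=1111-aaaa /    ext4 errors=remount-ro 0 1
#UUID=2222-bbbb none swap sw               0 0
/dev/mapper/cryptswap1 none swap sw 0 0'

# Write one of the samples to a temp file and run the check on it.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    check_fstab_swap "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
if [ $# -gt 0 ]; then
    check_fstab_swap "$1"                 # e.g. sh check-swap.sh /etc/fstab
else
    check_sample "$FSTAB_BEFORE" || true  # expected: WARNING (plaintext swap)
    check_sample "$FSTAB_AFTER"           # expected: OK
fi
```

Run it as sh check-swap.sh /etc/fstab to check the real file; /proc/swaps shows which swap devices are actually active right now.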

Once that's done, you should look into securely erasing the free space on the swap and root volumes, to ensure anything sensitive that has "spilled" out of encryption containment in the past gets cleaned up now. You'll need the secure-delete package of tools, specifically sfill and sswap. See this answer for details.

[Edit: Actually, I recommend looking into securely erasing the free space on swap before encrypting it.  Would've made the process just a tad bit more convenient.]
