openFATE - openSUSE feature tracking > #312258

Ubuntu style encrypted home directories

Feature state

openSUSE Distribution: Rejected

Description

Ubuntu has a very neat and useful implementation of encryption for users. Using ecryptfs they allow for each user to have his/her data encrypted without requiring one master password being entered at boot time. It is unlocked along with your regular login making it entirely seamless.

It would be nice to see similar functionality easily available when creating users in openSUSE.

Discussion


R. U. wrote: (6 years ago)

I was not convinced using ecryptfs some time ago. Really large file quantities in ~user will break performance of ecryptfs. I think of better integrated pam_mount capabilities of openSUSE at install time: Using the luks extension you are able to have nearly the features of ecryptfs, but sudo users can look into all ~user.

J. E. wrote: (5 years ago)

Alternatively, encfs also comes to mind, which does not require keeping around a non-shrinkable crypto container. (pam_mount suggests that.)

N. U. wrote: (6 years ago)

Encryption is very often seen as a "bolt-on" feature. You "bolt on" an encrypted filesystem and (gee-whiz presto!) now you've bolted on security.

That is a classic mistake.

I think it makes most sense for openSUSE to support one or more common use cases for encryption solutions. And a not-very-threatening threat model.

Just for a quick example: User has laptop and frequents airports and coffeeshops. Threat is opportunistic laptop thief. Attacker is sophisticated enough to use a canned program to scan through a Windows FAT or NTFS volume looking for logins and credit card numbers on stolen laptops. Now we can vary that example a little bit? Suppose the canned program is upgraded to handle ext{2,3,4} filesystems. The threat is still a relatively unsophisticated attacker, who uses off-the-shelf tools. Potential vulnerability is still exposure of cleartext login credentials and credit card numbers. Potential impact --while severe enough to the victim-- is not life-threatening, and probably limited to less than a million dollars financial loss.

I think openSUSE can settle on a preferred stock solution for a use case/threat model (implied risk level) like that rough example. Beyond that though, I'm worried that "bolt on" encryption "solutions" substitute marketing features for necessary analysis.

d. i. wrote: (5 years ago)

I also would like to see ecryptfs in openSUSE available at install and user creation time.

M. M. wrote: (5 years ago)

openSUSE 12.2 is pretty much set up for this now.
The only condition required is that you install the ecryptfs-utils RPM; it will hook itself into PAM. (This is a bit of an issue, as pam-config still puts it in the wrong place, but in general it might work.)

Then set up the encrypted private directory once.

S. W. wrote: (5 months ago)

The installer also needs to support it.

ecryptfs is useful for multi-user setups, LUKS is not useful in these cases

Last change: 5 months ago
Voting
Score: 11
  • Negative: 4
  • Neutral: 1
  • Positive: 15