Ubuntu

Improve support for encrypted file systems

Registered by Martin Pitt on 2007-10-19

The Gutsy Gibbon Alternate installer introduced the possiblity to configure encrypted devices (with cryptsetup/LUKS and dm-crypt) and offers a standard partman recipe ("Use entire disk with encryption"). For Hardy we want to review how we can improve this, in particular:

* Provide support for it in ubiquity
* Offer encryption support for autoresizing and "automatically partition free space" modes, too.
* Consider support for key files (on USB sticks, etc) instead of/in addition to passphrases.

Read the full specification

Blueprint information

Status:: Complete

Approver:: Scott James Remnant (Canonical)

Priority:: Low

Drafter:: Martin Pitt

Direction:: Needs approval

Assignee:: Evan

Definition:: Superseded

Series goal:: Accepted for hardy

Implementation:: Not started

Milestone target:: None

Completed by: Martin Pitt on 2008-12-15

Related branches

Related bugs

Bug #110970: When mounting encrypted drives the password should be asked for graphically and not in text mode	Fix Released
Bug #139057: Should try given password for next partition	Triaged
Bug #155987: Installer doesn't support mounting existing encryption volumes	Triaged
Bug #175161: No support for LUKS volumes	Fix Released
Bug #245399: Desktop installer should have an encrypted LVM option	Fix Released
Bug #432785: add support to ecryptfs-setup-swap for keyed hibernation	Won't Fix

Sprints

Whiteboard

pitti, 2007-11-13: Evan, Colin, Reinhard, can you please read the current spec and give some review feedback? TIA
evand, 2007-11-13: Looks good wrt Ubiquity.
siretart, 2007-11-16: looks great!
keybuk, 2007-11-20: Pending Approval - want colin to have a quick read first
kamion, 2007-11-20: I'm good
keybuk, 2007-11-22: Changed assignee to evan since the bulk of the work will be his, and it makes more sense for him to get pitti to fill in the other bits and chase -- than it does for pitti to chase evan
nigelr 2008-01-20: The current installer doesn't support AES-LRW mode, which is probably the best scheme available at the moment. Any methods for setting up encryption during install should offer this as the (default) option.
RvD 2008-02-03: Actually, LRW falls back to ECB-'security' when the encryption key is stored plain on the partition encrypted with it (crypto-swap with working hibernate)
Thus, AES-XTS is the new secure standard - and implemented in 2.6.24, too.

2008-12-15 pitti: obsoleted by encrypted-home-directory, ecryptfs is more suitable on desktops.
2012-06-28 xnox: obsoleted by ongoing work on LUKS/LVM ubiquity spec, if there is anything else left here, open wishlist bugs against correct packages.

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Andre Hook

Artem Popov

Chad Sellers

Chris Jones

Christian Schürer-Waldheim

Colin Watson

Emilio Pozuelo Monfort

Evan

Florent

Guido Trotter

Hendrik van Antwerpen

Jamie Strandboge

Jeff Bailey

Joe Jaxx

Kees Cook

Khashayar Naderehvandi

kiu

Kolargol00

Lucas

Luka Renko

Luke Yelavich

Martin Albisetti

Matt T. Proud

Matti Lindell

Nicolas DERIVE

Nigel Roberts

Nikolaus Rath

Ove Risberg

Reinhard Tartler

Robert Collins

Sebastian Heinlein

Shadows_Friend

Steve Langasek

Tobias Bradtke

Tom Ellis

Tony Yarusso

Torsten Spindler

William Grant