Encrypted Ubuntu One
Disclaimer
This is known to work in Oneiric (11.10); earlier versions don’t work due to an inotify bug.
This document is provided AS IS. The author assumes no liability in case any sort of data loss occurs, but will be very interested in hearing about such a case. As always, before panicking, check the Trash directory: since Natty, Ubuntu One deletes files to Trash instead of wiping them from the file system.
Update: The fix for this issue is in Ubuntu 12.04 so no PPA is needed now.
About encryption
A lot of Ubuntu One users were asking about the security of Ubuntu One. The official answer is available at the Ubuntu One FAQ but you need to know that although the data is sent over encrypted connections between the servers and clients, it is not encrypted when stored. This allows you to publish the files, share them with other users and access the data via the REST API.
This may not be obvious, but when you ask the installer to encrypt your /home directory, all applications that run within the context of your user (such as the browser, e-mail client, or any syncing software) have access to the unencrypted versions of the files. This protection comes in handy when you lose access to the computer's hard drive (e.g. when it is stolen or the HDD is sent out to be replaced/repaired), but anything you run under your account will work with decrypted files.
It is possible to use some sort of encrypted container, such as TrueCrypt. The drawback of this method is that you will need to upload the whole container even if you have changed just one byte. Even if Ubuntu One supported delta uploads, changing some subset of data in a really secure container would affect quite a large area, in order to conceal the actual location of the changed bytes.
Another way is to encrypt each file separately and upload the changes as they happen by monitoring the files. This creates two copies of the files: one is encrypted and the other is not. See this example for such a solution involving the REST API.
But I wanted to use the tools already available in Ubuntu. The aforementioned technology of /home directory encryption is based on eCryptFS – a layered encrypted file system implemented in the kernel itself. I wanted to be able to share some subset of files as well as keeping some of them private to my machines (while synced to the cloud).
Unfortunately, my first attempt to use eCryptFS-driven ~/.Private UDF (User Designated Folder) was not successful – the kernel was not sending inotify events (LP:773260) to the subscribers which meant that I needed to ask the synchronization software to rescan the files every time I modified the files. The kernel issue has been fixed but now Ubuntu One gets notified about changes in encrypted directories and it does not expect this type of notification (LP:872894).
Fortunately, a simple patch for Ubuntu One is sufficient to enable correct interaction with encrypted directories and I have created a PPA (ppa:rye/u1lp872894) which contains the forks of the currently released Ubuntu One client with this patch applied.
Contrary to how it looks, eCryptFS does not use your account password to decrypt your data. If it did, you would need to re-encrypt all the files every time you changed your password. Instead, your account password is used to encrypt and decrypt the real mount pass phrase, stored in ~/.ecryptfs/wrapped-passphrase.
You want to be able to decrypt your data later on (possibly) another machine, so you will need to know the pass phrase. When you set up a private eCryptFS directory, you will be prompted for it or you can set it manually. In any case you will be able to decrypt it using the ecryptfs-unwrap-passphrase application. Write the key down somewhere in a secure place – we will need that.
Setting it up
In order to set up a private directory, you will just need to run the following:
    $ ecryptfs-setup-private
    Enter your login passphrase: <type your account password>
    Enter your mount passphrase [leave blank to generate one]: <just Enter>
    ************************************************************************
    YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
      ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
    THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
    ************************************************************************
    Done configuring.
    Testing mount/write/umount/read...
    Inserted auth tok with sig [de5cb8a79d96b6e4] into the user session keyring
    Inserted auth tok with sig [87a5b4a8514fdcc9] into the user session keyring
    Inserted auth tok with sig [de5cb8a79d96b6e4] into the user session keyring
    Inserted auth tok with sig [87a5b4a8514fdcc9] into the user session keyring
    Testing succeeded.
    Logout, and log back in to begin using your encrypted directory.
So, now we have ~/.Private directory set up with a random pass phrase. Let’s find out what the pass phrase really is (as the ALL CAPS warning above tells us):
    $ ecryptfs-unwrap-passphrase
    Passphrase: <type your account password>
    d5da6e5eaf98d8f2b0a481995710b57e
The d5da6e5eaf98d8f2b0a481995710b57e string is our real mount pass phrase in this case. Now you are ready to ask Ubuntu One to enable syncing of ~/.Private folder:
Now verify that the folder has been created, make sure that you have ubuntuone-client version 3.0 (or 2.0.0-0ubuntu2.2+lp872894 installed from the PPA) and restart the client.
Put some file into your ~/Private folder. By default eCryptFS encrypts file names too, so when the sync completes, you will find something like
    ECRYPTFS_FNEK_ENCRYPTED.FXYl0wXfbLRRD-S7MDeYn8SYOWt.3exR-KbLnhYMpLY8ZwrgYH6xb8MBtBSjZQS9Hfvjo5BYEvrowNc-
in the ~/.Private folder and on the web interface at https://one.ubuntu.com/files/.
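Only what sits in ~/.Private is uploaded, so it is worth confirming that everything there really is eCryptFS output. The script below is an added example, not part of the original post or of Ubuntu One: it flags entries whose names lack the ECRYPTFS_FNEK_ENCRYPTED. prefix and files that lack the eCryptFS header marker. The function names and the script name are made up for illustration, and it assumes the default ecryptfs-setup-private layout.

```shell
#!/bin/sh
# Added example: audit an eCryptFS lower directory (e.g. ~/.Private) that a
# sync client uploads. Assumes the default ecryptfs-setup-private layout: file
# name encryption on, metadata header stored inside each lower file.
PREFIX='ECRYPTFS_FNEK_ENCRYPTED.'
MAGIC=$((0x3c81b7f5))   # MAGIC_ECRYPTFS_MARKER in the kernel's eCryptFS code

# List entries under $1 whose name was not produced by file name encryption.
plaintext_names() {
    find "$1" -mindepth 1 ! -name "${PREFIX}*" -print
}

# Succeed if file $1 carries the eCryptFS header marker: after the 8-byte
# size field come 4 random bytes m1, then m1 XOR MAGIC (both big-endian).
has_ecryptfs_marker() {
    hex=$(od -An -tx1 -j8 -N8 "$1" 2>/dev/null | tr -d ' \n')
    [ "${#hex}" -eq 16 ] || return 1      # file is shorter than 16 bytes
    h1=${hex%????????}; h2=${hex#????????}
    m1=$((0x$h1)); m2=$((0x$h2))
    [ "$((m1 ^ m2))" -eq "$MAGIC" ]
}

# List non-empty regular files under $1 without the marker, i.e. content
# that would be uploaded as-is. Names containing newlines are not handled.
unencrypted_files() {
    find "$1" -type f -size +0 -print | while IFS= read -r f; do
        has_ecryptfs_marker "$f" || printf '%s\n' "$f"
    done
}

# Report both kinds of finding; exit status 0 only when there are none.
audit_lower_dir() {
    names=$(plaintext_names "$1")
    files=$(unencrypted_files "$1")
    [ -z "$names" ] || printf 'name not encrypted:\n%s\n' "$names"
    [ -z "$files" ] || printf 'no eCryptFS header:\n%s\n' "$files"
    [ -z "$names$files" ]
}

# Usage (audit.sh is a hypothetical script name): sh audit.sh ~/.Private
if [ "$#" -gt 0 ]; then audit_lower_dir "$1"; fi
```

A non-zero exit status means something was written directly into the lower directory instead of through the ~/Private mount, and the sync client would upload it unencrypted.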
Multiple machines
OK, now that files are syncing, you can set up the Private directory on another Ubuntu machine and you will be able to access the encrypted files created on the first machine.
I have to say that this does not work extremely well when you edit the same file on both machines. eCryptFS seems to have some caching in place that prevents the updated lower file from being immediately available on another machine. If you use the machines sequentially (e.g. home machine and laptop you are carrying around) then this should not be a problem.
So, make sure that the other machine is also running the version that has the fix for eCryptFS and set up the private folder:
    $ ecryptfs-setup-private
    Enter your login passphrase: <account password>
    Enter your mount passphrase [leave blank to generate one]: <passphrase from first computer>
    Enter your mount passphrase (again): <passphrase from first computer again>
    ************************************************************************
    YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
      ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
    THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
    ************************************************************************
    Done configuring.
    Testing mount/write/umount/read...
    Inserted auth tok with sig [2c007b978eb65d67] into the user session keyring
    Inserted auth tok with sig [b899c2e5fcb355f2] into the user session keyring
    Inserted auth tok with sig [2c007b978eb65d67] into the user session keyring
    Inserted auth tok with sig [b899c2e5fcb355f2] into the user session keyring
    Testing succeeded.
    Logout, and log back in to begin using your encrypted directory.
Good, now subscribe to the ~/.Private folder using ubuntuone-control-panel or u1sdtool (--list-folders to find out the folder-id, followed by --subscribe-folder=folder-id).
Restart the Ubuntu One client and you should start getting the files you put into the first ~/.Private folder; when you visit the ~/Private folder, you will be able to work with the unencrypted files. You might need to refresh the ~/Private folder for the changes to be visible; this is a limitation of eCryptFS.
Windows support
To put it simply, this will not work with Windows, Android or any other Ubuntu One client for any OS other than Linux with eCryptFS support. Windows does not support eCryptFS mounts and there appear to be no plans for this. There may be different solutions with a similar approach on Windows. If you happen to know one, feel free to leave a comment.
The web interface and Android file sync client will show encrypted file names and will download encrypted content. I am not aware of any eCryptFS-decrypting solutions for Android.
Thanks
After all, this blog post does not reveal anything new. The idea to use eCryptFS with Ubuntu One is quite common. The only value this long post adds is that it gives the address of the PPA.