[liberationtech] Privacy in Ubuntu 12.10

Douglas Lucas dal at riseup.net
Thu Nov 8 11:48:43 PST 2012 

I want to chime in here to thank EFF for encouraging Ubuntu to do this
and encourage everyone who appreciates it to donate to EFF:
https://supporters.eff.org/donate I'm sure many of us have had and
continue to have the experience of wanting to nudge someone over from OS
X or Windows to GNU/Linux and LUKS full disk encryption, but the process
got roadblocked at some point because using the alternate installer to
config the partitions and all for FDE was just too much of a hassle for
parties involved. Now FDE is just a tickbox in the default installer.
How cool is that? So again, donate!

:-Douglas

On 11/08/2012 01:34 PM, Micah Lee wrote:
> On 11/08/2012 05:18 AM, Niels ten Oever wrote:
>> Dear Micah,
>>
>> Small correction to your piece: Selecting full disk encryption in the
>> installer GUI was already possible in Ubuntu 12.04.
>>
>> The explanation wasn't as clear as it is now though.
> 
> Before 12.10 the Ubuntu GUI installer only let you set up home directory
> encryption using encryptfs, which is different than full disk
> encryption. This option is still there in 12.10, and you can choose to
> use it as well as full disk encryption if you want (I can't see how it
> could help though).
> 
> With encryptfs home directory encryption, all of the individual files in
> your home folder get stored encrypted on the disk, but a lot of data
> about your files still gets leaked. The directory structure, file size,
> timestamps, etc. don't get encrypted, only the contents of the files.
> And it's also only your home directory that gets encrypted, not your
> whole disk. So for example, if you have any mysql databases on your
> computer, that data gets stored in /var/lib/mysql and therefore won't
> get encrypted. When you're not encrypting your whole hard drive, "evil
> maid" style attacks become much easier. If someone gets physical access
> to your computer for just a couple minutes, they can boot to a live cd
> and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions.
> 
> The full disk encryption that's offered in 12.10 uses luks and differs
> in many ways from encryptfs home directory encryption. It creates full
> encrypted file systems, which means that no meta data about the files on
> your computer get leaked. The key that's used to unlock the luks
> partitions are encrypted with a separate passphrase that isn't your user
> password, and you have to enter this each time you boot your computer,
> which is more secure since user passwords tend to not be long passphrases.
> 
> 
> 
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

More information about the liberationtech mailing list