ecryptfs-devel team mailing list archive

Re: [Ecryptfs-users] Writing a script for encrypting an user's home

 

On Tue, Jan 5, 2010 at 1:18 AM, Li, Yan <yan.i.li@xxxxxxxxx> wrote:
> Is there such a tool / script that can encrypt a user's existing
> home? With such a tool a user can choose to encrypt his/her current
> home. My idea is that the user writes a tag somewhere and reboots the
> machine, on the next boot process the tag is detected and the user's home is
> encrypted before any user processes are running.
>
> I can't find it and I'm writing one (in bash). Is such a script useful
> to the public? Or shall I write it in another language that upstream
> prefers?

Hi Yan Li-

All of the instructions and commands should be clearly described here:
 * http://blog.dustinkirkland.com/2009/06/migrating-to-encrypted-home-directory.html

I would absolutely *love* a script that could do this, and would
*welcome* it into the upstream ecryptfs-utils project.

I think I would prefer it written in POSIX shell script, as all of the
operations are ultimately shell operations.  However, you could
alternatively write it in Python or C.  Those would be my preferences,
in that order (Shell, Python, C).

Now, for safety's sake, I strongly insist that the user should *not*
be logged into the system while this migration happens.  So let's call
the tool, /usr/sbin/ecryptfs-encrypt-home, for instance.  On an
installed system, it should only be run by the root user, targeted at
another user's home directory, and the root user will need to know (or
reset) the non-root-user's password, and would need to ensure that the
target user is not logged in.  It should also be usable from a LiveCD
distribution, such as the Ubuntu Desktop LiveCD.  This would be the
safest, and recommended way of doing this, in my opinion.

As for the reboot approach, I'm not too sure how that would work.  If
that's the approach you'd really like to take, give me a little more
detail on how that would shake out.

If you'd like to discuss this further, I would be happy to help guide
you.  We can continue this either in email, or in IRC on #ecryptfs at
irc.oftc.net.

Cheers!
:-Dustin
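
The pre-flight conditions named in the reply above (run by root, aimed at another user's home, target user not logged in), sketched in POSIX shell as an added example; it is not part of the original message or of ecryptfs-utils. The function names and sample data are hypothetical, `ps -eo uid=` assumes procps, and treating leftover processes as a blocker is an assumption about what "not logged in" should cover.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Succeeds if any stdin line has $1 as its first whitespace-separated field.
first_field_is() {
    awk -v want="$1" '($1 "") == (want "") { hit = 1 } END { exit !hit }'
}

# check_migration_safe CALLER_UID TARGET_USER TARGET_UID WHO_OUTPUT PS_UIDS
# Prints the verdict; returns non-zero when the migration must not start.
check_migration_safe() {
    caller_uid=$1; target=$2; target_uid=$3; who_out=$4; ps_uids=$5
    if [ "$caller_uid" -ne 0 ]; then
        echo "must be run as root"; return 1
    fi
    if [ "$target_uid" -eq 0 ]; then
        echo "target must be a non-root user"; return 2
    fi
    if printf '%s\n' "$who_out" | first_field_is "$target"; then
        echo "$target has a login session"; return 3
    fi
    # Assumption: leftover processes (cron jobs, screen) also block migration.
    if printf '%s\n' "$ps_uids" | first_field_is "$target_uid"; then
        echo "$target still owns running processes"; return 4
    fi
    echo "ok"
}

# Live wrapper: collects the real values on an installed system.
preflight() {
    target_uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1"; return 5; }
    check_migration_safe "$(id -u)" "$1" "$target_uid" "$(who)" "$(ps -eo uid=)"
}

# Constructed sample data (not from a real system): alice (uid 1000) is
# logged in on tty7, and a daemon with uid 104 is running.
SAMPLE_WHO='alice    tty7         2010-01-05 09:12 (:0)'
SAMPLE_PS_UIDS='    0
 1000
  104'

# Demonstration on the sample data: reports that alice has a login session.
check_migration_safe 0 alice 1000 "$SAMPLE_WHO" "$SAMPLE_PS_UIDS" || true
```

From a LiveCD the target account is not known to the running system, so only the root check applies there and the `who`/`ps` checks are trivially satisfied.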
