I like encrypted $HOME and making the use of them as easy for people as possible.
On creation of the first user, Ubuntu's installer offers a checkbox labelled something like "Encrypt the user's files". That's it: just one check-box. If set, upon login, a PAM module unlocks and mounts a loopback device over the user's $HOME location, transparently. On Debian I have achieved this for some time using dm-crypt/LUKS + the excellent support for the two (and LVM) in d-i. I then supplant that with libpam-mount. The result works, but has drawbacks: manual configuration of libpam-mount; unpredictable fscks with no visual feedback; some bugs with concurrent logins; unreliable unmount-on-logout; etc. One difference between these two schemes is that Ubuntu's scheme is orthogonal to whether /home or /home/foo is a distinct partition from /. This, IMHO, is a good thing: novice users need not enter the (sometimes confusing) world of partitioning: legacy DOS partition table limitations; or schemes like LVM. Sometimes I don't care to have $HOME separate from / myself (except to achieve encryption). I think it would be wonderful to have such ease-of-use $HOME encryption in Debian. Ubuntu's scheme uses ecryptfs. Before I begin looking into how best I might help work towards this, I was wondering if experienced people could weigh in with advice on whether ecryptfs is likely to be the most sensible way to achieve the desired result, or is something else worthy of consideration? Thanks, -- Jon Dowland -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110911132337.GA5608@pris
