{{From|https://help.ubuntu.com/community/EncryptedHome}}
{{Languages|UbuntuHelp:EncryptedHome}}
== Home Directory Encryption ==
=== Encrypted Private ===
Ubuntu 8.10 (Intrepid) introduced an interesting new feature to Ubuntu -- the ability to encrypt a "Private" folder within one's home directory. This provided cryptographic protection of your most sensitive data, such as your documents and keys. This folder is automatically mounted on login, and unmounted on logout. When the folder is unmounted, an attacker only has access to your encrypted data (AES256).

The encrypted data is in <code><nowiki>$HOME/.Private</nowiki></code>, and when mounted, the decrypted data is in <code><nowiki>$HOME/Private</nowiki></code>. Some important configuration information is stored in <code><nowiki>$HOME/.ecryptfs</nowiki></code>.

If installing from the Ubuntu 8.10 Alternate or Server CD, there is a question in the installation for configuring the Encrypted Private directory. If you want to set up your Encrypted Private directory later, just run <code><nowiki>ecryptfs-setup-private</nowiki></code>.

Ubuntu 9.04 and Ubuntu 9.10 continue to support Encrypted Private directories, which is perhaps useful for users who choose to auto-login their Ubuntu systems. As such, the user can store their most sensitive data in <code><nowiki>$HOME/Private</nowiki></code>, and protect that with a password, while using the rest of the system without a password.

=== Encrypted Home ===
Ubuntu 9.04 extended the Encrypted Private directory technology to actually cover the entire home directory.

Ubuntu 9.04 users should add the boot option "user-setup/encrypt-home=true" to the kernel boot parameters when installing from the Desktop CD. If installing from the Alternate or Server CD, the option will always appear. The user will be asked if they want to encrypt their home directory.

Ubuntu 9.10 exposed this option to all users installing from the Desktop CD.
On the User Setup screen, after choosing a username and a password, the user can choose one of:
* log in automatically
* require a password to log in
* require a password to log in and decrypt your home directory
Users wanting an Encrypted Home directory should choose the 3rd option.

If the administrator wants to add a new user with an encrypted home directory after the initial installation, use: <code><nowiki>sudo adduser --encrypt-home</nowiki></code>.

If the user wants to migrate from a non-encrypted home directory to an Encrypted Home directory, follow the instructions here:
* http://blog.dustinkirkland.com/2009/06/migrating-to-encrypted-home-directory.html

In the Ubuntu 9.04 setup, the user's encrypted data is located in <code><nowiki>$HOME/.Private</nowiki></code>, but is only available when <code><nowiki>$HOME</nowiki></code> is '''not''' mounted. The user's configuration data is in <code><nowiki>/var/lib/ecryptfs/$USER</nowiki></code>.
* '''Note that this has been problematic for some users who remember to back up their <code><nowiki>/home</nowiki></code> partition, but neglect to back up their <code><nowiki>/var/lib/ecryptfs</nowiki></code> partition. This has been fixed in Ubuntu 9.10.'''

In the Ubuntu 9.10 setup, the user's encrypted data is located in <code><nowiki>/home/.ecryptfs/$USER/.Private</nowiki></code>, and the user's configuration data is located in <code><nowiki>/home/.ecryptfs/$USER/.ecryptfs</nowiki></code>. As such, all of the user's pertinent data is self-contained in <code><nowiki>/home</nowiki></code>.

=== Caveats ===
There are a few minor caveats that one must keep in mind about these encrypted configurations.

When you are not logged into your system, data in your home directory is not accessible in plain text. This, of course, is by design. This is what keeps an attacker from gaining access to your files.
However, this means that:
* Your cronjobs may not have access to your Home Directory
* SSH public key authentication into your system also will not work, unless you put your public key somewhere outside of your home directory and symbolically link it to your unmounted <code><nowiki>$HOME/.ssh/authorized_keys</nowiki></code>.

Also, it is '''strongly recommended''' that you encrypt your swap space. Users installing from Ubuntu 9.10 and selecting the Encrypted Home option will automatically have encrypted swap space. Other users can run <code><nowiki>sudo ecryptfs-setup-swap</nowiki></code>. This is critically important, because your home directory data will appear as cleartext in memory, as the kernel reads your encrypted data. If the kernel swaps this data to disk, it could potentially leak your decrypted data back to disk, totally defeating your Encrypted Home. Encrypted Swap solves this problem.

However:
* Hibernation will not work. Actually, hibernation will work just fine. But you can't resume. There are ways around this, but it involves choosing a password to use for your swap encryption, and entering that password every time you boot your system, and sharing that password with anyone else that might want to resume the system.
* This is a known, wishlist issue that we hope to solve for Ubuntu 10.04.
* You may be able to avoid these problems by running without a swapfile.
* Beware of information from an encrypted directory [http://www.schneier.com/blog/archives/2008/07/truecrypts_deni.html leaking out] (the linked article is Windows-centric but the same principles apply to Linux).

[[category:UbuntuHelp]]
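The backup caveat for the 9.04 and 9.10 layouts under Encrypted Home, as an added example that is not part of the original wiki page: it classifies a user's layout from the directories named there and lists every required directory that the trees covered by a backup job miss. The function names and the HOME_ROOT, VAR_ROOT and PREFIX arguments are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not part of the wiki page. Directory names are the ones the
# page gives; HOME_ROOT/VAR_ROOT are assumed parameters so the check can also
# be pointed at a restored backup or a test tree.

# ecryptfs_layout USER [HOME_ROOT] [VAR_ROOT] -> home-9.10 | home-9.04 | private | none
ecryptfs_layout() {
    u=$1; h=${2:-/home}; v=${3:-/var/lib/ecryptfs}
    if [ -d "$h/.ecryptfs/$u/.Private" ] && [ -d "$h/.ecryptfs/$u/.ecryptfs" ]; then
        echo home-9.10        # data and config both under /home
    elif [ -d "$v/$u" ]; then
        echo home-9.04        # config lives outside /home
    elif [ -d "$h/$u/.Private" ] && [ -d "$h/$u/.ecryptfs" ]; then
        echo private          # Encrypted Private directory only
    else
        echo none
    fi
}

# ecryptfs_backup_paths USER [HOME_ROOT] [VAR_ROOT]
# Prints every directory a backup needs in order to restore USER's data.
ecryptfs_backup_paths() {
    u=$1; h=${2:-/home}; v=${3:-/var/lib/ecryptfs}
    case $(ecryptfs_layout "$u" "$h" "$v") in
        home-9.10) echo "$h/.ecryptfs/$u" ;;
        home-9.04) echo "$h/$u"; echo "$v/$u" ;;   # $h/$u as seen while unmounted
        private)   echo "$h/$u/.Private"; echo "$h/$u/.ecryptfs" ;;
    esac
}

# ecryptfs_backup_gaps USER HOME_ROOT VAR_ROOT PREFIX...
# PREFIX... are the directory trees the backup job covers. Prints each
# required path that no prefix covers; returns 1 if there is any gap.
ecryptfs_backup_gaps() {
    u=$1; h=$2; v=$3; shift 3
    gaps=0
    while IFS= read -r need; do
        [ -n "$need" ] || continue
        hit=0
        for prefix in "$@"; do
            case "$need/" in "${prefix%/}"/*) hit=1 ;; esac
        done
        [ "$hit" -eq 1 ] || { echo "NOT BACKED UP: $need"; gaps=1; }
    done <<EOF
$(ecryptfs_backup_paths "$u" "$h" "$v")
EOF
    return "$gaps"
}
```

On a live system, <code>ecryptfs_backup_gaps "$USER" /home /var/lib/ecryptfs /home</code> reports whether a backup of <code>/home</code> alone is enough for that user.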
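A check for the swap caveat, added here and not taken from the wiki page or from ecryptfs-utils: it reports whether each active swap area is a mapping listed in <code>/etc/crypttab</code>, and whether that mapping uses a per-boot random key, which is the case in which resume from hibernation cannot work. Function names, arguments and status words are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of ecryptfs-utils. Inputs are
# the kernel's active-swap list and /etc/crypttab (fields as in crypttab(5));
# the file arguments are assumed parameters so saved copies can be checked.

# crypttab_key NAME CRYPTTAB: print the key-file field of NAME's entry
# ("none" if the field is absent); print nothing if NAME has no entry.
crypttab_key() {
    [ -r "$2" ] || return 0
    awk -v n="$1" '
        /^[ \t]*(#|$)/ { next }
        $1 == n { print ($3 == "" ? "none" : $3); exit }' "$2"
}

# swap_report [SWAPS] [CRYPTTAB] [SYS_BLOCK]
# Prints "<device> <status>" for each active swap area:
#   encrypted-random-key  crypttab mapping keyed from /dev/(u)random, so the
#                         key is new on every boot and resume cannot work
#   encrypted             crypttab mapping with another key source
#   unverified            swap file, or device-mapper volume not in crypttab
#   PLAINTEXT             plain partition with no mapping at all
# Returns 1 if any area is PLAINTEXT.
swap_report() {
    swaps=${1:-/proc/swaps}; crypttab=${2:-/etc/crypttab}; sysblk=${3:-/sys/block}
    rc=0
    while read -r dev type _rest; do
        case $dev in Filename|'') continue ;; esac
        name=
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            /dev/dm-*) name=${dev#/dev/}; f=$sysblk/$name/dm/name
                       if [ -r "$f" ]; then name=$(cat "$f"); fi ;;
        esac
        key=
        if [ -n "$name" ]; then key=$(crypttab_key "$name" "$crypttab"); fi
        case $key in
            /dev/urandom|/dev/random) status=encrypted-random-key ;;
            ?*) status=encrypted ;;
            *)  if [ "$type" = file ] || [ -n "$name" ]; then status=unverified
                else status=PLAINTEXT; rc=1; fi ;;
        esac
        echo "$dev $status"
    done < "$swaps"
    return "$rc"
}
```

Run with no arguments it reads <code>/proc/swaps</code> and <code>/etc/crypttab</code>; a non-zero exit status means at least one swap partition can receive cleartext pages from the decrypted home directory.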