[Bug 1842417] Re: Consider reintroducing home encryption using fscrypt

Redsandro 1842417 at bugs.launchpad.net
Sun Jul 26 21:22:09 UTC 2020


Please give this issue some love too:
https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993

** Description changed:

  Home encryption using ecryptfs was removed in Ubuntu 18.04 for reasons.
- Full disk encryption was recommended as an alternative.
+ Full disk encryption was recommended as an alternative, and set as the
+ one-size-fits-all solution in ubiquity.
  
  Not everyone agrees that encrypting the entire disk is the best
  alternative. Some prefer a more lightweight solution. Others have
  families and like to share a laptop, perhaps even with an unprivileged
- guest account, and family members want to encrypt their home with a
- personal password.
+ password-less guest account, and family members want to encrypt their
+ home with a personal password.
  
- For some, full disk encryption is unwanted because of reasons. Linux
- Mint 19, based on Ubuntu 18.04, re-introduced home encryption using
- ecryptfs because users wanted it.
- 
- Can we re-introduce home encryption, this time using fscrypt? Not only
- was this suggested (way prematurely) by the Ubuntu 18.04 release notes,
- it's also nearing completion with final patches scheduled for Kernel
- 5.4. It would be beneficial if we could get this as an option for Ubuntu
+ Can we re-introduce (an option to choose) home encryption using fscrypt?
+ Not only was this suggested (prematurely) by the Ubuntu 18.04 release
+ notes, it's also feature-complete now with v2 kernel encryption policy
+ patches merged in kernel 5.4, which is the default kernel on Ubuntu
  20.04 LTS.
  
- Resources:
  
- Encrypted home with fscrypt
- https://askubuntu.com/a/1031509/40475
+ Setup
+ -----
  
- Kernel patches for fs keyring
- https://git.kernel.org/pub/scm/fs/fscrypt/fscrypt.git/log/
+ Steps that would need to be scripted in ubiquity are as simple as:
  
- Key managemekt fixes in fscrypt tools
- https://github.com/ebiggers/fscrypt/commits/fscrypt-key-mgmt-improvements
+ ```
+ apt install fscrypt libpam-fscrypt
+ fscrypt setup
+ fscrypt setup /
+ fscrypt setup /home ## only if home is on a separate partition
+ fscrypt encrypt /home/$USERNAME
+ ```
+ 
+ For the rest you can probably re-use the ubiquity widgets and detection
+ code from the ecryptfs days.
+ 
+ Keep in mind that the fscrypt packages on the Ubuntu repositories are
+ outdated. See:
+ https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993
+ 
+ 
+ Resources
+ ---------
+ 
+ Fscrypt ext4 native encryption documented on Kernel.org
+ https://www.kernel.org/doc/html/v5.4/filesystems/fscrypt.html
+ 
+ Build instructions
+ https://github.com/ebiggers/fscrypt#fscrypt-
+ 
+ Fscrypt on Arch Linux
+ https://wiki.archlinux.org/index.php/Fscrypt
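
Review bot: in the added Setup block, the last command `fscrypt encrypt /home/$USERNAME` expands `$USERNAME` unquoted, and the step list does not say what state the home directory is in when that command runs. Quote the path, and state whether the directory is expected to be empty at that point, since the list has no step for migrating existing files. The same text relies on v2 policies from kernel 5.4 while noting that the packaged fscrypt is outdated, so the steps should also name the minimum fscrypt version the installer needs.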

** Summary changed:

- Consider reintroducing home encryption using fscrypt
+ Ubiquity needs support for fscrypt

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1842417

Title:
  Ubiquity needs support for fscrypt

Status in ubiquity package in Ubuntu:
  Confirmed

Bug description:
  Home encryption using ecryptfs was removed in Ubuntu 18.04 for
  reasons. Full disk encryption was recommended as an alternative, and
  set as the one-size-fits-all solution in ubiquity.

  Not everyone agrees that encrypting the entire disk is the best
  alternative. Some prefer a more lightweight solution. Others have
  families and like to share a laptop, perhaps even with an unprivileged
  password-less guest account, and family members want to encrypt their
  home with a personal password.

  Can we re-introduce (an option to choose) home encryption using
  fscrypt? Not only was this suggested (prematurely) by the Ubuntu 18.04
  release notes, it's also feature-complete now with v2 kernel
  encryption policy patches merged in kernel 5.4, which is the default
  kernel on Ubuntu 20.04 LTS.

  
  Setup
  -----

  Steps that would need to be scripted in ubiquity are as simple as:

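  ```
  # Install the fscrypt tool and its PAM module
  apt install fscrypt libpam-fscrypt
  # Create the global fscrypt configuration
  fscrypt setup
  # Set up fscrypt metadata on the root filesystem
  fscrypt setup /
  # Only if /home is on a separate partition
  fscrypt setup /home
  # Encrypt the user's home directory
  fscrypt encrypt "/home/$USERNAME"
  ```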

  For the rest you can probably re-use the ubiquity widgets and
  detection code from the ecryptfs days.

  Keep in mind that the fscrypt packages on the Ubuntu repositories are
  outdated. See:
  https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993

  
  Resources
  ---------

  Fscrypt ext4 native encryption documented on Kernel.org
  https://www.kernel.org/doc/html/v5.4/filesystems/fscrypt.html

  Build instructions
  https://github.com/ebiggers/fscrypt#fscrypt-

  Fscrypt on Arch Linux
  https://wiki.archlinux.org/index.php/Fscrypt
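
A preflight and dry run for the setup steps in the bug description, as an added example that is not part of the original report or of ubiquity. The function names, the `DEVICE` placeholder and the sample `tune2fs -l` line are assumptions made for illustration. The check for the ext4 `encrypt` feature goes beyond the steps listed in the report.

```shell
#!/bin/sh
# Added example (not ubiquity code): preflight and dry run for the setup steps.
# It only prints the commands; it never runs apt, tune2fs or fscrypt.

# Succeed if RELEASE (uname -r style) is >= 5.4, the kernel the description
# names for v2 encryption policies. Returns 2 on an unparsable release.
kernel_supports_v2() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Read `tune2fs -l DEVICE` output on stdin; succeed if the
# "Filesystem features:" line lists the ext4 "encrypt" feature.
ext4_has_encrypt() {
    while IFS= read -r line; do
        case "$line" in
            "Filesystem features:"*)
                for f in ${line#*:}; do [ "$f" = encrypt ] && return 0; done
                return 1 ;;
        esac
    done
    return 1
}

# Conservative login-name check so the name is safe to place in a path.
valid_username() {
    case "$1" in ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac
}

# fscrypt_plan USER RELEASE HOME_SEPARATE(yes|no) < tune2fs-output
fscrypt_plan() {
    user=$1; release=$2; separate=$3
    valid_username "$user" || { echo "unsafe username" >&2; return 1; }
    kernel_supports_v2 "$release" || { echo "kernel too old: $release" >&2; return 1; }
    ext4_has_encrypt || echo "tune2fs -O encrypt DEVICE"  # DEVICE: placeholder
    echo "apt install fscrypt libpam-fscrypt"
    echo "fscrypt setup"
    echo "fscrypt setup /"
    if [ "$separate" = yes ]; then echo "fscrypt setup /home"; fi
    echo "fscrypt encrypt /home/$user"
}

# Constructed sample: features line as printed by `tune2fs -l`, without encrypt.
SAMPLE_FEATURES='Filesystem features:      has_journal ext_attr dir_index extent 64bit metadata_csum'
```

On a real system the plan would be fed from `tune2fs -l` for the device holding the home directory, with `uname -r` as the release argument.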
