Creating a encrypted directory during the server installation

Dustin Kirkland kirkland at canonical.com
Tue Sep 23 17:43:02 UTC 2008


I feel compelled to mention one other thing...

Often, LVM encryption is *not* an option for servers where unattended
booting is absolutely required, as LVM encryption requires a
passphrase on startup.

With an encrypted ~/Private, no passphrase is required on boot, but
rather it's mounted/unmounted on login/logout.

----

That said, let me throw out another perhaps more controversial
option...  What if we didn't ask, and we just provided ~/Private
encrypted by default?  If unspecified, the mount passphrase is
randomly generated from 128 bits of /dev/urandom.  We can do that
completely entirely and reliably without adding a screen to the
installer, and provide the system administrator user a secure,
encrypted location to drop critical data by default on any Ubuntu
Server.

The one challenge, however, is that we'd need to communicate to the
user their randomly generated passphrase, which they would need if
they needed to take extreme measures at some point to recover their
data.

:-Dustin




More information about the ubuntu-server mailing list