User data encryption requirements and work for 14.04
Ubuntu Desktop currently offer both encrypted disk and encrypted home as part of the install. Ubuntu Touch should also offer a user data encryption option for its users.
Blueprint information
- Status:
- Started
- Approver:
- Marc Deslauriers
- Priority:
- High
- Drafter:
- Tyler Hicks
- Direction:
- Approved
- Assignee:
- Tyler Hicks
- Definition:
- Approved
- Series goal:
- Accepted for trusty
- Implementation:
- Started
- Milestone target:
- ubuntu-14.04
- Started by
- Jamie Strandboge
- Completed by
Whiteboard
vUDS session should focus on requirements gathering specifically for 14.04 on Ubuntu Touch with considerations for the fully converged experience. Resulting actions should consist of technologies and scenarios to investigate along with assigning identified work items.
* Full disk encryption (dm-crypt) or per-user home directory encryption (eCryptfs)?
- We won't be able to answer this immediately, but it is something to think about while discussing requirements
- Android uses dm-crypt
- One vendor producing Android phones implemented a solution with eCryptfs
- ChromeOS uses eCryptfs
- What about other mobile platforms?
- Any positive or negative experiences using data encryption on mobile devices?
* How will data encryption be deployed on mobile devices?
- Install time, when adding new users, etc.
* Support migration of existing, unencrypted user data?
- This will heavily depend on the underlying encryption technology
* Keys will most likely be protected by login passwords
- Should we enable password quality checks to avoid '1234' pins?
- Pattern-based logins should not be allowed
Notes in: http://
Work Items
Work items for ubuntu-14.02:
[tyhicks] investigate kernel keyring confinement: TODO
[tyhicks] fix LP: #359338 so the base apparmor abstraction is actually sane for apps when using ecryptfs: TODO
[tyhicks] update CI for ecryptfs on Touch: TODO
Work items for ubuntu-14.03:
[tyhicks] benchmarks on arm: INPROGRESS
[tyhicks] finalize requirements: TODO
[tyhicks] define implementation (write specification): TODO
[tyhicks] add autopkgtests for ecryptfs: TODO
[tyhicks] recommend password strength implementation when encryption is being used: TODO
Dependency tree
* Blueprints in grey have been implemented.