User data encryption requirements and work for 14.04

Registered by Jamie Strandboge

Ubuntu Desktop currently offer both encrypted disk and encrypted home as part of the install. Ubuntu Touch should also offer a user data encryption option for its users.

Blueprint information

Marc Deslauriers
Tyler Hicks
Tyler Hicks
Series goal:
Accepted for trusty
Milestone target:
milestone icon ubuntu-14.04
Started by
Jamie Strandboge

Related branches



vUDS session should focus on requirements gathering specifically for 14.04 on Ubuntu Touch with considerations for the fully converged experience. Resulting actions should consist of technologies and scenarios to investigate along with assigning identified work items.

* Full disk encryption (dm-crypt) or per-user home directory encryption (eCryptfs)?
  - We won't be able to answer this immediately, but it is something to think about while discussing requirements
  - Android uses dm-crypt
  - One vendor producing Android phones implemented a solution with eCryptfs
  - ChromeOS uses eCryptfs
  - What about other mobile platforms?
  - Any positive or negative experiences using data encryption on mobile devices?

* How will data encryption be deployed on mobile devices?
  - Install time, when adding new users, etc.

* Support migration of existing, unencrypted user data?
  - This will heavily depend on the underlying encryption technology

* Keys will most likely be protected by login passwords
  - Should we enable password quality checks to avoid '1234' pins?
  - Pattern-based logins should not be allowed

Notes in:


Work Items

Work items for ubuntu-14.02:
[tyhicks] investigate kernel keyring confinement: TODO
[tyhicks] fix LP: #359338 so the base apparmor abstraction is actually sane for apps when using ecryptfs: TODO
[tyhicks] update CI for ecryptfs on Touch: TODO

Work items for ubuntu-14.03:
[tyhicks] benchmarks on arm: INPROGRESS
[tyhicks] finalize requirements: TODO
[tyhicks] define implementation (write specification): TODO
[tyhicks] add autopkgtests for ecryptfs: TODO
[tyhicks] recommend password strength implementation when encryption is being used: TODO

Dependency tree

* Blueprints in grey have been implemented.