
Encryption has arrived for EasyOS

June 05, 2018 — BarryK

I have posted about various aspects of security in Easy, looking from the "inside". That is, thinking of a person with malicious intent "escaping" from an app (running in EasyOS) with network access and reading personal data, hijacking your computer, or whatever.

However, you also need to be protected from the "outside". By that I mean, someone physically getting hold of your USB-drive or internal drive with EasyOS installed on it.

The solution for this latter threat is to encrypt all sensitive data and require a password to access it. This is what I have implemented.

The method I have used is the encryption capability inherent in the ext4 filesystem. In a nutshell, at the first-boot of Easy, it creates an ext4 filesystem in the working-partition with 'encrypt' capability enabled. A password is then asked for, and if provided, the "home", "containers", "repositories" and ".session" folders are created as encrypted folders.

After bootup, the contents of those folders will appear as normal; however, if someone got hold of the drive, those folders would appear to have garbage content.

At first bootup the user has the choice of no password, so behaviour will be as before, no encryption. If a password is entered, then it will have to be remembered and entered at every bootup. There will be no possibility of changing the password later.

So, what are the upsides and downsides of this? Itemising:

  1. Having to enter a password at every bootup, a downside? -- not if you are very concerned about security.
  2. There is going to be some performance hit of course; at this stage I don't know if it will be noticeable.
  3. I discovered an awkwardness with the 'mv' utility, and also when choosing "move" when dragging a file in ROX-Filer. You cannot move a normal file into an encrypted folder, but you can copy it. I found that I can move a file out of an encrypted folder then back in again. I can also move from another partition into an encrypted folder (as that is really a copy-then-delete operation).
     It may be that a future version of 'mv' will recognise this situation and perform a copy-then-delete. I hope so. For now, it is a small annoyance, certainly not a show-stopper.
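
The copy-then-delete fallback described in item 3, as an added example (not EasyOS or 'mv' code). The name `move_into`, the `rename` parameter (there only so the refusal can be simulated on an unencrypted filesystem) and the errno values treated as "rename refused" are assumptions.

```python
import errno
import os
import shutil
import tempfile

# Assumption: errno values a kernel may return when rename(2) crosses an
# encryption-policy boundary (EXDEV is also the ordinary cross-partition case).
RENAME_REFUSED = {errno.EPERM, errno.EXDEV}

def move_into(src, dst_dir, rename=os.rename):
    """Move regular file src into dst_dir. Returns "renamed" or "copied"."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    if os.path.lexists(dst):
        raise FileExistsError(errno.EEXIST, "destination exists", dst)
    try:
        rename(src, dst)
        return "renamed"
    except OSError as exc:
        if exc.errno not in RENAME_REFUSED:
            raise  # unrelated failure: do not mask it with a copy
    # Fallback: create the copy inside dst_dir so it inherits that folder's
    # encryption policy, under a temporary name so a partial file is never
    # visible as dst.
    fd, tmp = tempfile.mkstemp(dir=dst_dir, prefix=".mv-")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())  # data is on disk before the source goes
        shutil.copystat(src, tmp)   # keep mode and timestamps
        os.rename(tmp, dst)         # same folder, same policy
    except BaseException:
        os.unlink(tmp)
        raise
    os.unlink(src)  # delete the original only after the copy is complete
    return "copied"

if __name__ == "__main__":
    # Constructed demo: a stand-in rename that refuses the move.
    def refuse(_src, _dst):
        raise OSError(errno.EPERM, "Operation not permitted")
    with tempfile.TemporaryDirectory() as top:
        plain, enc = os.path.join(top, "plain"), os.path.join(top, "enc")
        os.mkdir(plain)
        os.mkdir(enc)
        path = os.path.join(plain, "notes.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        print(move_into(path, enc, rename=refuse))
```

Deleting the source removes only its directory entry, so the blocks of the unencrypted original can remain on the drive until they are overwritten.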

Here is a brief overview of ext4 encryption:

https://wiki.archlinux.org/index.php/ext4#Using_file-based_encryption

Those who have been around Puppy/Easy/Quirky for a while may know that a while back I used the f2fs filesystem for flash memory. I abandoned it for various reasons, one being that it seemed easier to corrupt the filesystem than ext4. Also, the developers made the 'pam' package a runtime requirement -- I don't know if there is any way around that.

The good news about f2fs is that it has adopted the same encryption mechanism as ext4. Ext4 has the 'e4crypt' utility, and f2fs has an identical utility named 'f2fscrypt'.

I compiled 'e4crypt' statically (in a musl build in OpenEmbedded) and that is now in 'initrd.q' in EasyOS.

Note, there is a utility named 'fscrypt' that is being developed as a single replacement for 'e4crypt' and 'f2fscrypt', and for any other f.s. that uses this encryption mechanism. Unfortunately, 'fscrypt' has a runtime dependency on 'pam'. It is also bloated, as it is written in Go.

EDIT 20180605
Ah, there is a lighter alternative to 'fscrypt', named 'fscryptctl', written in C, with virtually no deps:

https://github.com/google/fscryptctl 
