[+Cc joerichey@xxxxxxxxxx]

Hi Christian,

On Tue, Apr 10, 2018 at 11:31:45PM -0700, Christian Kujau wrote:
> On Wed, 28 Mar 2018, Tyler Hicks wrote:
> > I think that's a good plan. While eCryptfs has been fairly stable for
> > quite some time, it is starved for maintenance attention these days as
> > you've noticed with this thread. :/
>
> I wonder why that is. I use ecryptfs extensively to encrypt users' home
> directories, and it works just great and thanks to pam_ecryptfs almost
> out-of-the-box. I always disliked the hoops one has to go through to set up
> dm-crypt & PAM in a proper and sane way and ecryptfs works well enough.
> What alternatives are out there? fscrypt is not quite there yet, same for
> encrypted ext4. I wonder what other people use to encrypt a user's home
> directory. Full disk encryption seems to be pretty popular, but is equally
> tricky to set up properly.
>
> So, thanks for keeping ecryptfs alive, I guess :-)
>

Native encryption is more efficient, among other advantages. Many users,
e.g. Android and Chrome OS, have migrated to ext4 encryption, which is the
same as "fscrypt" ("fscrypt" refers to the API which is shared by ext4,
f2fs, and ubifs encryption, and also to the userspace tool
https://github.com/google/fscrypt). So I've been focusing on fscrypt, and
I haven't really had time to help maintain eCryptfs.

Note that there *is* a PAM module pam_fscrypt which will "unlock" and
"lock" fscrypt-encrypted directories when you log in and out. It does work
(after I fixed a couple bugs :-), modulo a systemd bug that also affects
pam_ecryptfs, and I'm using it to encrypt my home directory on an Arch
Linux machine. It's just not very widely used or integrated into any major
distros yet, even though the kernel support is usually available. It
is/was planned for Ubuntu but I'm not sure what happened to that project.

Of course, you're also welcome to step up and help maintain eCryptfs or
improve pam_fscrypt or its documentation -- no need to wait for someone
else to do it.

Thanks,

Eric