On 04/11/2018 03:42 PM, Eric Biggers wrote:
> [+Cc joerichey@xxxxxxxxxx]
>
> Hi Christian,
>
> On Tue, Apr 10, 2018 at 11:31:45PM -0700, Christian Kujau wrote:
>> On Wed, 28 Mar 2018, Tyler Hicks wrote:
>>> I think that's a good plan. While eCryptfs has been fairly stable for
>>> quite some time, it is starved for maintenance attention these days as
>>> you've noticed with this thread. :/
>>
>> I wonder why that is. I use ecryptfs extensively to encrypt user's home
>> directories, and it works just great and thanks to pam_ecryptfs almost
>> out-of-the-box. I always disliked the hoops one has to go through to setup
>> dm-crypt & PAM in a proper and sane way and ecryptfs works well enough.
>> What alternatives are out there? fscrypt is not quite there yet, same for
>> encrypted ext4. I wonder what other people use to encrypt a user's home
>> directory. Full disk encryption seems to be pretty popular, but is equally
>> tricky to set up properly.
>>
>> So, thanks for keeping ecryptfs alive, I guess :-)
>>
>
> Native encryption is more efficient, among other advantages. Many users, e.g.
> Android and Chrome OS, have migrated to ext4 encryption, which is the same as
> "fscrypt" ("fscrypt" refers to the API which is shared by ext4, f2fs, and ubifs
> encryption, and also to the userspace tool https://github.com/google/fscrypt).
> So I've been focusing on fscrypt, and I haven't really have time to help
> maintain eCryptfs.
>
> Note that there *is* a PAM module pam_fscrypt which will "unlock" and "lock"
> fscrypt-encrypted directories when you log in and out. It does work (after I
> fixed a couple bugs :-), modulo a systemd bug that also affects pam_ecryptfs,
> and I'm using it to encrypt my home directory on an Arch Linux machine. It's
> just not very widely used or integrated into any major distros yet, even though
> the kernel support is usually available. It is/was planned for Ubuntu but I'm
> not sure what happened to that project.
Timelines just didn't line up very well. The upstream project's first
release was a month before Ubuntu 17.10's feature freeze which didn't
leave enough time for it to get packaged and integrated into the OS
installer and user management utilities. So then we were left with the
difficult decision of whether we should integrate it into 18.04 (a 5
year LTS release) without it having seen any heavy use from users in a
previous interim Ubuntu release. It was deemed too risky.
However, it is available for use in Ubuntu 18.04:
https://launchpad.net/ubuntu/+source/fscrypt
>
> Of course, you're also welcome to step up and help maintain eCryptfs or improve
> pam_fscrypt or its documentation -- no need to wait for someone else to do it.
Very good point. Both projects have friendly folks behind them and
lending a helping hand would be great.
Tyler
>
> Thanks,
>
> Eric
> --
> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
Attachment:
signature.asc
Description: OpenPGP digital signature
