cryptic: Encryption and partitioning on Ubuntu
Jérémie Astori
@astorije
LibrePlanet Boston Desktop GNU/Linux Users Group - CryptoParty
4 February 2015
- Name, @astorije on Twitter and GitHub
- Work for W3C, where we care a lot about privacy, thanks for the event
- cryptic, Simple script to answer a complicated issue I experienced last year
- If trouble reading the slides, go to astori.fr. Slides are accessible.
Motivation
- “Full-disk encryption: Very easy to use, no latency, you won't even notice it.”
— Bruce Schneier, NSA Surveillance and What To Do About It
- Last year, talk given by Bruce Schneier, renowned cryptographer, security and privacy specialist
- Great! Let's give it a try.
- Ubuntu installer: checkbox. Checked, encrypted.
Motivation
“Full-disk encryption: Very easy to use, no latency, you won't even notice it.”
— Bruce Schneier, NSA Surveillance and What To Do About ItProblem: how to split
/and/homeinto 2 partitions?
- Last year, talk given by Bruce Schneier, renowned cryptographer, security and privacy specialist
- Great! Let's give it a try.
- Ubuntu installer: checkbox. Checked, encrypted.
- I like to keep root and home partitions separate
- No option for this in Ubuntu's installer
- Long several-page-long tutorials and command line skills required, not trivial
Motivation
“Full-disk encryption: Very easy to use, no latency, you won't even notice it.”
— Bruce Schneier, NSA Surveillance and What To Do About ItProblem: how to split
/and/homeinto 2 partitions?What about other OS?
- Debian: Already in the installer
- Other Unix-like OS: RTFM
- Mac OS: The most efficient way to lose your data
- Windows: An installer? What is that?
- Last year, talk given by Bruce Schneier, renowned cryptographer, security and privacy specialist
- Great! Let's give it a try.
- Ubuntu installer: checkbox. Checked, encrypted.
- I like to keep root and home partitions separate
- No option for this in Ubuntu's installer
- Long several-page-long tutorials and command line skills required, not trivial
- Debian: All set, can be finely tuned up
- Other Linux-like OS: Geeky enough to find a solution!
- Mac OS: Needs to boot from an encrypted partition to decrypt
- Windows: Nobody installs the system
Motivation
“Full-disk encryption: Very easy to use, no latency, you won't even notice it.”
— Bruce Schneier, NSA Surveillance and What To Do About ItProblem: how to split
/and/homeinto 2 partitions?What about other OS?
- Debian: Already in the installer
- Other Unix-like OS: RTFM
- Mac OS: The most efficient way to lose your data
- Windows: An installer? What is that?
Solution:
cryptic! *
- Last year, talk given by Bruce Schneier, renowned cryptographer, security and privacy specialist
- Great! Let's give it a try.
- Ubuntu installer: checkbox. Checked, encrypted.
- I like to keep root and home partitions separate
- No option for this in Ubuntu's installer
- Long several-page-long tutorials and command line skills required, not trivial
- Debian: All set, can be finely tuned up
- Other Linux-like OS: Geeky enough to find a solution!
- Mac OS: Needs to boot from an encrypted partition to decrypt
- Windows: Nobody installs the system
Motivation
“Full-disk encryption: Very easy to use, no latency, you won't even notice it.”
— Bruce Schneier, NSA Surveillance and What To Do About ItProblem: how to split
/and/homeinto 2 partitions?What about other OS?
- Debian: Already in the installer
- Other Unix-like OS: RTFM
- Mac OS: The most efficient way to lose your data
- Windows: An installer? What is that?
Solution:
cryptic! *
* Until it is included in the installer...
- Last year, talk given by Bruce Schneier, renowned cryptographer, security and privacy specialist
- Great! Let's give it a try.
- Ubuntu installer: checkbox. Checked, encrypted.
- I like to keep root and home partitions separate
- No option for this in Ubuntu's installer
- Long several-page-long tutorials and command line skills required, not trivial
- Debian: All set, can be finely tuned up
- Other Linux-like OS: Geeky enough to find a solution!
- Mac OS: Needs to boot from an encrypted partition to decrypt
- Windows: Nobody installs the system
cryptic, simple / ugly script that does everything.
Hopefully, this script will become useless: For encryption to generalize, must be no trade-off between privacy and convenience.
Me: 2 partitions over encryption. Most people would make this choice.
Usage
- When installing Ubuntu, check Encrypt the new Ubuntu installation for security
Usage
When installing Ubuntu, check Encrypt the new Ubuntu installation for security
Once Ubuntu is installed, before rebooting, open a terminal and type:
wget -N https://astori.fr/cryptic.sh. cryptic.sh2 lines, very easy:
- Downloads
- Runs
Usage
When installing Ubuntu, check Encrypt the new Ubuntu installation for security
Once Ubuntu is installed, before rebooting, open a terminal and type:
wget -N https://astori.fr/cryptic.sh. cryptic.shBy default:
/gets 20GiB/homegets the rest of the disk
2 lines, very easy:
- Downloads
- Runs
Usage
When installing Ubuntu, check Encrypt the new Ubuntu installation for security
Once Ubuntu is installed, before rebooting, open a terminal and type:
wget -N https://astori.fr/cryptic.sh. cryptic.sh 42GCustom size:
/gets 42GiB/homegets the rest of the disk
Custom sizing support exabytes, roughly a million terabytes, ready for the future
Live demo!
- Best way to crash a system is to show a live demo on stage
- Chose a safer version: a set of screenshots
Live demo (sort of...)
Live demo (sort of...)
Some steps are slow like this one
Live demo (sort of...)
Live demo (sort of...)
Live demo (sort of...)
Live demo (sort of...)
Live demo (sort of...)
fstab == file systems table
Live demo (sort of...)
- Only took a few minutes
- System is now protected and nicely split
Enhancements
Not supported:
- Other flavors of Ubuntu
- Multi-boot
- ...
Not tested on Ubuntu 14.10
Not so robust
Support other partitioning schemes
Report to the community
- No Lubuntu, Xubuntu, ...
- Basically only the base scenario is handled
- Works on Ubuntu 13.10 and 14.04 LTS
- Noticed it breaks on rare occasion
- Multiple partitions, fs, mount points, ...
- Actually never requested the feature to Canonical/community nor searched if already requested
Enhancements
Not supported:
- Other flavors of Ubuntu
- Multi-boot
- ...
Not tested on Ubuntu 14.10
Not so robust
Support other partitioning schemes
Report to the community
To access the documentation, contribute or report a bug:
https://github.com/astorije/cryptic
- No Lubuntu, Xubuntu, ...
- Basically only the base scenario is handled
- Works on Ubuntu 13.10 and 14.04 LTS
- Noticed it breaks on rare occasion
- Multiple partitions, fs, mount points, ...
- Actually never requested the feature to Canonical/community nor searched if already requested
- Will probably not fix the above, pretty stable as is
- More features -> More complexity, potential bugs, ...
Restore privacy in Ubuntu
Since you are running scripts anyway...
wget -q -O - https://fixubuntu.com/fixubuntu.sh | bash- Each time you start typing in the Dash to open an application or search for a file on your computer, your search terms get sent to a variety of third parties, some of which advertise to you.
- Open the terminal and run this one-liner to disable the culprits
- Pretty sure no one expected a Linux distribution would spy on them
Thanks!
- Any questions?