linuxmint / mint20-beta

BETA Bug Squash Rush

Ubiquity needs support for fscrypt #29

Closed Redsandro closed 4 years ago

Redsandro commented 4 years ago

ecryptfs has been declared buggy, under-maintained, not fit for main anymore. The Ubuntu 18.04 release notes strongly recommended using fscrypt where home encryption was preferred over full disk encryption.

It was fair for Linux Mint 19 to use ecryptfs one more time, because fscrypt v2 kernel encryption policies depend on kernel 5.4 or newer.

Original issue reported here: https://github.com/linuxmint/linuxmint/issues/258


Linux Mint 19 proposes home encryption using eCryptfs, which hasn't been maintained for 4 years.

I've been manually replacing eCryptfs with fscrypt in Linux Mint 19 for encrypted homes. fscrypt is more memory-efficient, uses more up-to-date cryptography than eCryptfs, and it does not require setuid binaries.

fscrypt is ext4 native encryption, and now supports v2 kernel encryption policies, which depend on kernel 5.4.

It's time to replace the deprecated and unmaintained stacked old fuse-based ecryptfs with native fscrypt support, and bring encrypted homes back to modern times with Linux Mint 20.

I have previously suggested this for Ubuntu 20.04, but as we know, they have dropped home encryption and are now crusading for full disk encryption, but they did recommend fscrypt as a replacement as early as 2018.


:information_source: Please note that fscrypt in the Ubuntu 20.04 repositories is (currently) very old. See https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993

:information_source: See also: fscrypt on Archlinux Wiki
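The two hard requirements named above (a 5.4+ kernel for v2 policies, and an ext4 filesystem with native encryption available) can be checked before anyone touches a home directory. The script below is an added example, not code from this issue or from the fscrypt project; the function names are my own, the `tune2fs -l` output is a constructed sample, and the live `preflight` step assumes you pass the block device that holds /home and have root for `tune2fs`.

```shell
#!/bin/sh
# Added example: pre-flight checks for fscrypt on ext4.
# Function names are hypothetical; the tune2fs samples below are constructed.

# Return 0 if a kernel release string (as printed by `uname -r`) is 5.4 or newer,
# the minimum for fscrypt v2 encryption policies.
kernel_supports_v2_policies() {
    release="$1"
    major=$(printf '%s' "$release" | cut -d. -f1)
    # strip anything after the minor number, e.g. "4-rc1" -> "4"
    minor=$(printf '%s' "$release" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Read `tune2fs -l <device>` output on stdin and return 0 if the filesystem has
# the "encrypt" feature flag (the flag `tune2fs -O encrypt <device>` sets).
ext4_has_encrypt_feature() {
    grep '^Filesystem features:' | tr ' ' '\n' | grep -qx 'encrypt'
}

# Constructed samples of the relevant tune2fs line, one with and one without
# the encrypt flag; real output has many more lines, which grep ignores.
SAMPLE_WITH_ENCRYPT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg encrypt sparse_super large_file huge_file dir_nlink extra_isize metadata_csum'
SAMPLE_WITHOUT_ENCRYPT='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum'

# Live check against the running system: `preflight /dev/sdXn` (needs root for
# tune2fs). Prints one line per requirement and returns non-zero if any fails.
preflight() {
    dev="$1"; ok=0
    kernel=$(uname -r)
    if kernel_supports_v2_policies "$kernel"; then
        echo "kernel $kernel: fscrypt v2 policies supported"
    else
        echo "kernel $kernel: too old for v2 policies (need 5.4 or newer)"; ok=1
    fi
    # ext4 exposes its compiled-in features under /sys/fs/ext4/features/;
    # "encryption" is present only when the kernel was built with FS_ENCRYPTION.
    if [ -e /sys/fs/ext4/features/encryption ]; then
        echo "ext4 driver: built with encryption support"
    else
        echo "ext4 driver: no encryption support in this kernel build"; ok=1
    fi
    if tune2fs -l "$dev" | ext4_has_encrypt_feature; then
        echo "$dev: 'encrypt' feature enabled"
    else
        echo "$dev: 'encrypt' feature not set (tune2fs -O encrypt $dev enables it)"; ok=1
    fi
    return $ok
}

# Run the live check only when a device is given; otherwise the functions are
# just defined so they can be sourced or tested.
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Only the third check needs root; the first two can run as any user, which makes them cheap to put in front of an installer or a migration script before it offers fscrypt as an option.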

smurphos commented 4 years ago

It's a shame fscrypt is in the universe section of the focal repos - it's a bit dodgy relying on either of them when there's no guaranteed upstream support.

Redsandro commented 4 years ago

@smurphos commented:

It's a shame fscrypt is in the universe section of the focal repos - it's a bit dodgy relying on either of them when there's no guaranteed upstream support.

Currently, the universe package is old because this is no priority for Ubuntu since they went a different direction with security. Mint could package their own newer version, like Mint manages other packages. Or you could help by adding some heat ("this affects me too") here: https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1882993

fscrypt is actively used by Chrome OS and newer versions of Android because it's lightweight and performant. I don't think they will drop it soon.

Even if it was dropped, in its current state it's still an order of magnitude better than ecryptfs, which was dropped over 4 years ago and is more resource heavy.

But even if it was dropped, fscrypt only manages metadata and PAM integration. The encryption is native kernel code, so unlike ecryptfs, the encryption itself is already maintained in the kernel.

Pros:

:heavy_check_mark: More efficient, usually faster
:heavy_check_mark: Less resource-hungry, smaller (memory) footprint
:heavy_check_mark: Native encryption, maintained in kernel
:heavy_check_mark: No dependency on fuse or setuid
:heavy_check_mark: Up-to-date cryptography

Cons:

:x: Not compatible with older and deviant filesystems such as ext3 and zfs
    :white_check_mark: zfs has their own built-in encryption
:x: Not compatible with encrypted homes from previous Mint installations
    :white_check_mark: ubiquity could convert this during installation

clefebvre commented 4 years ago

Thanks, that's interesting. It's not something we'll change during the BETA though.

Another thing on the horizon is systemd shining in and maybe providing embedded solutions for home directory encryption as well.

We'll see.

Redsandro commented 4 years ago

@clefebvre commented:

Thanks, that's interesting. It's not something we'll change during the BETA though.

I don't have access to the ubiquity issue tracker. Would you be willing to move this to the proper location for consideration outside of the BETA scope?

clefebvre commented 4 years ago

Their bug tracker is on Launchpad at https://bugs.launchpad.net/ubuntu/+source/ubiquity. You can also get in touch with them by following https://wiki.ubuntu.com/Ubiquity.

clefebvre commented 4 years ago

On our side this is captured in trello for the upcoming releases.