HOWTO: Prevent ureadahead from Caching eCryptfs Filesystem Contents
I leave this here for archival purposes; please see my next post for a working solution.
I've noticed this potential security hole for a while now. It may not be big or easy to break, but it could give a forensic analyst some tools to work with in order to break your filesystem encryption. If you've got samples of ciphertext and plaintext, it makes it that much easier to find the key!
The problem: In a default install, on boot, ureadahead watches file accesses from startup programs in order to pre-cache them for a speedier bootup. It has a run time of 45 seconds in the hopes that if you do not have autologin enabled it will stop running before you enter your password. Now, for quick typists or those with autologin enabled who have enabled the "Encrypted home folder" option during install (or moved over to an eCryptfs encrypted home folder), this poses a security risk. If your home directory is mounted prior to this 45-second run time, some portions of files and whole filenames are cached in a file for ureadahead. This undermines the expressed security of an eCryptfs filesystem.
The solution: The problem lies in the /etc/init/ureadahead-other.conf file.
Find the line that says:
start on mounted DEVICE=[/UL]* MOUNTPOINT=/?*
And replace it with:
start on mounted DEVICE=[/UL]* MOUNTPOINT=/?* TYPE=[!e][!c]*
Last edited by Githlar; March 7th, 2012 at 09:22 AM.
Better to remain silent and be thought a fool, than to speak and remove all doubt. - English Proverb
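Added example (not part of the original post): a check of which filesystem TYPE values the glob in the modified stanza accepts, assuming Upstart compares event variables with shell-style glob patterns, as the DEVICE and MOUNTPOINT patterns on the same line suggest. The list of filesystem types is constructed sample input, and the function names are hypothetical.

```shell
#!/bin/sh
# Evaluate the TYPE glob from the modified "start on" stanza against a set
# of filesystem type names, using the shell's own glob matching.
# Assumption: Upstart matches event variables with the same glob semantics.

# Returns 0 when the given type matches TYPE=[!e][!c]* (job would start).
type_matches() {
    case "$1" in
        [!e][!c]*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prints, space-separated, the types from the argument list for which the
# job would NOT start, i.e. mounts ureadahead-other would no longer profile.
skipped_types() {
    out=""
    for t in "$@"; do
        if ! type_matches "$t"; then
            out="${out:+$out }$t"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample input: common values of the TYPE variable.
SAMPLE_TYPES="ecryptfs ext3 ext4 vfat xfs btrfs ocfs2 tmpfs"

# shellcheck disable=SC2086  # word splitting of the sample list is intended
echo "skipped by the pattern: $(skipped_types $SAMPLE_TYPES)"
```

Each bracket expression consumes exactly one character, so the pattern rejects every type whose first letter is "e" (ext3 and ext4 as well as ecryptfs) and every type whose second letter is "c" (ocfs2), not only ecryptfs.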