
Thread: Firefox User Profiles No Longer work in encrypted folders or partitions??

  1. #11
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Quote Originally Posted by FuturePilot
    Reading this, and if I understand correctly--so the actual key is stored in the kernel keyring and the login passphrase is hashed. The actual key itself is very strong, but wouldn't everything in the end still depend on the strength of the user login passphrase? That's what is used to access the key.

    There's something else I don't understand (from your blog)

    http://blog.dustinkirkland.com/2008/...pted-home.html

    "It handles your password changing just fine. Basically, your login passphrase and your mount passphrase are two different entities. The mount passphrase is "wrapped" or encrypted using your login passphrase. When you login to the system, your login passphrase is then used to "unwrap" or decrypt your mount passphrase, and then perform the mount. If you change your login passphrase, pam_ecryptfs simply unwraps, and then re-wraps your mount passphrase. That way, we don't have to go through the excruciating process of re-encrypting every file."

    So what's to stop an attacker from walking up to your computer, and booting in recovery mode to a root shell and changing your login passphrase?

    http://www.psychocats.net/ubuntu/resetpassword

    Maybe I'm just not getting it. "Magic" is right, I've been using encryption for over a decade now, but this process is baffling.

    StewartM

  2. #12
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Quote Originally Posted by rookcifer
    That's the case for EncFS, but not for the better LUKS option. LUKS will do whole disk encryption, which means that, obviously, the password used will be different from that of the user account. (LUKS will also do container encryption if you need that).
    Is there a tutorial on creating LUKS containers? That is one of the options I'm pondering, to replace my Scramdisk containers with LUKS containers.

    LUKS is a better option for Linux than Truecrypt since Truecrypt was specifically written with Windows in mind. Truecrypt still cannot do WDE on Linux, plus TC has that weird home brew license.
    The Scramdisk developer, Hans-Ulrich Juettner, has been very diligent about issuing recompiled versions of Scramdisk shortly after being notified of a kernel breakage (usually within 1-2 days). I started using Scramdisk back in 2007 because I had used it in Windows in my pre-Linux days, and it seemed the best choice for a Linux box (back then there were "brew your own" encryption tutorials for Ubuntu and no official support). It has worked well up until this point, which has earned my loyalty, and it has incorporated new features like encrypted swap and a variety of hash and encryption algorithms.

    There is also a feature in Scramdisk that I like that has been missing from all other Linux encryption tools I've tried (from Seahorse to Cryptkeeper, etc)--and that is the "display passphrase" feature. I don't know about you, but I can and will use stronger passphrases when I can see what I'm typing and not some string of *****s. When you can see what you're typing, you can and will use passphrases 20 or 30 or more characters long which are resistant to dictionary attacks. When you get a string of *****s, you tend to stick to the 6-15 character strings that are more easily entered in and remembered.

    To me, that's an important point. I suppose there's a danger of someone setting up a mini-camera in your room to see you typing in your passphrase, but the real threat nowadays comes from hardware keyloggers--these have really come down in price. The real value of encryption has thus become that of protecting one's data from either the theft of one's computer or (in a civil or criminal proceeding) the seizure of it after-the-fact as kind of an afterthought. In the latter cases, the difference between trying to crack a 30-character passphrase and an 8-character passphrase is very real. OTOH, if an attacker suspects or wants something from you and has time to plan an attack, he will try to get access to your machine in your absence and install a hardware keylogger.

    Sorry for the rant, but it seems to me, at least, that only giving users strings of *****s offers no real protection and is actually a deterrent to better security practices.

    Hmm, well obviously if you trust someone enough to use your system you should trust them enough to decrypt it in order to use it. Or, if you prefer, you can create separate partitions and encrypt them with different passphrases. BTW, LUKS will allow 8 different passwords to be used for the same container. This is so that if someone should no longer need access you can delete their password without having to change your own. This is good in work environments where there might be turnover.
    Most of the users on my system use the guest account--I created one just for walk-up users, and didn't want to bother them with encryption (nor did I figure they would need it). I did have a regular user once but no more. I was also concerned about the increased difficulty I might experience during upgrades. And of course, there would be the additional work of having to do a clean installation. All these have deterred me from going that route, until now at least.

    StewartM

  3. #13
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Quote Originally Posted by bodhi.zazen
    If you use ecryptfs to encrypt your $HOME directory, by default, it uses your login to decrypt $HOME.

    BUT, you can not simply change a user's password as root or with a live CD and access the data, that is a misunderstanding on your part. Try it in a VM or a test installation and see for yourself.

    With ecryptfs a user has to change his or her password with the graphical tools or via the command line via an additional step. There are several pages on an encrypted home on Ubuntu if you wish.

    http://bodhizazen.net/Tutorials/Ecryptfs

    You can access the encrypted $HOME from a live CD, if you have the information you need:

    http://blog.dustinkirkland.com/2009/...home-from.html
    Thank you.

    It seems to me--and I was looking over Dustin's tutorial about migrating a non-encrypted /home/user directory to an encrypted one--why couldn't I:

    a) Create a new encrypted user account with Ecryptfs--/home/newuser;

    b) "Dump" all my data in my current encrypted Scramdisk containers under /home/olduser into cleartext data onto remote external hard drive;

    c) Use my sudo account to reset the ownership and privileges on the cleartext data on that external drive to the newuser account;

    d) copy the cleartext data into the relevant places in /home/newuser and set it up for the relevant programs. Now it is encrypted.

    e) Shred the cleartext data on the external drive;

    f) Delete the /home/olduser account (this would include the Scramdisk container volumes, no shredding necessary).

    Wouldn't that work?

    Hope that helps your understanding. I do not know the answer to your original question / problem with firefox.

    I have not used truecrypt in a while but my impression is that it is less and less compatible with Ubuntu over time, and your post re kernel and video problems reinforce that impression.
    The problem with Firefox is weird--all the other programs function normally. Looking at the Firefox help, the "profile is in use" usually indicates problems with lock or parentlock or sessions.js files or whatnot--not the problem here (as new profiles won't work either).

    It is possible, that since running in low-graphics mode is breaking my webcam in all programs but cheese, that it's affecting Flash, a plugin for firefox (it won't work in flash either). I can test that hypothesis today by booting into the latest kernel, creating a Cryptkeeper EncFS folder (or some other compatible encryption) and trying to create a profile there. If it works with the latest kernel but not with the earlier one it could be that it's all my graphics card problem.

    I'm looking at the wiki--and it does mention that you *DO* have to remember the mount passphrase if you want to access your data if the login one was changed (either by you or by an attacker). That's more understandable.

    I apologize to Dustin for my earlier misunderstanding.

    StewartM
    Last edited by StewartM; August 9th, 2010 at 02:15 PM.

  4. #14
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    You can move / encrypt your home directory without re-installing.

    You can not encrypt the entire system with LUKS without re-installing.

    Either way the general process of backing up and restoring your data would be the same.

    Personally I have been happy with LUKS (encrypt the entire system). I tend to encrypt only some data and not all of my home directory. cryptkeeper is a nice tool to maintain an encrypted directory.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  5. #15
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Quote Originally Posted by StewartM
    Reading this, and if I understand correctly--so the actual key is stored in the kernel keyring and the login passphrase is hashed. The actual key itself is very strong, but wouldn't everything in the end still depend on the strength of the user login passphrase? That's what is used to access the key.

    There's something else I don't understand (from your blog)

    http://blog.dustinkirkland.com/2008/...pted-home.html

    "It handles your password changing just fine. Basically, your login passphrase and your mount passphrase are two different entities. The mount passphrase is "wrapped" or encrypted using your login passphrase. When you login to the system, your login passphrase is then used to "unwrap" or decrypt your mount passphrase, and then perform the mount. If you change your login passphrase, pam_ecryptfs simply unwraps, and then re-wraps your mount passphrase. That way, we don't have to go through the excruciating process of re-encrypting every file."

    So what's to stop an attacker from walking up to your computer, and booting in recovery mode to a root shell and changing your login passphrase?

    http://www.psychocats.net/ubuntu/resetpassword

    Maybe I'm just not getting it. "Magic" is right, I've been using encryption for over a decade now, but this process is baffling.

    StewartM
    Dustin: I just wanted to follow up and tell you in doing more digging I had found this:

    http://blog.dustinkirkland.com/2009/...-2-factor.html

    "For obvious reasons, it's important that your login passphrase is strong. This is the passphrase that "guards" your wrapped-passphrase file, if your attacker has access to that too."

    So your login password should be strong enough to protect your wrapped passphrase file. That makes sense. Sorry to misunderstand, and thanks for all the advice.


    StewartM
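
The wrap, unwrap and re-wrap behaviour discussed in posts #13 and #15, as an added Python example that is not from the thread or from ecryptfs-utils. The function names and the PBKDF2 plus HMAC construction are stand-ins chosen to run on the standard library alone; they are not eCryptfs's actual algorithms or file format.

```python
import hashlib, hmac, os

def _keys(login: str, salt: bytes) -> bytes:
    # Stretch the login passphrase: 32 bytes to encrypt, 32 bytes to authenticate.
    return hashlib.pbkdf2_hmac("sha256", login.encode(), salt, 100_000, dklen=64)

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    stream = b"".join(hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(mount_passphrase: bytes, login: str) -> bytes:
    salt = os.urandom(16)                       # fresh salt for every wrap
    k = _keys(login, salt)
    ct = _xor_stream(k[:32], mount_passphrase)
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return salt + tag + ct                      # the "wrapped-passphrase" blob

def unwrap(blob: bytes, login: str) -> bytes:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    k = _keys(login, salt)
    expected = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong login passphrase: mount passphrase stays wrapped")
    return _xor_stream(k[:32], ct)

def rewrap(blob: bytes, old_login: str, new_login: str) -> bytes:
    # A normal password change: needs the OLD passphrase; no file is re-encrypted.
    return wrap(unwrap(blob, old_login), new_login)

def demo():
    mount = os.urandom(16).hex().encode()       # constructed random mount passphrase
    blob = wrap(mount, "old login passphrase")
    changed = rewrap(blob, "old login passphrase", "new login passphrase")
    change_ok = unwrap(changed, "new login passphrase") == mount
    # Root resets the login password from a recovery shell: the blob on disk is
    # untouched, and the password root chose cannot unwrap it.
    try:
        unwrap(blob, "password set by root")
        reset_opens_home = True
    except ValueError:
        reset_opens_home = False
    return change_ok, reset_opens_home

if __name__ == "__main__":
    print(demo())
```

The blob is only as strong as the login passphrase that wraps it, which is the point of the passage quoted in post #15.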

  6. #16
    Join Date
    Oct 2006
    Beans
    4,624
    Distro
    Kubuntu 16.10 Yakkety Yak

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    I'm not Dustin
    Blog | Ubuntu User #15350 | Zsh FTW | Ubuntu Security | Nothing to hide?
    AMD Phenom II X6 1075T @ 3GHz, Nvidia GTX 650, 8GB DDR3 RAM, 2 X 1TB, 1 X 3TB HDD
    Please don't request support via PM


  7. #17
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Quote Originally Posted by FuturePilot
    I'm not Dustin
    Ooops.

    My bad.

    I'm thinking that since I'm also having a problem with flash:

    http://ubuntuforums.org/showthread.php?t=1549477

    That this is a problem with firefox, or a problem with flash that is affecting firefox.

    Last night I downloaded and installed Truecrypt, which does work with the 2.6.32-24 generic kernel. It could open my container files just fine. But firefox could not create or access any profiles inside of them.

    When this machine was running 8.04, I had upgraded flash to the most recent version. Perhaps since it *was* the most recent version, Flash was not replaced during the upgrade and is not working properly? And perhaps that is causing other problems with firefox giving strange behaviors when creating user profiles?

    I could try removing firefox and flash and then re-install them. But I am thinking the best path forward now for both issues is to wipe the drive and take a step backwards to 9.10. In 9.10 (on my laptop) everything works. It might be that if I did a clean install of 10.04 instead of the upgrade (from 8.04) that this might fix these things too (but Scramdisk would still not work, not without degrading my video performance). With an everything-working system, I could also create an ecryptfs user account and start playing with that functionality and migrating things over to that to make the future upgrade to 10.04 less problematic.

    Doing a fresh install of 9.10 would also allow me to do one other thing, which is to partition my disk to have a separate /home directory, to simplify any potential problems with upgrades going bad.

    But what I would love to know is whether or not someone can take a non-encrypted user account in 10.04, create a Truecrypt partition with it, and then have Firefox create a user profile within that. That would tell me whether the problem is specific to my machine or is something generic to Ubuntu 10.04 and Firefox 3.6.8. Not having found anything in google, I suspect it's the former.

    StewartM
    Last edited by StewartM; August 10th, 2010 at 03:18 PM.

  8. #18
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    Well, well, well. It seems that completely removing the adobe flash plugin and removing firefox (using the --purge command) did solve the problem of not being able to direct firefox to use profiles in encrypted disk space. So I'll mark this thread solved.

    I have another question about ecryptfs, but I'll pose that in another thread. Thanks for the replies.

    StewartM

  9. #19
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    137
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    I'd just like to update this post with something I found after I posted. This post is thus to make this thread complete, so no one gets misled.

    With the 2.6.32-22 generic kernel, with the version 173 NVIDIA driver, everything works (except there is a problem with black screen hangups when switching between users, perhaps the reason that NVIDIA released a new driver on 8/02). Firefox can access user profiles as before.

    However, with the 2.6.32-24 generic kernel, using the newest version NVIDIA driver, firefox will NOT access user profiles inside encrypted space (other than the kind officially supported by Ubuntu)--just like the problem I had before. So it's a "feature" of the 2.6.32-24 kernel. Re-installing firefox, however, did fix my problem with flash on this kernel.

    Where do I file a bug report on this?

    StewartM

  10. #20
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Firefox User Profiles No Longer work in encrypted folders or partitions??

    To file a bug you need to create an account at bugs.launchpad.net/ and do a search to make sure your bug hasn't been reported already. If your bug hasn't, press Alt-F2 and type:

    Code:
    ubuntu-bug <packagename>
    where <packagename> is the name of the package you are reporting a bug against.
