Modular encryption support




This is a follow-up to the previous thread on gnome-os-list; I'm also
posting this one to nautilus-list.

There is currently a fundraiser for improved security in GNOME
(http://www.gnome.org/friends/). One thing I'd like to see is good
encryption support. For the moment, I'm going to focus on one specific
feature, modular encryption.

The problem with full disk/home encryption is that it can't be used by
people who auto-login. It shouldn't be necessary to login every time you
use the computer, or to allow a friend to quickly look something up on
the internet. But, at the same time, you shouldn't have to sacrifice
security.

My solution to one part of the puzzle is to allow encrypting individual
folders. Previously, there was no easy, GNOME-like way to do this.

I've updated my previous Nautilus extension, so this is no longer the
case. Encrypting folders is a simple matter of right-clicking a folder
and selecting encrypt. Mounting the folder is as simple as opening the
folder.

This works with auto-login users, as the encryption password is stored
in the keyring, so if it is still locked, it will try to unlock before
it can mount the folder. If the keyring is already unlocked, it is
exactly the same as opening a normal folder (albeit, with a slight lag).

If you've managed to read this far, then I'd like some feedback on
whether you think this is a good feature that is worth working on
further integration. And, as an extension of that, if this might make a
good GSoC project that I could work on.

Here is a list of things that need to be considered:
        To meet the rest of these criteria, this probably needs to be
        integrated into Nautilus properly, rather than as an extension.

        If this is integrated into Nautilus, I'm guessing encfs should
        be an optional package, in which case we need to make sure the
        encryption option is not visible when encfs is not installed.
        
        The encryption password should be linked to the encfs key,
        rather than the folder location (to provide flexibility with
        moving folders).
        
        Using libsecret can remove the dependency on gnome-encfs, and
        will probably be needed for the previous point.
        
        If moving/renaming a folder in Nautilus, the encrypted
        counterpart should also be moved/renamed. Otherwise, the user
        will no longer be able to mount it.
        
        An option to revert an encryption should be added, so it is
        reversible.
        
        Possibly, some kind of emblem could be added to the folder to
        indicate it is encrypted. Something like a padlock, but would
        need to be visually distinct from the read-only one.
        
        The folder, before mounting, is empty. It might be an idea to
        hack the display of size to be the size of the encrypted folder.
        Otherwise, all non-mounted folders display "0 items".
        
        The implementation needs to copy items back to the original
        folder and present an error message if the encryption process
        fails. At the moment, the files would be dumped somewhere
        in /tmp.
        
Hopefully, that about covers everything. If there's anything else that
needs to be considered, please mention it.

Link to current extension implementation:
http://blog.sambull.org/easily-encrypt-folders-2

Thank you for your time,
Sam Bull
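
The point above about linking the password to the encfs key rather than the folder location, as an added example that is not part of the original message or the extension's code. It assumes the volume's `.encfs6.xml` carries `encodedKeyData` and `saltData` elements; `volume_id`, the `Keyring` class (an in-memory stand-in for a libsecret collection), the attribute names, the paths and the sample config are all hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the two fields used here; values are made up.
SAMPLE_ENCFS6_XML = """<boost_serialization signature="serialization::archive" version="7">
  <cfg class_id="0" tracking_level="0" version="20">
    <encodedKeyData>
AAAAconstructedWrappedKeyAAAA=
</encodedKeyData>
    <saltData>
BBBBconstructedSaltBBBB=
</saltData>
  </cfg>
</boost_serialization>"""


def volume_id(config_xml):
    """Return a stable id for an encfs volume from its .encfs6.xml text."""
    cfg = ET.fromstring(config_xml).find("cfg")
    if cfg is None:
        raise ValueError("not an encfs config: missing <cfg>")
    parts = []
    for tag in ("encodedKeyData", "saltData"):
        text = cfg.findtext(tag)
        if not text or not text.strip():
            raise ValueError("encfs config has no <%s>" % tag)
        # Drop whitespace so re-indenting the file does not change the id.
        parts.append("".join(text.split()))
    return hashlib.sha256("\n".join(parts).encode("ascii")).hexdigest()


class Keyring:
    """In-memory stand-in for a libsecret collection: attributes -> secret."""

    def __init__(self):
        self._items = {}

    def store(self, secret, **attrs):
        self._items[frozenset(attrs.items())] = secret

    def lookup(self, **attrs):
        return self._items.get(frozenset(attrs.items()))


def demo():
    ring = Keyring()
    ring.store("pw-by-path", path="/home/user/Private")
    ring.store("pw-by-key", encfs_volume=volume_id(SAMPLE_ENCFS6_XML))
    # After the folder is moved, only the key-based lookup still matches.
    by_path = ring.lookup(path="/home/user/Documents/Private")
    by_key = ring.lookup(encfs_volume=volume_id(SAMPLE_ENCFS6_XML))
    return by_path, by_key
```

The id is a hash of data that already sits unencrypted next to the ciphertext, so using it as a lookup attribute exposes nothing new. Changing the volume password rewrites the wrapped key, so the keyring entry has to be stored again under the new id.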
