Kris S. Amundson's blog

Drive Encryption

November 5, 2008

At OpenSourcery we have a policy that all user workstations, be they laptops or desktops, must be fully encrypted.

With everything on disk under encryption, users are free to auto-login their desktop session, which allows us to continue to use one passphrase per bootup.

With this encryption in place, users are free to save passwords in browsers, store login credentials for email clients, and cache svn authentication; all this information is stored in the user's home directory and is part of the encrypted filesystem.

One major benefit of this system is I don't have to be pushy talking to users about what data is located where, and how confidential information is used locally on a device. Users don't need to know what is cached in /tmp, that ssh passphrases can exist in swap, or that they decrypted a gpg file locally and forgot to clean it up for a few weeks. This is on top of the obvious benefit that stolen equipment contains no useful data.

Recent versions of Ubuntu have provided an easy installation method for using LUKS (Linux Unified Key Setup). The catch is you need to download and use the Alt install CD. Select "Use LVM and encryption", provide your passphrase twice, and everything on disk will be encrypted (minus a small /boot partition, which holds no sensitive data and is used to get the kernel going to support LUKS).

A couple months ago I manually formatted an external USB drive with LUKS. This was to make a backup of my entire laptop prior to going on vacation (yes... I really need to ditch the laptop during vacations). After the rsync I put the drive under my desk and forgot about it.

All our important data is stored in svn repositories, so it's rare that I need to make a full backup of my laptop. Kicking the drive a couple times by accident reminded me I was due for another full backup.

Upon connecting the USB cable I was presented with a Gnome window detecting the LUKS configuration and asking for my passphrase. This was unexpected, and though I'm quite capable of hacking crypttab and using cryptsetup, plug-n-play disk encryption is quick and easy (this was under Ubuntu 8.04).
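A LUKS volume can be recognised on plug-in because it begins with a plaintext header; only the payload behind it is encrypted. The Python sketch below is an added example, not code from the original post or from the cryptsetup project: it parses the LUKS1 header layout (version 1 only, as an assumption about the format in use on Ubuntu 8.04) and reports the cipher, key size and which of the eight passphrase slots are active. The sample header is constructed for the demo, and `/dev/sdX` is a placeholder.

```python
import struct

# LUKS1 on-disk header (big-endian, 592 bytes in total):
# magic[6] version(u16) cipher[32] mode[32] hash[32] payload_offset(u32)
# key_bytes(u32) mk_digest[20] mk_salt[32] mk_iterations(u32) uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Eight key slots follow: active(u32) iterations(u32) salt[32] offset(u32) stripes(u32)
SLOT = struct.Struct(">II32sII")
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(data):
    """Return header metadata, or None if data is not a LUKS1 header."""
    if len(data) < PHDR.size + 8 * SLOT.size:
        return None
    (magic, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(data, 0)
    if magic != MAGIC or version != 1:
        return None
    active = [i for i in range(8)
              if SLOT.unpack_from(data, PHDR.size + i * SLOT.size)[0] == SLOT_ENABLED]
    return {"cipher": f"{_text(cipher)}-{_text(mode)}", "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_sector": payload_offset,
            "uuid": _text(uuid), "active_slots": active}

def build_sample_header():
    """Constructed LUKS1 header for the demo (not read from a real drive)."""
    hdr = PHDR.pack(MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                    bytes(20), bytes(32), 10,
                    b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED,
                  1000, bytes(32), 8 + i * 256, 4000)
        for i in range(8))
    return hdr + slots

if __name__ == "__main__":
    # For a real drive, read its first 592 bytes instead (needs read access),
    # e.g. open("/dev/sdX", "rb").read(592); /dev/sdX is a placeholder.
    print(parse_luks1_header(build_sample_header()))
```

The output shows what anyone holding the drive can read without the passphrase: the cipher, the UUID and how many passphrase slots are populated.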

Ubuntu 8.10 brings a new encryption feature during the Alt install (which I use 99% of the time over the standard desktop installer). EncFS is a new option during install that asks if you want your home directory to be encrypted. Instead of LUKS block-level encryption, EncFS is an abstraction layer for per-file encryption with views to hide the encrypted files. I will need to do some research on this method before I recommend its use, but it's good to see Ubuntu trying to incorporate security with user-friendliness.

With data becoming more important, and computing devices becoming smaller, no device should be running in unsecured environments without storage encryption.

Official LUKS Website
Useful Ubuntu/Debian HOWTO

Hawaiian Adventure

August 17, 2008

Since 2006 OpenSourcery has enjoyed working with a wonderful client: the Moloka'i Community Service Council, MCSC. I met Karen Holt, the executive director, in 2005 through PSU as we were working with EZ Wireless to help them design and implement a city-wide wireless network in Kaunakakai, Hawaii (island of Moloka'i).

In addition to helping them with their wifi networking, we also went in and overhauled their IT systems in 2006. Improvements included new Cisco switches replacing hubs, cleaning up DNS off their internal "local.com" Windows domain to djbdns, and a migration off Microsoft Exchange to Zimbra. Their local IT staff were also interested in learning Linux and the number of Ubuntu hosts has only gone up with plans to migrate off the Windows 2003 server for file and print sharing.

Back on the email front, Zimbra provides tools to migrate Outlook PST files on local storage, and connect directly to an Exchange server to scoop up mail and address books. Given Karen's 10GB mailbox, Outlook had to go and the migration tools worked as advertised.

Two years later Zimbra has gone through multiple upgrades and added many useful features. It has even survived an acquisition by Yahoo. This week completes a final migration to a dedicated server off VMware (due to increased usage), and an upgrade from 4.5.7 to 5.0.8.

MCSC helps the local community through programs including: an elementary and high school education program, educational scholarships, a mental illness center, a commercial kitchen, brownfield cleanup, at-risk family assistance, and the latest project: the Moloka'i Ranch Purchase.

The island of Moloka'i has the highest percentage of foreign land ownership in Hawaii. This ownership has put profits ahead of environmental and cultural sustainability.

MCSC is leading a new global campaign to purchase the ranch to begin restoration and preservation of Hawaii's last native lands.

More information can be found on their website: