2010-02-09

Three layers of encryption

Private sphere

The concept of a private sphere has been around for a while, at least since Heidegger, according to Wikipedia.
The private sphere is the complement or opposite to the public sphere. The private sphere is a certain sector of societal life in which an individual enjoys a degree of authority, unhampered by interventions from governmental or other institutions. Examples of the private sphere are family and home. Martin Heidegger argues that it is only in the private sphere that one can be one's authentic self.

In public-sphere theory, on the bourgeois model, the private sphere is that domain of one's life in which one works for himself. In that domain, people work, exchange goods, and maintain their families; it is therefore, in that sense, separate from the rest of society.
It seems like today's politicians are hellbent on removing any chance for citizens to have a private sphere on the net. This has bothered me quite a lot, and some time ago it struck me that I, as a software developer, had better start creating stuff instead of just whining. It seems like such a system can be built today out of standard components, and in this blog entry I will describe what I've done so far. I will build my system step by step. Let me know where I have gone wrong, and where things can be simpler.

Private or Pirate?

It doesn't matter how much we talk about privacy - our detractors will call it a system for piracy anyway. So, I registered the domain piratesphere.net so that I can define "pirate" to my liking, instead of being labeled by others. I haven't done anything with that domain just yet, but will one day. Any suggestions?

Hardware

I bought myself an Acer Aspire Revo 3610 computer. It has the new Intel Atom 330 processor (dual core) running at 1.6 GHz, 4 GB RAM and 500 GB disk. Most people use it to stream HD video to their TVs. I don't.

Ubuntu

I wanted it to have encryption from the start, so I downloaded the alternate Ubuntu 9.10 CD ISO image. Then I used the Ubuntu USB Startup Disk Creator program to burn it to a USB stick, since the Acer box has no CD or DVD drive, so instead I had to boot from USB. I stuck that USB drive into the Acer box, and hit F12 during the boot sequence, which let me boot from it, instead of from the HD.

It is probably possible to encrypt only some partitions of a disk, but I'm just not smart enough to do it. I selected encrypted LVM for the entire disk, which had the benefit of swiping the hated Windows 7 OS off my computer. This results in the installer asking you to type in a password for unlocking the encrypted disk. I picked a pretty complex password, and will never write it down anywhere. My head only.

Later in the installation process, I was asked if I also wanted to encrypt the home directory. Well, of course, as Sean Connery would have said. Ubuntu automatically unlocks the home directory when you log in.

This effectively puts two layers of encryption on the disk. First the disk itself is encrypted. If someone steals your computer, or if it is seized by the police, it will be as interesting to them as a stone. As long as you have a screen saver on, which can only be unlocked with a password, of course. Don't forget this step: System --> Preferences --> Screensaver. Check the "Lock screen when screensaver is active" checkbox! Oh, and pick a good password for your user, and it should be different from the password used to unlock the hard drive.

The second encryption level will make your files inaccessible, even if someone somehow manages to crack the hard disk encryption.
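
A quick way to check that the first two layers are really in place after the install. This is an added example, not part of the original post: the device names, the user alice and the sample data are constructed to resemble an encrypted-LVM install with an eCryptfs home, and the screensaver key assumes GNOME 2 as shipped with Ubuntu 9.10.

```shell
#!/bin/sh
# Layer 1: reads `blkid` output on stdin. Passes only if a LUKS container
# exists and no LVM physical volume sits directly on a raw partition.
# Older blkid builds report crypt_LUKS, newer ones crypto_LUKS.
disk_layer_ok() {
    awk '
        /TYPE="crypto?_LUKS"/ { luks = 1 }
        /TYPE="LVM2_member"/ && $1 !~ /^\/dev\/mapper\// { raw_pv = 1 }
        END { exit !(luks && !raw_pv) }'
}

# Layer 2: reads /proc/mounts on stdin; passes if $1 is an eCryptfs mount.
home_layer_ok() {
    awk -v home="$1" '$2 == home && $3 == "ecryptfs" { ok = 1 } END { exit !ok }'
}

# Prints mount points backed by a raw sdX/hdX partition (outside layer 1).
plaintext_mounts() {
    awk '$1 ~ /^\/dev\/(sd|hd)[a-z]+[0-9]+$/ { print $2 }'
}

# Constructed sample data, so the checks can be tried without touching a disk.
sample_blkid() {
    cat <<'EOF'
/dev/sda1: UUID="1111-constructed" TYPE="ext2"
/dev/sda5: UUID="2222-constructed" TYPE="crypto_LUKS"
/dev/mapper/sda5_crypt: UUID="3333-constructed" TYPE="LVM2_member"
/dev/mapper/revo-root: UUID="4444-constructed" TYPE="ext4"
/dev/mapper/revo-swap_1: UUID="5555-constructed" TYPE="swap"
EOF
}
sample_mounts() {
    cat <<'EOF'
/dev/mapper/revo-root / ext4 rw,errors=remount-ro 0 0
/dev/sda1 /boot ext2 rw 0 0
/home/alice/.Private /home/alice ecryptfs rw,ecryptfs_cipher=aes 0 0
EOF
}

# The same checks against the running system; call as: audit_live "$HOME"
audit_live() {
    sudo blkid | disk_layer_ok || echo "FAIL: no LUKS container, or LVM on a raw partition"
    home_layer_ok "$1" < /proc/mounts || echo "FAIL: $1 is not an eCryptfs mount"
    plaintext_mounts < /proc/mounts | sed 's/^/outside disk encryption: /'
    # The screen lock setting mentioned above; should print "true".
    gconftool-2 --get /apps/gnome-screensaver/lock_enabled
}
```

On the sample data the only mount point reported as outside the disk encryption is /boot, which sits on a plain partition so the machine can start before the disk password is typed.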

Snags

During the creation of the encrypted home directory, the installer hangs. According to some people on the net, this is because the installer is writing zeroes to the swap partition, which takes a long time. It appears this is only part of the reason, since the real problem appears to be that this copying of zeroes never ends. The solution is to kill that part of the installation.

Another problem is that both Firefox and the system itself may suffer from very slow net connections under IPv6. The solution to that problem was also simple. I chose solution number 3.

Wuala

Next step is to install Wuala. What it does is to let you store your files encrypted in the cloud - only you can get to these files! You need to install Java, portmap and nfs-common for this, so on this machine I did:
sudo apt-get install sun-java6-jre portmap nfs-common
Next step is to download Wuala, which is just a tar.gz file you unzip in your home directory. Then set the execute flag on the wuala and wualacmd scripts:
chmod 744 ~/wuala/wuala ~/wuala/wualacmd
Next, start that script right away:
cd ~/wuala
./wuala
It will now go on for a long time spitting out "%1", "%2"... for quite a few minutes. Don't despair! What it does is to also download updates. After a little while, finally, Wuala comes alive.

You will first be asked to log in with an existing account or create a new one. Don't use your own name in the user name, since that name can then be used to identify you when sharing files over the Wuala network. And you can't change your user name once your account is created.

Then a window appears, which is the main Wuala client where you can drag-and-drop the files you wish to save to the cloud. Initially you only have 1 GB of storage, but the second cool feature of Wuala is that you can trade with Wuala: Give away local storage on your hard drive, and get cloud storage back! So I opened the Wuala profile settings with User --> Edit My Profile... and shared 100 GB disk.

I'm sharing as much as I can, which means files from other Wuala users are saved encrypted to my disk, and as a reward I will get almost as much disk on the cloud where I can save my files. The amount of disk I get to use depends on how much of the day my computer is online. If it is online only 50% of the time, then only 50% of your traded local storage is given back as cloud storage. Read more about it on Wuala's website.

While you are poking around with Wuala settings, make sure you check the "Restart automatically after update" checkbox. Also, remember to NOT let Wuala remember your password.

Three layers of encryption

So, since all my files saved to the Wuala cloud are encrypted, with a key that never leaves my computer, I have three levels of encryption on my computer:
  1. Hard disk encryption
  2. Home directory encryption
  3. Wuala encryption
For all of these, I use unique passwords (yes, you get to type passwords a lot). This means that even if someone cracks the password to the disk, and even if that same person cracks the password to my user, that person doesn't get to see any of my files, because they're encrypted on the cloud!

Next steps

Next step, which I haven't fixed yet, is to install and setup OneSwarm. But for it to be useful, I need to make sure my Wuala directories are seamlessly mounted as normal directories, and I haven't fixed that just yet.

I'll let you know when that works.

Over and out.

4 comments:

  1. This is interesting, although a bit paranoid. How would you say Wuala compares to Dropbox? (Except for the security features, which I don't care so much about.)

    Trying to redefine "pirate" to mean something else than "someone breaking copyright laws" is like trying to redefine "murderer" as "someone who likes to watch cartoons"; an exercise in newspeak.

  2. Martin, I expected that reaction, but I think it is sad that you do it.

    Here is my reasoning: Stopping the spread of pirated copyright material (pirating) can only be stopped by draconian measures, worthy only of a totalitarian state. I find these measures totally unacceptable, and will side with the pirates until copyright holders get back their sanity and accept that the world is different now.

    Please note, I share not a single file with anyone else, but call myself a pirate anyway, since a private sphere (where pirating may take place (illegal or not illegal - it is a fact)) is essential to all, also for a working democracy.

    Wuala is more complicated, and doesn't yet have the integration slickness of Dropbox. But the ability to trade local disk to cloud storage is the way of the future, I think. I also believe Wuala will get better quickly, since it is owned by LaCie, which is a very big company manufacturing hard disks. Plus they're located in Switzerland, not the USA.

  3. You could use your private space for pirating, but as long as you don't, you are not a pirate. Would you call a knife a murder weapon, even when it is not used for that purpose? You are free to call yourself whatever you want, but trying to redefine words causes confusion.

  4. Well, from now on, nobody knows if I'm a pirate or not. But I see your point in not redefining words. That is often an issue close to my heart. Thanks for pointing that out!
