Five years ago (I’m completely shocked how the time flies), we were working on Plasma Active, and one of the ideas was to allow the user to create private activities in which all the data would be encrypted.
Now, while the idea itself was solid, there were big problems with its realization. There was no way to force applications to separate the configuration and other data based on whether the user is in the encrypted activity or not. Especially since the same application can run in multiple activities.
For those reasons, the idea was abandoned. I didn’t like the fact that I spent a lot of time on it just for it to be thrown away, so encryption always stayed in my mind.
Enter Plasma Vaults
If the idea to have activities encrypted can not work because of the things not controllable by us, then we need to do something more obvious and transparent, so that the user can know exactly which data is secure, and which not.
Instead of having something as abstract as an activity encrypted, Plasma Vaults will allow you to create encrypted directories.
Sometimes we want to keep specific documents private. Sometimes we are actually forced to do so (I’ve seen enough work contracts that force you to keep the job-related data as secure as you know how to). And sometimes we have to share our computer with others while keeping our data completely private.
Plasma Vaults allow you to easily create and manage EncFS encrypted directories (other encryption systems might be supported in the future).
The vault creation dialogue will need more work. While most of the text in it is important, we’ll need to think of something to make it less daunting to look at.
One of the things that did not survive from the original concept is that the encrypted drive is tightly bound to an activity.
But still, that does not mean there can not be a connection between them. The vaults are usually related to the projects that we work on, and one of the main use-cases of activities is the project handling.
So, for each vault, you can choose which activities it should be available on. It will not be automatically unlocked when you enter said activities, but it will be automatically closed when you exit them.
This might be a bit annoying if you often switch between activities, but I’d always put security above convenience.
Currently, the UI is not as polished as it should be. Some of the problems are in the Plasma Vault code itself, but some are in the KF5 widgets.
This is not the only way to keep your data private. Lately, most Linux installers allow you to create an encrypted home partition, or to encrypt the whole system including the swap.
But these cover a different use-case. They cover the case when your device gets lost while turned off.
They do not cover the possibility that someone might access your system while it is running. Plasma Vaults fill this void by making the attack surface smaller – instead of having all data unlocked at once, you can do it piece by piece – it is more granular.
This does not mean that using only Plasma Vaults will make your data more secure than encrypting the whole system, it just covers a different set of possible attacks. It is probably worth it to combine both if you are doing really secret work.