Ivan Čukić

dr Ivan Čukić

Author of "Functional Programming in C++", KDE developer and Free/Libre software enthusiast

For inquiries about KDE projects (requesting features, submitting bugs, asking general questions etc.), you can use:

KDE Community Forum
Bug reporting site
#plasma IRC channel

You need to contact me directly?

KDE related:
ivan.cukic [at] kde.org

Non KDE related things:
ivan [at] this domain

IRC Network: libera.chat
Nick: ivan|home
Channel: #plasma

Projects

Blog categories

Functional Programming in C++

If you like C++, you might be interested in my book. It contains quite a few gems of modern C++ programming.

It is available for purchase at:

Patronage

Encryption in KDE SC

Published by Ivan Čukić in the KDE development: Plasma Vault section, on 8 January 2012

Security in activities

There is something that a few people here and there have been requesting - having some automatic (UI) way to create encrypted folders to keep their sensitive data in.

The thing I’m going to talk about today is exactly that - starting with KDE SC 4.9 you’ll be able to decide to encrypt specific activities. When you do that, you’ll get a ~/Activities/Something folder that is password protected and encrypted using fuse/encfs.

The encryption/decription process will be done automatically on activity switching.

For example, lets say you have two activities - Leisure and MI5 - with the latter being an encrypted activity. When you switch to the MI5 activity, you’ll be asked for its password and you’ll be able to access the data. When you switch back to the Leisure activity, the system for the previous one will be automatically unmounted.

Plasma Active Three

One of the reasons behind this new feature is PA3. You’ll have a portable device that can be stolen, that could be used by your children (while being single-user) for fun etc. and you don’t want some data to be visible to them.

In the case of PA, since there is no file manager and we don’t want to expose the file-system to the user, every document that you link to the activity will be automatically moved to the encrypted folder.

Drawbacks

There are a couple features that will stop working with encrypted activities - you will not be able to search encrypted documents by contents since the contents will not be indexed by nepomuk, and documents will not be able to belong to multiple activities if one of them is encrypted.

Comments:

Fri13
With all respect
I don't know exactly why but I start to dislike the whole idea of activities more and more in time when they are presented as "virtual magickal wonder" what fix everything while it all the time just looks it is very limited, makes peoples life harder and does not work well with real people and their needs.
Why not simply have a folder/image what is encrypted and decrypted when wanted with password? And when it is encrypted, people could just backup, send, shred or even move it as any other file?
Why it needs to be such that now to get a encrypted file A open, you need to change activity first and then open, copy file out of it to unsafe location (read other activity), edit it and then move it back to safe location (read back to original activity) and replace older version with it?
I want computer to do tasks for me, not other way around.
Activities seems to work well only for corporation people who have projects what takes 12-36 months or longer and they have enough time (read weeks/months) to prepare their activities and polish their work.
And some developers have this idea that virtual desktops should be like activities what people would swap and manage instead documents and people.
Most computer users does not do repeated tasks with their computers. They do not just use 1-3 applications from few directories and with few people. They need to have all data available from everywhere and all the time. When they get quick call or quick question, they should be possible open right away the file instead starting to browse activities first.
If person needs to create or open a encrypted file (directories are special files) middle of the meeting about other project, it should be possible without changing any activity ever.
Last 2 years many developers have tried many times explain to people activities. Instead that, they have created just confusion among people and frustration that they don't know anything about the "awesome" feature what has been said to exist/come.
This encryption/decryption feature needs to be added "Activity showcase" video what will show everyone step by step most possible situations how "Activities" makes life easier instead harder and does not try to replace virtual desktops.
uetsah
PS: It could be supplemented by a place in the activity settings, that show and allows to edit a list of all folders whose encryption/decryption is managed by the current Activity.
(Btw, I'm of course talking about the Desktop version here, for Plasma Active, using a single hard-coded folder should be fine.)
Ivan Čukić
@<a href="#comment-26636" rel="nofollow">Adam</a>: Agreed - every system is vulnerable, so this one will be as well. But we are hoping to avoid our errors and to make it difficult for the user to make errors which would have undesired effects.
Maybe flamebait was too strong word - it was regarding the 'plasma desktop deficiences' which are not the point of this post.
Kyriakos Brastianos
@Ivan the option of encryption on activities sounds awesome! Thats a realy great thing to see coming on PA. 2012 starts really nice for KDE SC as i see in the first week some of the most exciting things going on like the workspace strap, the evolution of dolphin with the options of alternative views like an image-view, music-view etc and ofcourse this one!
About workspace strap: http://akreuzkamp.de/2012/01/04/rethinking-virtual-desktops/ About Dolphin alternative views: http://ppenz.blogspot.com/2012/01/dolphin-20-status-update.html
Mark
Wouldn't it be possible to have a separate index for the encrypted activity which then would be only indexed and accesible while the activity is active?
Ivan Čukić
@<a href="#comment-26611" rel="nofollow">Mark</a>: Nope, all nepomuk data is in one place - not a distributed database.
And I don't want to develop a separate indexing system :)
uetsah
Integrating folder encryption with Activities sounds cool, but I *really* hate it when applications create non-hidden folders with hard-coded names in my home directory.
Wouldn't it be possible to find some other solution?
For example, don't automatically create any folder at all when an encryption-enabled activity is created, but instead add an "Encryption" tab to the dialog you get when right-clicking an arbitrary folder in Dolphin and choosing "Properties...", and in this tab allow choosing an existing encryption-enabled Activity to manage automatic encryption/decryption of this folder.
Adam
My point is simply that security is very hard to get right, even for those who are experienced in the field. This is why we see a constant stream of security bugs and updates, even for quality software like browsers and the kernel.
P.S. My comment was not intended as flamebait.
Links 9/1/2012: OLPC’s XO 3.0, Boot to Gecko (B2G) | Techrights
[...] Encryption in KDE SC [...]
smls
@Ivan Čukić
"It is a rather abstract concept that can be used however you like."
OK, fair enough.
Back on topic:
"But we are hoping to [...] make it difficult for the user to make errors which would have undesired effects."
Speaking about this, I was wondering, where do you plan to store the actual encrypted files (the "lower" directory) which will be EncFS-mounted onto ~/Activities/Something (the "upper" dir)?
The reason I ask is that, like Adam, I'm a little worried that unless the user understands exactly what's going on, it will be very easy for him to inadvertently screw things up, e.g. by...

- Accessing the "lower" files while they are mounted (dangerous).
- Accidentally modifying or overwriting the "lower" files in their encrypted state while not mounted.
- Accidentally creating new sensitive files in the "lower" dir instead of the mounted "upper" dir, with the wrong impression that they will now be encrypted.
- Accidentally deleting the .encfs5 control file in the "lower" dir, thereby forever loosing the ability to decrypt the files.
- Failing to backup the "lower" dir containing the encrypted files (in case the user doesn't know where to find it), during a backup routine that is run while the encrypted Activity is not open.
- Creating a mess with third-party incremental backup and restore tools, which see (and backup) different files based on whether the encrypted folder is currently mounted, and might restore the wrong files in the wrong situation.

This is all pretty much irrelevant on Plasma Active, where the file system is hidden from the user anyways, but on the desktop it's important to carefully think about where to put the "lower" and "upper" dir, and how to inform the user about what's going on, without being too technical.
I see three basic choices:
A) Hide the "lower" dir from the user by making it a hidden directory, e.g.:
- "lower" dir: ~/Activities/.${ACTIVITY_NAME}_private
- "upper" dir: ~/Activities/${ACTIVITY_NAME}

B) Hide the "lower" dir from the user by mounting the "upper" dir directly on top of it, e.g.:
- "lower" dir: ~/Activities/${ACTIVITY_NAME} (only accessible while not mounted)
- "upper" dir: ~/Activities/${ACTIVITY_NAME} (only accessible while mounted)
(Not sure whether this is possible with EncFS; it is with eCryptfs, though.)
C) Put the "lower" dir in plain sight in a way that will allow the user to understand what's going on, e.g.:
- "lower" dir: ~/Activities/${ACTIVITY_NAME}/encrypted_version_of_data
- "upper" dir: ~/Activities/${ACTIVITY_NAME}/data

All three have different advantages and disadvantages regarding the possible dangers I listed above. (Personally, I believe option (A) is the most dangerous if the user has no prior knowledge of how disk encryption works; Not sure which of (B) and (C) is best, though.)
Ivan Čukić » Encryption in KDE SC | Linux Blog
[...] get a ~/Activities/Something folder that is password protected and … Read the original here: Ivan Čukić » Encryption in KDE SC This entry was posted in Uncategorized and tagged encrypt-specific, kde, password-protected by [...]
Adam
This sounds like a dangerous idea to me. Security is hard to get right, as we all well know; UIs for managing security are also. The potential for confusion here is great; so is the potential for accidental leakage of private data, whether by software or by errors of a confused user. One obvious issue is using non-KDE software with this feature--seems like a nightmare to me.
I encourage KDE devs to not release such features until they are truly "done right" and are bulletproof. It's better to not offer a feature than to give users a false sense of security.
In the meantime, there are real shortcomings in KDE's basic desktop functionality that are languishing in neglect due to overburdened devs or the lack thereof. I feel a bit sad when I read about valuable developer time being invested into long-shot or theoretical or rewrite-from-scratch projects while basic stuff still needs attention. Yes, of course they're free to work on whatever they feel like--but since these folks already are invested in KDE development, it would be great if they first fixed up the platform's foundational elements, which could then grow the userbase and attract more devs.
Ivan Čukić
@<a href="#comment-26613" rel="nofollow">uetsah</a>: It might be possible to choose the folder. But I don't know whether it will be for the first release.
The dolphin idea is quite cool, but it would add a complex layer on top of this, and I'm not fond of adding complexities when the security is concerned. It needs to be thoroughly investigated first.
@<a href="#comment-26618" rel="nofollow">Fri13</a>: If you don't have a use for activities, don't use them.
Have no idea why would you copy a file from encrypted folder into unsafe location, edit it, and return it. Just edit it in the activity that it belongs to.
If you want to have a simple encrypted folder, create it manually. This provides security for activities.
@<a href="#comment-26622" rel="nofollow">Adam</a>: It is not like I woke up one morning and got an idea to implement encryption in a random fashion. Everything that is going to be done is being discussed by a few distinguished KDE developers, with previous knowledge of system security.
p.s. I'm not famous for picking up flame baits.
hoho
Is the folder only for file storage or does it store all the other activity releated files (like history, configs, wallpaper...)? And can Dolphin mount these folders with Activity password or something?
I this is yet another interesting feature for Activities that could make it more useful for many. I hope that KDE will get more security and encryption features in the future like easy way to create encrypted files and folders. All sensitive information like PIM data should be encrypted by default.
Fri13
@Ivan
"Have no idea why would you copy a file from encrypted folder into unsafe location, edit it, and return it. Just edit it in the activity that it belongs to."
Problem is, acticities does not work with normal user cases. People need to move and copy files from Acticities (I call Activities as "Projects" as it fits better and tells better way what it is) to others and do so while working same time with other projects. People do not want or shouldn't need to start, load, create or manage Activities at all.
Every file, every application, every bookmark or person should be available easily from any other place. Suggestions are always welcome and there "Last used files" or "Last opened applications" or suggesting receivers for new email is great. But forcing user to do multiple new tasks with Activities just to achieve a something other like encrypted file is too difficult. Even now the power management is forced to be done via Activities instead Power Plans.
There are files what needs to be encrypted. But what do not belong to single activity or the activity itself should not be encrpted or anything else. Forcing user to use Activities to store data safely (Yes, even that user can use thirdparty encryption tools, it is not answer for the problems of Activity).
Activities needs to be explained well and very deeply. Most use cases need to be shown why Activities would help them. Show how multitasking, quick tasking and information sharing gets easier with activities instead gives heavy micromanagement demands.
Even today, those who work with activities can not explain well what benefits users have with activities. It is very nice idea but so far no one have not shown how it really works and how it wins virtual desktops.
smls
@Fri13 "I call Activities as “Projects” as it fits better and tells better way what it is"
I disagree, Activities are *not* projects. Of course you *can* create an Activity for every project, but I doubt that makes sense unless your projects take a long time to complete and you only have a few of them.
Rather, think of a KDE Activity as an environment specifically optimized for a *type* of project/task/etc.
For example, I have a "Photography" activity, with Digikam pre-started and with desktop shortcuts and folderviews optimized for any kind of task or project related to organizing/editing/ panorama-stitching/sharing photos that I might want to do.
Similarly, I have a "Design" activity, which I use for *all* graphics design projects that I do, and again, the desktop environment within this Activity is specifically optimized for such use-cases.
If you think of Activities like this, the way that power profiles and encryption is now being connected to them makes a lot more sense.
For example, on a Laptop you might have a "Presentation" activity, which you use for *all* presentation-related tasks, like showing a Powerpoint presentation to your boss or watching a movie with friends. Naturally, you will want to optimize the desktop environment within this Activity specifically for presentation purposes, and one such optimization would be to use per-activity power management to make sure that the screen will never turn off or go into screensaver mode while this activity is active.
Ivan Čukić
@<a href="#comment-26624" rel="nofollow">hoho</a>: Only files ATM, the other parts of the activity will just be locked.
As for PIM and encryption, you'll have to talk about that with PIM people. Though, I guess the answer might be to send and receive mails encrypted with gpg or something.
@<a href="#comment-26625" rel="nofollow">Fri13</a>: As shor as I can: This is about activity encryption. If you don't use activities (and I really don't agree with anything you wrote regarding them) you can't use *this* feature.
If you need to keep only some files encrypted, use a separate tool for that.
@<a href="#comment-26626" rel="nofollow">smls</a>: Well, I can't say what activities *are* - a project, a type of project, a rare purple labrador retriever or similar. It is a rather abstract concept that can be used however you like.
For me, it is closer to a project when programming is concerned (I like keeping development stuff separate), but is in some sense a type of a project when artwork is concerned (have only one artwork activity).
In some sense, they are like folders - you can store every document in one folder (the usual for most win users - the Desktop :) ) or you can separate into a few, or into a few dozens. (I'm in the last category)
Ivan Čukić
@<a href="#comment-26639" rel="nofollow">smls</a>: The actual layout of folders is not yet finalised. Currently, there are a few crypt-* directories, and one Current directory where the current one is mounted, since there can be only one current activity.
This is a particularly interesting topic because on one hand, I want to keep this stuff pleasant to use - so not many strangely named folders visible to the user (activity folders are named after their UUIDs, not names since those can change, and syncing those would be a fun thing that would eventually flood bugs.kde.org). And on the other hand, it should somehow be explained to the user "don't touch this".
One more possibility (IMO) is to have Activities/blahblah Activities/encrypted-data/crypt-blahblah
Not sure whether to make the encrypted-data folder hidden or not.
As far as accidental actions on the 'lower' files are concerned, there is not much that can be done simply because if the user goes 'oh, lets edit this file named inoTaRuy45vSR, seems like fun' he will at some point in time do a rm -fr / as well.
So, I'm not bothered with that kind of things.
smls
@Ivan Čukić
"there can be only one current activity."
Ah, right, I didn't read the blog post carefully enough. You intend to mount/unmount the encrypted files each time on switching to/from an encrypted activity, not only while starting/stopping the activity.
So it is intended behavior that if the user opens a decrypted file with some application in an encrypted Activity, and then switches to another Activity, the application will still run in the background but the file will disappear, potentially causing trouble (for example if the application continues to write autosaves), correct?
"As far as accidental actions on the ‘lower’ files are concerned, there is not much that can be done"
Well, yes, that the user would actively edit the encrypted version of a file is unlikely, but that the user accidentally looses data during a backup (because he does not know it exists, or where to find it), or that he thinks "Hm, a folder called 'encrypted-data', that sounds like the right place to store a document if I want it to be automatically encrypted", is quite a real possibility.
Also remember that common sense will prevent most *users* from manually messing with a file called "inoTaRuy45vSR", but it won't prevent third-party *applications* from doing so.
maninalift
This all seems both cool and useful but I'm a little unclear. What I have written below comes out sounding like a criticism, it is not meant as such. I mean to enquire in all humility, since you are the expert here and the one putting in your time.
How do I access these files? Does the encrypted store mirror my home folder or is it just one big folder? I prefer to let the computer search for documents rather than do it myself but you say they can't be fully indexed, which brings me to:
If the activity is encrypted then not only should the file contents not be indexed in the "public" store but no metadata about it should be either. The only way it seems to me to deliver the functionality and the security is if the Nepomuk database could incorporate encryption/security.
Otherwise for security all nepomuk indexing should be turned off. Storing _some_ data about a file compromises both the security and the functionality.
Ivan Čukić
@<a href="#comment-26641" rel="nofollow">smls</a>: As I said, stopping things like 3rd party apps from doing nasties is impossible, at least from the encryption point of view. That should be done on system-level by some kind of sandboxing, which is not my concern at the moment.
I guess selinux could be easily set up to allow only fuse/encfs to touch the "lower" files.
As for the issue of being able to leave an application with a file open in some activity, and the problems it can produce later - I wouldn't be game for solving that simply because I think the security is more important than user-friendliness.
This is one feature where we will have to /force/ the user to read the instructions before first activation to learn how all that is functioning, what are dos and don'ts and stuff.
If the user doesn't know how to behave in a secure environment, then the environment can't be secure.
@<a href="#comment-26643" rel="nofollow">maninalift</a>: Yes, that is something that is on my mind and am trying to think of a best way to solve it. So far, since PA depends on it, we have to keep some bare data about the files - name and type, but I really don't like it.
I see two possible solutions: 1 - Remove everything from nepomuk, and change PA data models to load the files manually in encrypted activities - from the encrypted folder. 2 - Make nepomuk distributed and able to work from multiple separate databases at the same time, and keep the activity database encrypted. 3 - Use nepomuk to store encrypted names and other meta-data so that those are unreadable if the system doesn't have the key.
The second is more clean, but I'm afraid, not possible to be done in an easy way. While the first would certainly break stuff that we currently depend on.
The third option is my favourite at this moment - it could break some things, but it is the cleanest of them all.
Fri13
@Ivan
In short words, this encryption does not make sense at all.
Let me quote:
"There is something that a few people here and there have been requesting – having some automatic (UI) way to create encrypted folders to keep their sensitive data in."
People wants a folder, where to store data and it is encrypted with password and it is avalable everywhere as long you know the password.
That folder needs to be accessible from any virtual desktop, any application OR any activity. And it would be as long as it is done with wise manner with PGP (it is not about encryption algorithms or technic, but the usability how you can use that encrypted data!)
But what is now going to be done:
"he thing I’m going to talk about today is exactly that – starting with KDE SC 4.9 you’ll be able to decide to encrypt specific activities. When you do that, you’ll get a ~/Activities/Something folder that is password protected and encrypted using fuse/encfs."
That is totally different thing. As I said, and you disagree, is that people need to edit data in other activities and other projects and with other applications and on other virtual desktops.
Forcing user to edit that encrypted data on that specific activity does not work any other way than in dreams that people have hundreds of different activities what they manage. Because that encryption is tied to specific activity, they can not edit the data or share the data to other applications any smart way in manners what people want. And that is that people can move the encrypted folder to USB stick and stick it to other computer or give it to someone else.

KDE developers has this "vision" (what is very unclear for many, if not most, KDE fans) where activities are used as virtual desktops and task manager.
It just has started to look like not even KDE devs are ready to admit that activities are broken by the architecture.
For normal user who needs to have data encrypted and still available to be used, can not use activities or activities encryption. But they need to find out a third party application what does them what they want, a encrypted folder what is opened with password and after closing the folder, they can handle it as any other normal folder.
smls
@Fri13
"People wants a folder, where to store data and it is encrypted with password and it is avalable everywhere as long you know the password.
That folder needs to be accessible from any virtual desktop, any application OR any activity."
That functionality already exists, it's called KGpg, which is shipped with with KDE by default and even makes an "Actions > Archive & Encrypt Folder" menu entry appear by default in the context menu you get when right-clicking a folder in Dolphin.
What's wrong with *also* adding functionality that allows having a special encrypted folder conveniently be decrypted by switching to its Activity, and decrypted by leaving it?
There has to be *some* action that triggers the opening and closing of an encrypted container. What exactly do you imagine this action to look like, in order to comply with your demand of "avalable everywhere"?
Switching Activities is a pretty convenient action that's always available to the user. How exactly does switching Activity mean that the user "can not edit the data or share the data to other applications"? Every application can be started in every Activity, and even an application that's already running can easily be sent to another Activity or set to be shown in all Activities.
PING #02: Canonical, AfterShot Pro, Kernel, Firefox, KDE, Vim, Android, C, Red Eclipse, Ubuntu One, Mageia
[...] Encryption in KDE SC. O lo que es lo mismo, con KDE 4.9 llegará el cifrado de Actividades… Muy interesante la información que nos adelanta Ivan Čukić en su blog. [...]
oracle2b
As one of the people who requested such a feature I'd like tp express my gratitude for this features implementation. Thank you so much. I was accustomed to using an application called dexpot on windows to get the type of protected alternate desktop you described and missed it when I started using KDE full-time.
http://forum.kde.org/brainstorm.php#idea93812_page1
Ivan Čukić » Brainstorms for the activities in the desktop plasma needed
[...] Encryption in KDE SC May 10 2012 [...]
Ivan Čukić » Private (encrypted) activities
[...] time ago I wrote about the possibility to make activities private, that is, to encrypt the files that relate to it. [...]

Write a new comment...