Ivan Čukić

dr Ivan Čukić

Author of "Functional Programming in C++", KDE developer and Free/Libre software enthusiast

For inquiries about KDE projects (requesting features, submitting bugs, asking general questions etc.), you can use:

KDE Community Forum
Bug reporting site
#plasma IRC channel

You need to contact me directly?

KDE related:
ivan.cukic [at] kde.org

Non KDE related things:
ivan [at] this domain

IRC Network: libera.chat
Nick: ivan|home
Channel: #plasma

Projects

Blog categories

Functional Programming in C++

If you like C++, you might be interested in my book. It contains quite a few gems of modern C++ programming.

It is available for purchase at:

Patronage

Private (encrypted) activities

Published by Ivan Čukić in the KDE development: Plasma Vault section, on 19 May 2012

Some time ago I wrote about the possibility to make activities private, that is, to encrypt the files that relate to it. And, I wrote it will be available in KDE SC 4.9

In short, it will not. You’ll need to wait, or risk your data.

Status

Essentially, the encryption works. There are also some neat features like if your screensaver is started, the current activity (if marked as private) gets automatically locked. Only one activity is unlocked at a time - it is automatically locked when you switch to another activity. The files/documents you link to a private activity are automatically moved into the encrypted filesystem and removed from the original location. And so on…

So, what doesn’t work?

There’s no UI to set the activity as private (at least, not in the Plasma Desktop). And this is intentional. Security is not something that I take for granted. Anything related to privacy needs to be tested by us before we push it into the hands of ordinary users.

This means that the implementation is there, and is present in 4.9, but it is not available to you if you don’t plan to experiment and get your hands dirty.

What are the known issues?

The files on the encrypted partition are (without custom patches to kdelibs and co.) not treated any special by Nepomuk. This means that either (1) the files will be indexed as if they were public, (2) the will not be visible to nepomuk at all (which would render the /link to activity/ useless) or (3) the files will be in nepomuk without any sensitive data and without the possibility to be reindexed. This is not something that I’m satisfied with, and I’m considering it a big release blocker.

I want to try it anyway!

If you are sure that you want to use this feature now, and want to avoid the issues mentioned above, you can do the following:

# get the uuid of the current activity:
qdbus org.kde.ActivityManager /ActivityManager \
      CurrentActivity
# use that result in the following line:
qdbus org.kde.ActivityManager /ActivityManager \
      SetActivityEncrypted UUID-of-the-activity 1

You’ll be asked for the password to use for the encryption.

When this is done, the FUSE encfs system will be set up and you’ll be able to use it. But do use it directly - save files in the encrypted folder manually, delete them manually and so on. Do not /link files to a private activity/ don’t mark as private an activity that already has some files linked to it.

If you follow the above, you will not experience any nepomuk indexing related issues, while being able to keep sensitive data encrypted.

Edit:

KIO

Previously mentioned KIO slave is able to browse the private activities, so you have no need to know where the activity manager mounts the encrypted filesystem.

Comments:

hahaha
rofl. KDE is so uncoordinated and incrementally developed by its nature, that at some point somewhere, somebody's application is going to expose about your supposedly encrypted data to the outside world.
even if this works 100% full proof in plasma/kactivities/kwin/nepomuk (LOL) some day what about:
have you encrypted /tmp/kdecache-name? /var/tmp/kdecache-name? no? awww.
does gwenview not write thumbnails to ~/.thumbnails? awww
what about ~/.kde/share/{config,apps}?
has every single KDE kioslave been checked to not leak data to these or any other temporary areas? every kpart? every line of kdelibs for that matter? ever KDE code line everywhere?
and even if you snapped your fingers and made ALL of this happen today, guess what, tommorrow it won't be. why? because KDE can't even be coordinated enough to follow the HIG (human interface guidelines) as a whole for years, much less every new version.
the only way KDE encryption makes remotely any sense whatsoever is if it's a strictly adhered to project wide goal with dedicated security teams. and just what KDE needs would be time costly procedures with more manpower it doesn't have.
i'm not inherently criticizing KDE or anybody working on it for this reality, per se. it just is what it is. KDE the absolute best DE in existence as far as i'm concerned and i admire everyone working hard making it happen.
this is just initial reaction, if it comes off strong, i'm a skeptical person by nature, and my initial reaction is KDE project doesn't need to be anywhere near encryption layers; it's just a waste of time. but good luck anyone having fun working on this. and even more luck to anyone out of their mind enough to ending up using it!
:)
Ivan Čukić
The next time you try to write in a condescending tone, you'll be left without an answer. It doesn't come as 'strong', it comes as rude.
Before involving yourself into the KDE community, you ought to read the <a href="http://www.kde.org/code-of-conduct/" rel="nofollow">KDE Community Code of Conduct</a>
A security system is as strong as the person that is using it is knowledgeable.
This is not meant to provide an unbreakable system dedicated to CIA, KGB, etc. employees, it is here to provide an extra option for the common desktop user.
One of the use-cases is to provide an out-of-the-box fulfilment of the NDA contract clauses related to sensitive documents storage (aka "best to his [employee's] ability").
hahaha
Ok. Fair enough. I'm not used to the European mindset about these kinds of things. We are very forward and direct and especially cynical these days here in the US (notice Linus Toravalds has gotten worse since he got here, :)) It does come off very condescending and rude now that I read it from this different perspective (though I think it reads worse than it would have come out verbally) and so I deeply apologize for that! You're right I'm very new to KDE community and now well versed in the KDE Code of Conduct (though if we had our own Code here it would probably be more like one line and something like: Value your freedom at all costs. Ok good. Now you're ready. Go innovate! :)).
KDE is a marvelous work of art and everybody working on it and who has worked on it is brilliant as far as I'm concerned!
So I was just slightly confused by encryption layer being placed (and presumably will be maintained) inside a core desktop component, unless the plan is to implement it fully. Because to me, encyption and sensitive documents storage is also not a joke and so I think of all the times I've randomly checked my process tree and see multiple kioslaves, local and remote protocols just sitting there from many hours earlier or after an appication and checking the kuiserver to see them not being treated as idle slaves; they're just out there, not responding or just waiting for input that won't ever come. Or kded hangs or crashes, and applications with open dbus connections act just carry on as if nothing happened because it was always assumed they're supposed to work properly; connections are indefinitely broken or fail to reestablish for whatever reason, and the application slowly begins to break functionality. Or nepomukserver hangs and literally prevents applications depending on it from starting up. I just wondered since it can already take a number of seconds to switch activities once you start really using them, even on a good desktop multi core system: you know, if I were in the position of using encfs activity, is one of these stalls, hangs, crashes, ghost processses (maybe preventing encfs dismounts), broken communication channels, that is not accounted in the code going to end up leaving me check my mounts on an hour later and find oops, for whatever reason it was never dismounted like it was supposed to. Or oops, a process still has a plaintext copy dangling around who knows where on the filesystem or memory space accessible in some form by dbus. Or oops, the session management system between activity switches caused unsaved plaintext to be happily written by Random KPart in plain view under ~/.kde.
I was as careful as I could be but the entire underlying KDE subsystem wasn't written from the ground up with a security model or disaster case scenarios in mind and all these if-encrypted-data-be-prepared-for-almost-anything hooks that core components should have needed from the beginning (and few are caring to think about now because it's only meant to be a simple implementation). That's what I thought when I read this because it's more than just User Action at work here (or just as secure as the user is knowledgable). It's an entire dependence on components which, in a KDE incrementalism development model, can tend to break less than uncommonly, or at a minimum be pushed out with only incremental/reactive attention paid to real-world contengency scenarios, if for no other reason than that there simply are too many to fit into relatively short development cycles and in an environment where focus is often on User Interface primarily. (But again, brilliant people at work here; I'm sure if there was a dedicated security focus, KDE people could probably do as good a job as any other!)
I'm not one of these people who ever said KDE should be a desktop, and shouldn't do X or Y, semantic desktop, whatever. I just saw this post about what looked to me like implementing specific encryption hooks into a core desktop component and just reacted to myself for the first time "Whoa now, let's not get out of control here!"
But you've assured me this is just for some common desktop users who trust KDE as it is now to do that for them and employers who don't seem to mind, etc...and so.. I guess that's fine with me!
So you have a good day there across the pond my fine European friend! :)
Ivan Čukić
@<a href="#comment-27286" rel="nofollow">hahaha</a>: Heh, Linus is a completely another story. :)
I agree. Although Linux as an OS is considered secure, the desktops are not designed with the same mindset.
Most of the cache/lingering-process/... things are not a problem for when the system is rebooted (if the system is properly set) and pervious only to cold boot attacks.
When it comes to this, I guess the interested 3rd party (Mallice) would rather go for physical threats and broken bones than to try to actually break the system. :)
A running system is a different beast - it is vulnerable whatever you use and do.
That is another reason this isn't public yet - will need to make a really nice and long text about the added security and that it can not be counted on for full protection...

The reason encryption is in the activity manager is that the mount/unmount process needs to be able to stop activity switching if the unlocking fails (wrong password) and making a separate process and communicating everything through D-BUS or any other IPC would make the already quite complex system unbearable to maintain.
Iñaki
Mr(s) Hahaha, I find your points very valid (alas!, if Linux DE were quarter as secure -and stable- as the GNU/Linux OS...), but yes, most of (or as least a huge bunch) the KDE devs are from the germanic and slavic Europe, and it seems that the code of conduct in the KDE community is strongly influenced by that kind of sensibility more polite and respectful, but also more cold and false, so an extra dose of delicacy is needed when addressing them. I have noticed it several times in many comments: a slight ironic joke, a too direct (according to their sensibilities) criticism, etc, may provoke a «reprimand» in form of a defensive comment or just deleting what they consider «rude». It's nothing too normal either for a latin european like me, so don't blame your north american frankness; that's what there is: germans are ruling Europe decades ago, and that's noticeable in too many aspects, xD.
Cheers.
KDE SC 4.9: Erste Beta mit koordinierter Testphase | DailyInfo.info
[...] Aktivitäten zu verknüpfen. Einzelne Aktivitäten lassen sich zudem verschlüsseln. Der Entwickler Ivan Cukic schreibt dazu, dass die Funktion jedoch noch nicht ausgereift sei und so nur zu Testzwecken integriert [...]

Write a new comment...