Functional Programming in C++

Plasma Vault is evolving

Published by Ivan Čukić in the KDE development: Plasma Vault section, on 10 February 2017

While the rest of the Plasma team is sprinting in Germany, I’m unfortunately tied down to my chair at home and trying to sprint as well.

Backends

The main work I’ve been doing since I announced Plasma Vaults was to refactor the hell out of the Vaults infrastructure to allow me to support more encryption engines.

I’ll blog about some of the more fun parts of this refactor later.

The main reason why I am mentioning this now is that we now have two different choices for Vault encryption.

The first is (as previously mentioned) EncFS, and the newly added one is the young but promissing CryFS.

CryFS is a more modern system that tries not to repeat the same errors that EncFS (and eCryptFs) have. It does not expose the number of files, directory organization, nor sizes of the files stored in the system, while not having any significant known drawbacks.

One thing that I’d like to say here is that the important word in the above sentence is known.

It is true that EncFS has known security issues thanks to the independent security audit by Taylor Hornby, so you know that it is not safe in certain use-cases.

But its huge advantage is that you know what its problems are. For the newer systems like CryFS, there is no known independent security audits (if you find one, please notify me).

This means that, at this point, the choice is between a known system with known faults that you will most likely be safe with if you use it correctly, and a new system that does not have those faults, but its faults are unknown.

I’m investigating a few systems more (including eCryptFs), but I’ll write about them when they get supported by Plasma Vaults.

A bit on the UI

I’ve also been polishing the UI a bit.

Instead of having a huge dialogue, the vault creation is now in a nice-looking wizard. I’m not a fan of wizards, but in this case it is a much better choice.

Apart from not looking as cluttered as the previous one, it also allows different backends to have different options (like choosing the cypher in CryFS).

Fun with icons

Alex has made a few nice icons for this, and now I’m experimenting how can I use them to improve the user experience.

One of the things I’m trying out is to set the default icon for the vault folder, so that, when you open the Vault, its folder’s icon changes to notify you that that its contents is encrypted.

jess
thanks for your work on enabling encrypted data storage in a user friendly way - for privacy this should really be included in the default desktop environment these days!

now that you made the encryption engine pluggable, what do you think about the 'old fashioned' encrypted container approach using block devices and plain cryptsetup/luks? compared to encFS this has some drawbacks (mainly having to allocate the size of the container in advance) but it is much more accessable to users when it comes to backup/copying encrypted vaults - I set up linux notebooks for people coming from windows quite often (mostly with KDE ;) and encrypted containers with a simple gui like this one https://github.com/jas-per/luckyLUKS have been a great replacement for those accustomed to TrueCrypt on windows

thanks, jess
Ivan Čukić
I was investigating the Tomb project for the 'old fashioned' encrypted container support. The main issue is that these require sudo privileges. If you don't set the NOPASSWD in the /etc/sudoers, the system would need to ask for the password when closing the vault which is (as far as I'm concerned) a security problem. I want vaults to be automatically closed on a number of occasions -- screen locking, activity switching, etc.

I do think this is a mandatory feature, so I'll need to devise a way to manage it. I don't know whether I'll find the solution for the first release.
Mikhail Rudenko
Hi Ivan!
First of all, thank you for your great work! I've always been too lazy to play those cryptsetup games, and now thanks to plasma-vaults file encryption became inevitable part of my everyday workflow. I'd like to point out a minor issue with p-v: its icon is almost indistinguishable from that of kgpg, at least in breeze-dark icon theme (https://ibb.co/bU0EZ5 ; solid lock is p-v, transparent one is kgpg). I believe VDG should come up with a better icon, and it'll hardly take them more than 10 minutes to complete this task.

From Russia with love,
Mikhail
Ivan Čukić
I agree about the icon. Will see whether we can get a saner one :)
Gokul
No words to thank you enough for the great thing you got us. A quick question, is there a size limit to the amount of data you can put in these encrypted directories/vaults? Just for testing I put about 10+ gb of data in one of my encrypted vaults and now it just does not mount. Is this a bug or something I am doing wrong?
Ivan Čukić
@Gokul

There shouldn't be a limit as long as cryfs/encfs do not impose a limit. Only if you don't have enough space on your $HOME
KDE Plasma 5.11 Beta mit VerschlÃ¼sselung | linuxnews.de linuxnews.de
[...] Plasma-Vault zieht als neue Anwendung zur VerschlÃ¼sselung von Daten in Plasma 5.11 ein.[...]