So I thought I’d resurrect my old Thinkpad and slap the latest and greatest Ubuntu distribution on it to see how it’s doing.
System: IBM Thinkpad T23
CPU: PIII/1GHz (speedsteps to 730MHz most of the time to conserve energy)
First attempt: Install using “desktop” installation CD. Stopped it because it doesn’t allow me to encrypt my filesystem during installation. Really, that should be the default nowadays, as the performance penalty on modern systems is negligible and it will make laptop theft a much less lucrative business.
Anyway, I had to get the not-so-aptly-named “alternate” installer – downloaded that one via BitTorrent and was impressed with the speed. What a fantastic protocol!
Used the menu-driven installer to create an encrypted filesystem on my 80GB ATA drive, which was very easy, but took ages. Surely, it shouldn’t need to write to the entire disk to begin with… just make sure whatever is written from then on, is encrypted on the fly. Not sure how cryptfs works, need to look into that (but surely smarter people than me are involved in this and they *must* have done it the TrueCrypt way – encrypt only existing data, offer option to securely wipe free space).
At the end of the installation was offered the chance to encrypt my home directory, which I took just for the heck of it. Very good one on Ubuntu, to offer encryption this way. Of course, I’d still rather encrypt the entire filesystem with a local-only password that is not exposed over any network services etc.
So after seeing how the encryption of my home directory works, I removed it, thinking it was slight overkill to encrypt my home directory on top of an encrypted filesystem. My hardware can barely cope with modern software, let alone two layers of encryption… Notice: uninstalling home directory encryption showed no noticeable speed increase. The machine is still slow, but usable.
Then comes some user account confusion. I want to have access to the root account, so I use Ubuntu’s way of getting a root shell ($sudo bash) and set a password for the root user. This results in slightly schizophrenic behaviour from the system whenever a “system change” is about to be authorized – sometimes it asks me for my regular user’s password (which, since I gave root a password fails – some funky Ubuntu magic must have removed my user account from the sudoers file, no matter, I re-authorise myself as a sudoer – and uses sudo to then run whatever it needs as root) and other times it’s honest and asks me for the root password. Bet this would all be extremely confusing for a new user. Of course a new user would not need to setup a root password, I hear you say. Perhaps you’re right.
Then comes the ugly realisation that my home directory is readable by the entire (local system) world. Whaddya mean drwxr-xr-x ? Is there *any* reason for this? How have GNU/Linux distributions done *without* world-readable home directories for ages? When a security-inhibiting decision is made on my behalf (that I cannot comprehend), I get frustrated.
Then comes software. Using the “Ubuntu Software Centre” I search for “truecrypt”, find only two graphical front-ends (“Easy Crypt” and “GDecrypt”), try installing “Easy Crypt” and am told that “This action would require the installation of packages from unauthenticated sources.” Oh my, I certainly wouldn’t want that, so I look into the “details” expandable box and I get the following useful information:
Yep, just that. One word. Fantastic. So I either have to Google for a workaround, or give this interface the toss and not bother. I decide to do the latter as I’ve already spent too much time troubleshooting why Skype 18.104.22.168-1ubuntu5 (which *is* available via the official Ubuntu repositories) crashes every time I have an incoming call. (I haven’t figured it out, by the way. I suspect the problems of the year 2000 are still with us in 2010, so it must be the sound server’s fault…)
Moving on, I explore Ubuntu One – a fantastic idea by any other name would be just as sweet – 2GB worth of online storage for stuff in your home directory. Great! Alas, it turns out it’s all stored unencrypted *unless* you use an encrypted home directory, which I just undid – argh! Why, oh why, does one need home directory encryption to enable online secure storage? This strongly hints that Canonical is taking the big vendor approach of providing one model in which everything works (mostly) fine and interoperates seamlessly, and you’re screwed if you choose a separate model (e.g. full disk encryption vs home directory encryption). But I’ll do it. I’ll re-encrypt my home directory because they have done it so easy that it’s really not rocket science, at least for an old Linux user like myself. For newbies, the advice is “stick to defaults and don’t you dare budge!” – which doesn’t ring like the Linux I knew.
In the mean time, I am rather impressed that a week has passed and there hasn’t been a single security vulnerability fixed and thus no notification to install critical security updates. So I check manually, and – oh la la! – there’s 41 of them! What happened there? Why no notification icon? Even default settings didn’t work in this case and I’m getting more and more pissed off as I lose trust in the system.