This is a proposal for designing security on the desktop. This is in response to GNOME’s privacy fundraiser, and will hopefully provide some ideas for how parts of this can be accomplished without breaking the user experience.
For a single-user system, having a login screen just presents a barrier and a time delay; this is not good design. It is also common to allow friends etc. to use your laptop, but it should still be secure from their snooping while they use it. I hope we can agree then, that auto-login for a single-user system is a good idea, or at least agree that it is a common use case. Now, this obviously eliminates full-disk encryption and home-partition encryption, since either would still demand a passphrase at boot. Currently, there is little protection for an auto-login user, and I think it’s time to change this.
You’ll see how I’ve achieved a good level of security on my system by looking at the tutorial posts on this blog, and here I will analyse them and discuss what needs to be changed to provide a great design integrated into the system.
The first example we’ll look at is encrypting folders. It is likely that there are some files on your machine you don’t want other people to have access to. I’ve created what I can using a simple plugin for Nautilus, as described here. This extension allows a folder to be right-clicked and encrypted. When right-clicking an encrypted folder, it can be mounted. This uses the gnome-keyring to save a random password, allowing the folder to be mounted without question if the keyring has already been unlocked.
Things done right
- Using the keyring to automatically decrypt it.
- Simple, right-click menu item to encrypt a folder.
Things done wrong
- Opening an encrypted folder shows the encrypted contents.
- Mounting the folder places the decrypted contents in another folder using a different name.
What needs to be improved
The feature should be integrated into Nautilus so that when attempting to open an encrypted folder, it is automatically decrypted using the keyring, and it should be decrypted in place, so the decrypted contents are displayed in the same folder. In other words, if the keyring has been unlocked, an encrypted folder would appear and act exactly like a normal folder.
This would eliminate the right-click menu item to mount folders, and also reduce the right-click encrypt item to a simple confirmation dialog.
Other things to consider
What if a program tries to access the contents of the folder, or the user tries to access the folder through the command line? Could this be done at a lower level than Nautilus, so that the folder is mounted regardless of how it is accessed?
My other proposal is to have a simple way to encrypt applications. I’ve outlined the method I’ve used to encrypt Firefox here. This encrypts my Firefox data, and will only allow Firefox to start if my keyring is unlocked.
Things done right
The result is completely seamless, and is exactly the experience I want to achieve.
Things to be improved
The method to achieve this seems a little hacky, and could perhaps be improved.
Setting up the encryption does not have a nice interface. I would like to see a settings page which lists supported programs, and allows you to encrypt applications with a click of a button. There should be a way for programs to be added to this list automatically, by simply giving information on where sensitive user data is stored, in order to be encrypted.
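To make the two proposals above concrete, here is an added example that is not the plugin or the Firefox wrapper described in this post. It covers both the folder case (a random password generated once, stored in the keyring, and the plaintext view mounted over the folder itself, which is the "in place" behaviour asked for above) and the application case (the program is only started once its data folder has been mounted, so it refuses to run while the keyring is locked). It assumes the libsecret command-line tool `secret-tool` and `encfs` are installed; the keyring attribute names, the ciphertext directory layout and the table of application data directories are my own choices.

```python
"""Keyring-backed encrypted folders and an application launcher that
refuses to start until the folder is mounted.  Added example; assumes
`secret-tool` (libsecret) and `encfs` are installed."""
import os
import secrets
import subprocess

KEYRING_APP = "desktop-encfs"  # attribute value that tags our keyring entries (assumed)


def _run(cmd, stdin_data=None):
    """Run a command, feeding stdin_data (bytes) on standard input if given."""
    return subprocess.run(cmd, input=stdin_data, capture_output=True, check=False)


def keyring_lookup(folder, run=_run):
    """Return the folder's mount password, or None if there is no entry or the keyring stays locked."""
    r = run(["secret-tool", "lookup", "app", KEYRING_APP, "folder", folder])
    if r.returncode != 0 or not r.stdout:
        return None
    return r.stdout.decode().rstrip("\n")


def keyring_store(folder, password, run=_run):
    """Store the password; secret-tool reads it from stdin so it never appears in argv."""
    label = "Encrypted folder " + os.path.basename(folder.rstrip("/"))
    r = run(["secret-tool", "store", "--label", label, "app", KEYRING_APP, "folder", folder],
            stdin_data=password.encode())
    return r.returncode == 0


def cipher_dir_for(folder):
    """Ciphertext lives beside the folder under a hidden name (layout is my assumption)."""
    parent, name = os.path.split(folder.rstrip("/"))
    return os.path.join(parent, "." + name + ".encfs")


def encrypt_folder(folder, run=_run):
    """Create a new encfs volume mounted over `folder` (which must exist and be empty).

    The random password goes only to the keyring and to encfs's stdin (-S);
    the user is never asked for it, and it is never placed on a command line."""
    password = secrets.token_urlsafe(32)
    if not keyring_store(folder, password, run):
        return False
    r = run(["encfs", "-S", "--standard", cipher_dir_for(folder), folder],
            stdin_data=password.encode())
    return r.returncode == 0


def mount_folder(folder, run=_run):
    """Mount the plaintext view over the folder itself. Fails closed when the keyring is locked."""
    if os.path.ismount(folder):
        return True  # already mounted, nothing to do
    password = keyring_lookup(folder, run)
    if password is None:
        return False
    r = run(["encfs", "-S", cipher_dir_for(folder), folder], stdin_data=password.encode())
    return r.returncode == 0


def unmount_folder(folder, run=_run):
    """Unmount the plaintext view; no password is needed for this."""
    return run(["fusermount", "-u", folder]).returncode == 0


# Where each supported program keeps its sensitive data, relative to $HOME.
# Constructed table standing in for the "supported programs" list proposed above.
APP_DATA_DIRS = {
    "firefox": ".mozilla/firefox",
    "thunderbird": ".thunderbird",
}


def prepare_app_launch(app, home=None, run=_run):
    """Mount the app's data folder and return the argv to exec, or None if it may not start."""
    if app not in APP_DATA_DIRS:
        return None
    home = home or os.path.expanduser("~")
    folder = os.path.join(home, APP_DATA_DIRS[app])
    if not mount_folder(folder, run):
        return None  # keyring locked or no entry: do not start with the profile missing
    return [app]


if __name__ == "__main__":
    import sys
    argv = prepare_app_launch(sys.argv[1]) if len(sys.argv) > 1 else None
    if argv is None:
        sys.exit("data folder is not available; unlock the keyring first")
    os.execvp(argv[0], argv)
```

The `run` parameter exists so the command-building and fail-closed logic can be exercised without a keyring or FUSE present; in normal use it defaults to `subprocess.run`. The important property to check is that the password only ever travels over stdin: `secret-tool lookup` prints it, and `encfs -S` reads it, so it never shows up in `ps` output or shell history.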
Another thing I wanted to mention is that for an auto-login account like this, multi-keyring support needs to be improved.
For my laptop, I have a passwordless keyring to handle network authentication and anything else that should be used upon logging in without prompting me. I then have a normal keyring to handle the things I actually want to keep secure.
To improve this experience:
- In Seahorse, it should be possible to drag passwords between keyrings.
- When saving a new password to a keyring, it should give an option in the prompt to specify which keyring it is added to.
Hopefully this gives some ideas on how we can improve security without breaking the user experience. With these proposals, the user will only ever have to enter their password to unlock the keyring once per session; this is the only point where the security will be noticed in the daily use of the system.
This should also provide a modular approach to security, where the user can decide exactly what they want protected. For example, I have Firefox encrypted and a few folders. I am happy to lend my laptop to a friend, and they can browse the internet using Web, look through my Documents (which I have backed up, so meddling isn’t a real concern), or any other task that’s not blocked by security measures.