Encryption Key Backup & Recovery UX
Backup
In the homed paradigm it is incredibly important for the recovery key of the system to be backed up, or saved by the system administrator. A secondary priority is having users also save their own recovery key.
System Key
At some point before user data is populated on the system, GNOME Initial Setup needs to present the system's recovery key to the initial administrator during the encryption phase.
- this is significantly more important than the user key, since without it you could be locked out permanently; that needs to be stressed in the UI
User Key
Users' data gets encrypted when they set up their user account and provide a password. At this stage it is important that they are presented with their recovery key as well and prompted to either write it down, save it to a file, or save it to another device for use in recovery. It will be important to instill some good habits for saving the recovery key here.
- being cognizant that users may not be inclined to the best security habits
- "write it on a piece of paper" is insufficient
- per-user keys need to be managed
Recovery
Equally important is the recovery process.
System Recovery
Due to some external change, the main system may need to be decrypted manually at boot time. This can happen as easily as the TPM state changing in a dual-boot situation, when the other operating system makes a firmware change, so the disk has to be unlocked with the recovery key once again on boot. In this case we need the user to have backed up their key externally so they can input it at this point.
- big problem if the key is not saved externally
- if the key is lost, it is the worst-case scenario, and you'll be locked out of the system
User Recovery
The user has forgotten their password, i.e. they have no way to log in or decrypt their home data. Here, the user may need their recovery key to get access to their data back.
- store the user keys in the system space so they can ask an admin to decrypt them?
- part of a "I forgot my password" process on the login screen
- integration with some online account?
Considerations
- the key will be a long string, getting users to save it accurately will be important
- decryption is part of the process of transferring hardware into a new system
- saving multiple keys during initial setup is not great UX
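The first consideration above (a long key that users must transcribe accurately) is where the UX and the crypto meet. The following is an added illustration, not code from the page or from GNOME or systemd: it generates a 256-bit recovery key from the OS CSPRNG, displays it in dash-separated groups drawn from a small letter-only alphabet, appends a two-letter check so that a mistyped letter or two swapped adjacent letters is reported before the key is used to unlock anything, and normalizes whatever the user typed (case, spaces, dashes). The alphabet, grouping and check construction are this example's own choices and are labelled as such in the code.

```python
import secrets
from typing import Optional

# Example's own choices (not taken from the page or from systemd/GNOME):
# a 16-letter alphabet with no digits and no letters that move between common
# keyboard layouts, 64 data letters (256 bits) shown as 8 groups of 8, and a
# trailing 2-letter check group.
ALPHABET = "cbdefghijklnrtuv"
VALUE = {ch: i for i, ch in enumerate(ALPHABET)}
DATA_SYMBOLS = 64
GROUP_SIZE = 8
SEPARATORS = " -_\n\t\r"


def _check_symbols(values):
    """Fletcher-style pair of check values (mod 16) over the data letter values.

    s1 = plain sum            -> detects any single wrong letter
    s2 = position-weighted sum -> detects any swap of two adjacent letters
    """
    s1 = sum(values) % 16
    s2 = sum((i + 1) * v for i, v in enumerate(values)) % 16
    return ALPHABET[s1] + ALPHABET[s2]


def format_recovery_key(key: bytes) -> str:
    """Encode 32 raw key bytes as dash-separated groups followed by the check pair."""
    if len(key) != DATA_SYMBOLS // 2:
        raise ValueError("expected %d key bytes" % (DATA_SYMBOLS // 2))
    symbols = "".join(ALPHABET[b >> 4] + ALPHABET[b & 0xF] for b in key)
    values = [VALUE[c] for c in symbols]
    groups = [symbols[i:i + GROUP_SIZE] for i in range(0, DATA_SYMBOLS, GROUP_SIZE)]
    return "-".join(groups + [_check_symbols(values)])


def generate_recovery_key():
    """Draw the key from the OS CSPRNG; return (raw key bytes, display form)."""
    key = secrets.token_bytes(DATA_SYMBOLS // 2)
    return key, format_recovery_key(key)


def parse_recovery_key(typed: str) -> bytes:
    """Normalize what the user typed and verify it before it is used to unlock anything.

    Raises ValueError with a message the UI can show; returns the raw key bytes.
    """
    cleaned = "".join(ch for ch in typed.lower() if ch not in SEPARATORS)
    if len(cleaned) != DATA_SYMBOLS + 2:
        raise ValueError(f"recovery key should have {DATA_SYMBOLS + 2} letters, got {len(cleaned)}")
    bad = [(i + 1, ch) for i, ch in enumerate(cleaned) if ch not in VALUE]
    if bad:
        pos, ch = bad[0]
        raise ValueError(f"character {ch!r} at position {pos} is not part of a recovery key")
    data, check = cleaned[:DATA_SYMBOLS], cleaned[DATA_SYMBOLS:]
    values = [VALUE[c] for c in data]
    if _check_symbols(values) != check:
        raise ValueError("recovery key was mistyped: a letter is wrong or two letters are swapped")
    return bytes(values[i] << 4 | values[i + 1] for i in range(0, DATA_SYMBOLS, 2))


def recovery_key_error(typed: str) -> Optional[str]:
    """Return the user-facing error message for a typed key, or None if it is valid."""
    try:
        parse_recovery_key(typed)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    raw, shown = generate_recovery_key()
    print("Show the user:", shown)
    print("Round trip ok:", parse_recovery_key(shown.upper()) == raw)
```

The point for the UI is that the check group lets the "I forgot my password" or boot-time prompt say "a letter is wrong" immediately, rather than failing with a generic unlock error after the user has typed 64 letters; the grouping makes it comparable against a printed copy one group at a time.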