[clug] Ubuntu encrypted file systems

Daniel Pittman daniel at rimspace.net
Fri Aug 21 03:33:28 MDT 2009


Ian McLeod <ianmcleod75 at gmail.com> writes:

> Is just LVM encryption secure enough for day to day use?

LVM doesn't do encryption, as such.  Device Mapper, which also underlies LVM,
has an encryption module that can be used with cryptsetup to drive either a
LUKS or plain encrypted block device.

So, I suspect that Stephen had LVM (with no encryption) and "Home directory
encryption", which is based on eCryptfs (IIRC), enabled.

> What's the advantage of also encrypting /home?

None.  You can actually lose theoretical security, since if someone can
identify content inside the encrypted space, and you have double-encryption,
it can leak information out.[1]

> I thought the idea was to encrypt /home.
>
> Stephen Boyd wrote:
>> On Tue, 2009-08-18 at 23:09 +1000, Jim Croft wrote:
>>   
>>> is there a detectable/measurable performance hit with the encryption?
>>
>> Not much, except where I have both the LVM and Home directory encryption
>> enabled. There is a noticeable lag when working on files in ~/ and I won't
>> use both again - just LVM. (I'm planning to re-install and put the 64 bit
>> version of karmic on that laptop as soon as it reaches beta).

For what it is worth, an LVM and LUKS based dmcrypt stack, on software RAID1,
has insignificant extra latency for me: performance is about the same as
sitting directly on the RAID1, in almost all cases.

Regards,
        Daniel

Footnotes: 
[1]  ...though, really, this is in the realm of ultra-serious cryptanalysis,
     and it would cost /so/ much less for the government to just arrest you
     and beat you with a rubber hose until you give them the key that, well,
     if it matters you can look forward to a rubbery future...

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
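
Added example, not part of the original message: a shell sketch that tells apart the layers discussed in this thread. It reads text in the format of `dmsetup table` and `/proc/mounts` to show that LVM volumes are plain `linear` Device Mapper targets, that block encryption appears as a separate `crypt` target, and whether an eCryptfs home directory is stacked on top. The device names, the user `alice` and all sample data are constructed assumptions.

```sh
#!/bin/sh
# Constructed `dmsetup table` output: two LVM volumes (linear targets) and
# one dm-crypt mapping. dmsetup prints the key as zeros unless --showkeys
# is given; the key below is shortened for the example.
SAMPLE_DM='sda5_crypt: 0 488892416 crypt aes-xts-plain64 0000000000000000 0 8:5 4096
vg0-root: 0 39059456 linear 253:0 2048
vg0-home: 0 419430400 linear 253:0 39061504'

# Constructed /proc/mounts excerpt with an eCryptfs home directory mounted.
SAMPLE_MOUNTS='/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0'

# "<name> <target>" for every mapping on stdin.
# `dmsetup table` lines are "<name>: <start> <length> <target> <args...>".
dm_targets() {
    awk 'NF >= 4 { sub(/:$/, "", $1); print $1, $4 }'
}

# Names of mappings whose target type is "crypt" (dm-crypt, LUKS or plain).
dmcrypt_mappings() {
    dm_targets | awk '$2 == "crypt" { print $1 }'
}

# Mount points whose filesystem type (3rd field of /proc/mounts) is ecryptfs.
ecryptfs_mounts() {
    awk '$3 == "ecryptfs" { print $2 }'
}

# Report which layers encrypt: "dm-crypt", "ecryptfs", "both" or "none".
# $1 = dmsetup table text, $2 = mounts text.
encryption_layers() {
    block=$(printf '%s\n' "$1" | dmcrypt_mappings)
    file=$(printf '%s\n' "$2" | ecryptfs_mounts)
    if [ -n "$block" ] && [ -n "$file" ]; then echo "both"
    elif [ -n "$block" ]; then echo "dm-crypt"
    elif [ -n "$file" ]; then echo "ecryptfs"
    else echo "none"
    fi
}

printf '%s\n' "$SAMPLE_DM" | dm_targets
encryption_layers "$SAMPLE_DM" "$SAMPLE_MOUNTS"
```

On a live system the same functions can be fed `dmsetup table` (run as root) and the contents of `/proc/mounts` in place of the sample variables.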

