[clug] Ubuntu encrypted file systems

David Tulloh david at tulloh.id.au
Fri Aug 21 07:18:56 MDT 2009


Stephen Boyd wrote:
> On Fri, 2009-08-21 at 19:33 +1000, Daniel Pittman wrote:
>   
>> So, I suspect that Stephen had LVM (with no encryption) and "Home
>> directory
>> encryption", which is based on eCryptfs (IIRC), enabled.
>>
>>     
> I have a dm-crypt device mapper layer (encrypts all except the /boot
> partition plus ecryptfs of my /home directory.
>
> Why - I was trying things out.
>
> Which is better?
> Encrypting the whole disk is simple - everything is encrypted when the
> system is shutdown. It doesn't stop other legitimate users accessing
> your data. Good for a single user laptop.
> Encrypting your home directory protects it against other users of the
> system (if you lend laptop to someone else with a different login, they
> don't have the key to your data) but it doesn't protect data
> in /var, /tmp etc.
>   
Not encrypting your swap (just doing /home or similar) causes security 
issues.  Your decryption key to whatever you have encrypted sits in ram 
so that the disk can be encrypted/decrypted as needed.

You have to assume that swap contains a fully copy of your ram, this 
copy is sitting on your hard disk in the clear and can be retrieved 
months after you shut your laptop down and someone stole it from your 
car.  The structure of the data is known, a skilled attacker can 
retrieve it and use it to decrypt your disk.  The same goes for every 
other temporary password you have saved on your computer.


David


More information about the linux mailing list