[clug] Ubuntu encrypted file systems
David Tulloh
david at tulloh.id.au
Fri Aug 21 07:18:56 MDT 2009
Stephen Boyd wrote:
> On Fri, 2009-08-21 at 19:33 +1000, Daniel Pittman wrote:
>
>> So, I suspect that Stephen had LVM (with no encryption) and "Home
>> directory
>> encryption", which is based on eCryptfs (IIRC), enabled.
>>
>>
> I have a dm-crypt device mapper layer (encrypts all except the /boot
> partition plus ecryptfs of my /home directory.
>
> Why - I was trying things out.
>
> Which is better?
> Encrypting the whole disk is simple - everything is encrypted when the
> system is shutdown. It doesn't stop other legitimate users accessing
> your data. Good for a single user laptop.
> Encrypting your home directory protects it against other users of the
> system (if you lend laptop to someone else with a different login, they
> don't have the key to your data) but it doesn't protect data
> in /var, /tmp etc.
>
Not encrypting your swap (just doing /home or similar) causes security
issues. Your decryption key to whatever you have encrypted sits in ram
so that the disk can be encrypted/decrypted as needed.
You have to assume that swap contains a fully copy of your ram, this
copy is sitting on your hard disk in the clear and can be retrieved
months after you shut your laptop down and someone stole it from your
car. The structure of the data is known, a skilled attacker can
retrieve it and use it to decrypt your disk. The same goes for every
other temporary password you have saved on your computer.
David
More information about the linux
mailing list