[clug] Ubuntu encrypted file systems

David Tulloh david at tulloh.id.au
Fri Aug 21 07:28:24 MDT 2009

David Tulloh wrote:
> Stephen Boyd wrote:
>> On Fri, 2009-08-21 at 19:33 +1000, Daniel Pittman wrote:
>>> So, I suspect that Stephen had LVM (with no encryption) and "Home
>>> directory
>>> encryption", which is based on eCryptfs (IIRC), enabled.
>> I have a dm-crypt device mapper layer (encrypts all except the /boot
>> partition plus ecryptfs of my /home directory.
>> Why - I was trying things out.
>> Which is better?
>> Encrypting the whole disk is simple - everything is encrypted when the
>> system is shutdown. It doesn't stop other legitimate users accessing
>> your data. Good for a single user laptop.
>> Encrypting your home directory protects it against other users of the
>> system (if you lend laptop to someone else with a different login, they
>> don't have the key to your data) but it doesn't protect data
>> in /var, /tmp etc.
> Not encrypting your swap (just doing /home or similar) causes security 
> issues.  Your decryption key to whatever you have encrypted sits in 
> ram so that the disk can be encrypted/decrypted as needed.
> You have to assume that swap contains a fully copy of your ram, this 
> copy is sitting on your hard disk in the clear and can be retrieved 
> months after you shut your laptop down and someone stole it from your 
> car.  The structure of the data is known, a skilled attacker can 
> retrieve it and use it to decrypt your disk.  The same goes for every 
> other temporary password you have saved on your computer.
Argh, my bad.  On further reading kernel reading is never swapped so 
your disk decryption key would be safe*.
Your email password, ssh keys and open files are still accessible though.


* - This is my new belief, I'm not a kernel guy and I'm just flailing 
wildly through the documentation and source code making assumptions.  
That is to say I may be wrong (again).

More information about the linux mailing list