[clug] Ubuntu encrypted file systems
david at tulloh.id.au
Fri Aug 21 07:28:24 MDT 2009
David Tulloh wrote:
> Stephen Boyd wrote:
>> On Fri, 2009-08-21 at 19:33 +1000, Daniel Pittman wrote:
>>> So, I suspect that Stephen had LVM (with no encryption) and "Home
>>> encryption", which is based on eCryptfs (IIRC), enabled.
>> I have a dm-crypt device mapper layer (encrypts all except the /boot
>> partition plus ecryptfs of my /home directory.
>> Why - I was trying things out.
>> Which is better?
>> Encrypting the whole disk is simple - everything is encrypted when the
>> system is shutdown. It doesn't stop other legitimate users accessing
>> your data. Good for a single user laptop.
>> Encrypting your home directory protects it against other users of the
>> system (if you lend laptop to someone else with a different login, they
>> don't have the key to your data) but it doesn't protect data
>> in /var, /tmp etc.
> Not encrypting your swap (just doing /home or similar) causes security
> issues. Your decryption key to whatever you have encrypted sits in
> ram so that the disk can be encrypted/decrypted as needed.
> You have to assume that swap contains a fully copy of your ram, this
> copy is sitting on your hard disk in the clear and can be retrieved
> months after you shut your laptop down and someone stole it from your
> car. The structure of the data is known, a skilled attacker can
> retrieve it and use it to decrypt your disk. The same goes for every
> other temporary password you have saved on your computer.
Argh, my bad. On further reading kernel reading is never swapped so
your disk decryption key would be safe*.
Your email password, ssh keys and open files are still accessible though.
* - This is my new belief, I'm not a kernel guy and I'm just flailing
wildly through the documentation and source code making assumptions.
That is to say I may be wrong (again).
More information about the linux