[clug] Ubuntu encrypted file systems

Daniel Pittman daniel at rimspace.net
Fri Aug 21 19:35:05 MDT 2009


David Tulloh <david at tulloh.id.au> writes:
> Stephen Boyd wrote:
>> On Fri, 2009-08-21 at 19:33 +1000, Daniel Pittman wrote:
>>
>>> So, I suspect that Stephen had LVM (with no encryption) and "Home
>>> directory encryption", which is based on eCryptfs (IIRC), enabled.

[...]

>> Which is better?
>> Encrypting the whole disk is simple - everything is encrypted when the
>> system is shutdown. It doesn't stop other legitimate users accessing
>> your data. Good for a single user laptop.

Personally, I am quite happy with the level of protection that normal Unix
permissions provide for cross-account legitimate users.  This does require
some attention to privilege escalation attacks, but otherwise you can rely on
keeping your home directory private keeping it, um, private. :)

>> Encrypting your home directory protects it against other users of the
>> system (if you lend laptop to someone else with a different login, they
>> don't have the key to your data) but it doesn't protect data
>> in /var, /tmp etc.
>
> Not encrypting your swap (just doing /home or similar) causes security
> issues.  Your decryption key to whatever you have encrypted sits in ram so
> that the disk can be encrypted/decrypted as needed.

As you noted, this varies depending on which key you mean, but *MOST* of the
interesting stuff isn't the encryption key, but rather the data it protects.
That isn't kept away from swap.

> You have to assume that swap contains a full copy of your ram, this copy is
> sitting on your hard disk in the clear and can be retrieved months after you
> shut your laptop down and someone stole it from your car.  The structure of
> the data is known, a skilled attacker can retrieve it and use it to decrypt
> your disk.

It doesn't take that much skill, honestly.  strings(1) will get a reasonable
proportion of the data back, and various tools for extracting more structured
information also exist.


The important question is your threat model: what data do you have on your
disk that is worth the effort of being physically present while breaking the
law, but not worth just picking you up and shaking you until the password
falls out?

Unless you routinely hold valuable information your real threat is casual
snooping, where almost any protection is sufficient: the attacker boots the
machine, finds they can't log in, or bypass the Windows password easily, and
then will reformat the disk to install something they can control.


For that threat model, whole disk encryption is substantially better
protection than home-directory encryption, but either is probably sufficient
to protect against most realistic attacks.

Regards,
        Daniel
-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
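The two points the thread makes about swap, in runnable form, as an added example that is not part of the original post or of any project mentioned in it: a strings(1)-style scan over a constructed swap image shows that whatever was in RAM (decrypted document text, configuration lines) is readable in the clear, and a small audit helper reads /proc/swaps-style and /etc/crypttab-style text and reports swap devices that are not backed by a dm-crypt mapping. The swap image, the /proc/swaps text and the crypttab text are constructed samples; the assumption that an encrypted swap appears in /proc/swaps as /dev/mapper/<name> with <name> as the first field of a crypttab line is mine, and the function names are hypothetical.

```python
"""Added example (not from the original mailing-list post).

1. printable_strings(): what strings(1) would recover from an unencrypted
   swap image, i.e. plaintext that was in RAM when the page was swapped out.
2. unencrypted_swaps(): an audit helper that flags swap devices which are not
   a dm-crypt mapping listed in /etc/crypttab.

All input data below is constructed, not captured from a real machine.
Assumption: encrypted swap shows up in /proc/swaps as /dev/mapper/<name>,
and <name> is the first field of the corresponding /etc/crypttab line.
"""
import os
import re


# ---- 1. strings(1)-style recovery from a swap image -----------------------

def printable_strings(data: bytes, min_len: int = 4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_fake_swap_image() -> bytes:
    """Constructed sample: a 4 KiB 'page' of non-printable filler with a
    document fragment and a config line embedded, as swapped-out RAM would
    carry them. No real memory is read here."""
    page = bytearray(bytes([0x00, 0x01, 0xFE, 0xFF]) * 1024)
    doc = b"Confidential: merger closes Monday"      # text of an open document
    cfg = b"smtp_password=hunter2-sample"            # a config value held in RAM
    page[512:512 + len(doc)] = doc
    page[2048:2048 + len(cfg)] = cfg
    return bytes(page)


# ---- 2. Audit: which swap devices are not dm-crypt backed? ----------------

# Constructed /proc/swaps text: one plain partition, one dm-crypt mapping.
PROC_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/sda5                               partition\t4194300\t0\t-1\n"
    "/dev/mapper/cryptswap1                  partition\t2097148\t0\t-2\n"
)

# Constructed /etc/crypttab text; the UUID is a placeholder.
CRYPTTAB = (
    "# <target name> <source device> <key file> <options>\n"
    "cryptswap1 /dev/sda6 /dev/urandom swap,cipher=aes-xts-plain64\n"
    "cryptroot  UUID=PLACEHOLDER-UUID none luks\n"
)


def parse_proc_swaps(text: str):
    """Parse /proc/swaps-style text into (path, type) tuples, skipping the header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def crypttab_mappings(text: str):
    """Return the set of dm-crypt target names defined in crypttab-style text."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split()[0])
    return names


def unencrypted_swaps(proc_swaps_text: str, crypttab_text: str):
    """Swap paths that are not a crypttab-defined /dev/mapper/ device.

    Limitation: a swap *file* is flagged too, because this helper does not
    resolve which filesystem the file lives on; review those by hand."""
    mapped = crypttab_mappings(crypttab_text)
    flagged = []
    for path, _swap_type in parse_proc_swaps(proc_swaps_text):
        if path.startswith("/dev/mapper/") and os.path.basename(path) in mapped:
            continue  # dm-crypt backed: key comes from crypttab (random per boot here)
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    print("strings(1) would find:", printable_strings(build_fake_swap_image()))
    print("swap not backed by dm-crypt:", unencrypted_swaps(PROC_SWAPS, CRYPTTAB))
```

On a real Ubuntu box the same helper can be fed `open("/proc/swaps").read()` and `open("/etc/crypttab").read()`; the important check is the first function's output, since anything it lists would survive a shutdown on an unencrypted swap partition exactly as the thread describes.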

