Encrypted home directory

Nikolay Vladimirov nikolay at vladimiroff.com
Tue Dec 23 14:15:06 UTC 2008


2008/12/23 Eric Christensen <eric at christensenplace.us>:
> Ralf Ertzinger wrote:
>> Hi.
>>
>> On Tue, 23 Dec 2008 10:30:31 +0200, Nikolay Vladimirov wrote:
>>
>>> Ok. I'm not really sure about this but I think that full disk
>>> encryption on a software level with a key strong enough will bring
>>> some performance loss. And some people just want some confidential
>>> files to be encrypted.
>>
>> I'm running full-LV encryption for /home (and some other directories) in
>> my laptop, and the performance loss is nonexistent for me. Getting the
>> bits off the rotating rust takes quite longer than decrypting them.
>>
>> After all, all the cores in that thing have to be good for something.
>>
>> (Core Duo, 1.6GHz)
>>
> I've been running full disk encryption via LUKS since F8 with a 6 year
> old laptop.  I don't see any noticeable performance loss.
>
> Just to comment on the whole disk versus just a folder in the /home,
> Windows did the same thing a number of years ago on XP (and since I
> believe but I don't know).  You could select a folder and "encrypt" it.
>  The crypto implementation was horrible and when people actually used it
> they never realized that they weren't getting ALL the sensitive data
> encrypted.  There will always be a cache or tmp file lying around in
> the clear that will contain sensitive information.
>
> The DoD didn't like the use of the folder level encryption and has since
> mandated full disk encryption for all portable devices.  It saves the
> user from trying to figure out what is sensitive and what needs to be
> encrypted and breaking their storage schema just to put a specific file
> into a specific folder.  The user will ALWAYS miss something and will
> ALWAYS be left vulnerable.
>
> Thanks,
> Eric Christensen
> E-Mail: sparks at fedoraproject.org
> GPG Key: D74908ED
>

That seems reasonable. I really see two good paths to this data security thing:
1) Some hardware level encryption. Like in my thingpad I have some trusted something thingie and another hard drive security thing. This way there will be no software complications.
2) Encrypted /home since all of the user's sensitive data should be there.

It's good to have some notice like "Full disk encryption is more
secure" and "Note that some cache saved outside of the /home dir may
be visible (swap, /tmp, stuff)" and "Using some BIOS setting stuff is
more secure".
Some benchmarks of encrypted stuff vs non-encrypted will be nice to
know for sure about the performance loss.
And some info in the installation media about this stuff maybe taken
from "Security Guide" in the wiki will be nice.

Note: I'm not very competent in this whole encryption stuff. I'm just
offering some user point of view on this.



-- 
NV
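The concern raised in this thread, that with only /home encrypted, data still lands in swap, /tmp and other locations in the clear, can be checked on a given machine. The following is an added example, not part of the original message: it walks the device tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports which leak-prone mount points have no dm-crypt layer beneath them. The device names, the sample layout and the `LEAK_PRONE` list are constructed assumptions.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not from the
# thread): only /home sits on a dm-crypt (LUKS) mapping; the rest is plaintext.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
      {"name": "vg-tmp", "type": "lvm", "mountpoint": "/tmp"},
      {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"},
      {"name": "vg-home", "type": "lvm", "mountpoint": null, "children": [
        {"name": "luks-home", "type": "crypt", "mountpoint": "/home"}]}]}]}
]}
"""

# Assumed list of places where user data tends to end up besides /home.
LEAK_PRONE = ("/", "/tmp", "/var", "/var/tmp", "[SWAP]")


def classify(lsblk_json):
    """Return {mountpoint: bool}; True if a dm-crypt layer sits at or below it."""
    result = {}

    def walk(node, encrypted):
        # A node is encrypted if it or any ancestor device is of type "crypt".
        encrypted = encrypted or node.get("type") == "crypt"
        mnt = node.get("mountpoint")
        if mnt:
            result[mnt] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def plaintext_leaks(lsblk_json):
    """Leak-prone mount points that are present but not backed by dm-crypt."""
    state = classify(lsblk_json)
    return sorted(m for m in LEAK_PRONE if m in state and not state[m])


if __name__ == "__main__":
    for mnt, enc in sorted(classify(SAMPLE_LSBLK).items()):
        print(f"{mnt:8} {'encrypted' if enc else 'PLAINTEXT'}")
```

A /tmp mounted as tmpfs does not appear in `lsblk` output; its pages can still be written to swap, so the `[SWAP]` result covers that case.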




More information about the fedora-devel-list mailing list