Encrypted home directory

Mike mike.cloaked at gmail.com
Tue Dec 23 20:58:43 UTC 2008


Mail Lists <lists <at> sapience.com> writes:

>   Remember also /tmp, /var/tmp and swap - where much a lovely secret can
> be found!
> 
>   I encrypt /home and /swap and I bind mount /tmp and /var/tmp from
> /home/tmp and /home/var/tmp for completeness. If you run certain
> services you may want to bind mount /var out of the encrypted partition
> as well.

Exactly so - I was running F9 on one machine using pretty much this scheme as a
test. Performance loss is hardly noticeable, and security very much enhanced.

One thing that did frustrate me was that I ran the encryption from the install
but an option to keep the passphrase the same for the root and /opt partitions
was not available. It would be nice if the machine would boot up and request the
luks passphrase for the root partition but that the passphrase for the other
encrypted partitions was then stored on the root partition avoiding the need to
enter a passphrase twice. I have not tried the standard encrypted install on F10
yet so I don't know if such niceties have already been implemented?

Equally I had to manually change the system to put the swap partition passphrase
somewhere and not have it requested at boot time - which would have made for
three passphrase requests during boot!

One other issue with fully encrypted systems is that when updating to the next
version of Fedora the new DVD iso cannot be stored on the HD unless it is placed
in /boot unencrypted and sufficiently large to hold it. If not then presumably a
hard drive install cannot read the iso from an encrypted partition?

However, given the number of laptop thefts in the news in the UK, and the bad
publicity when tens of millions of personal details, including passport numbers,
bank account details etc., can be easily obtained by criminals from such stolen
laptops, this is something worth protecting against with encrypted systems. In
addition to encrypting the filesystems, easy creation (and decryption with a
suitable passphrase) of encrypted USB keys and CD/DVDs would be very nice to
have available.

I have tested creating encrypted USB keys in F9 and this worked well. CD
decryption for LUKS-encrypted CDs was a little awkward in F9 - I don't know if
this is much different in F10?
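The "one passphrase at boot" layout discussed in this thread (root unlocked interactively, /opt and friends unlocked from a keyfile kept on the encrypted root, swap on a throwaway random key) can be checked from /etc/crypttab; the script below is an added example, not from the original post or from Fedora, and it assumes the classic four-field crypttab format (name, device, keyfile, options) and a GNU `stat`:

```sh
#!/bin/sh
# Added example: audit a crypttab for the single-prompt encrypted layout.
# A keyfile of "none" (or "-") means an interactive passphrase prompt at boot;
# /dev/urandom is the usual throwaway key for an encrypted swap partition;
# anything else is a keyfile that must be root-only and must not live on the
# unencrypted /boot partition. Device names in the test data are constructed.

# Count the interactive passphrase prompts a crypttab would cause at boot.
crypttab_prompts() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $3 == "none" || $3 == "-" || NF < 3 { n++ }
         END { print n + 0 }' "$1"
}

# Check every keyfile entry. Prints "name: keyfile -> OK|BAD (reason)" per
# entry and returns 1 if any keyfile is missing, group/other-readable, or
# stored under /boot.
crypttab_audit_keys() {
    rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac          # blank or comment
        case "$key" in ''|none|-|/dev/urandom|/dev/random) continue ;; esac
        status=OK
        if [ ! -f "$key" ]; then
            status="BAD (keyfile missing)"
        elif [ "$(stat -c %a "$key" | cut -c2-)" != "00" ]; then
            # mode must be 0400 or 0600: no group/other bits at all
            status="BAD (keyfile readable by group/other)"
        else
            case "$key" in /boot/*) status="BAD (keyfile on unencrypted /boot)" ;; esac
        fi
        case "$status" in BAD*) rc=1 ;; esac
        echo "$name: $key -> $status"
    done < "$1"
    return $rc
}

# Usage: ./crypttab-audit.sh /etc/crypttab
if [ -n "${1:-}" ]; then
    echo "interactive passphrase prompts at boot: $(crypttab_prompts "$1")"
    crypttab_audit_keys "$1"
fi
```

With a root entry of "none", an /opt entry pointing at a 0400 keyfile on the root filesystem and a swap entry on /dev/urandom, the script reports one prompt and all keyfiles OK; a keyfile left at 0644 is flagged.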




More information about the fedora-devel-list mailing list