[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: making encrypted $HOME as easy and convenient as possible

On Sun, Sep 11, 2011 at 02:23:37PM +0100, Jon Dowland wrote:
> I think it would be wonderful to have such ease-of-use $HOME
> encryption in Debian.  Ubuntu's scheme uses ecryptfs.  Before I begin
> looking into how best I might help work towards this, I was wondering
> if experienced people could weigh in with advice on whether ecryptfs
> is likely to be the most sensible way to achieve the desired result,
> or is something else worthy of consideration?

Yes: full-disk encryption is better than homedir encryption.

The reason is that the idea that all your data resides in your $HOME is
a fallacy. Maybe you've got a database installed, which means you've got
significant gobs of data in /var. The actual packages you've got
installed on your machine will leak some information, too. Most
importantly, temporary files get written to your /tmp, and if that's a
mounted partition, anyone who knows how to retrieve removed files (which
really isn't all that hard) can get, say, the contents of most files
you've been editing over the last few days/weeks/months (depending on
free disk space).

You might think that the above is overly paranoid, but then why go
through the effort of encrypting at all if you're going to leave such
glaring holes in the system?

And guess what, Debian already supports installing with full-disk

The volume of a pizza of thickness a and radius z can be described by
the following formula:

pi zz a

Attachment: signature.asc
Description: Digital signature

Reply to: