I've been running my laptop with the encrypted home directory, as I mentioned in my previous entry, for the better part of a week now. So far, I really haven't even noticed that the encryption is there. Read on for more about the encrypted home directory.
The encryption hook I made in the modules directory is working great. It happens so early in the startup process that the normal file-system check process can run as normal. I haven't had many opportunities to use it, but have had one -- after my laptop locked up on Monday.
I haven't noticed the extra overhead at all. I'm running a Pentium M 1.8GHz, so it has a fair amount of CPU resources on this box anyway, and I don't really hit the CPU that hard in general use. I can't say that during a week of normal use, that I've even once noticed performance issues.
To keep my data inaccessible from the console, I've set up the system so that when I suspend, or when I close my laptop, it locks the console. This was done by setting up the ACPI scripts for both suspend and the lid button do run dcop to tell KDE to lock the console:
avail_sessions=`dcop --all-users --list-sessions | grep '.DCOP.*__0'` for session in $avail_sessions; do dcop --session "$session" --all-users kdesktop KScreensaverIface lock > /dev/null 2>&1 done
One question that's come up a few times has been how I expect to backup my home directory. My backup is running exactly as I always have. When it's mounted, I just do an rsync to my backup server. I'm not concerned about every copy of my data being encrypted. I'm more concerned about my laptop being stolen and it's data being compromised. The ultra-sensitive stuff is encrypted using gpg, even on the encrypted file-system.
My next plan is to convert our backup server to also encrypt the backups, so that I don't have to worry about the backup server getting stolen. Based on what I've seen with my encrypted home directory, that should be easy to set up and performance shouldn't be an issue at all.
As far as encrypting my root partition... There's very little data on that partition, and almost none of it is sensitive. It does have a key that would allow access to our VPN, but obviously that would get revoked pretty quickly if my laptop were to go missing, and it doesn't really provide much in the way of escalated privileges.
So far, I've been extremely happy with the encrypted home-directory.comments powered by Disqus