Thursday March 30, 2006 at 21:47
Subject: Early impressions about encrypted home.
Keywords: Encryption, Linux, Technical
Posted by: Sean Reifschneider
Related entries:
Encrypted file-systems. by Sean Reifschneider, Sunday March 26, 2006 at 22:31
2 Weeks of Encrypted Filesystem by Sean Reifschneider, Sunday April 09, 2006 at 20:28
Setting Up Encrypted root Partition on Fedora 7. by Sean Reifschneider, Sunday August 26, 2007 at 01:37
Recipe for setting up Encrypted root+swap on Fedora 8. by Sean Reifschneider, Saturday November 24, 2007 at 15:37
I've been running my laptop with the encrypted home directory, as I
mentioned in my previous entry, for the better part of a week now. So far,
I really haven't even noticed that the encryption is there. Read on for
more about the encrypted home directory.
The encryption hook I made in the modules directory is working great.
It happens so early in the startup process that the normal file-system
check process can run as normal. I haven't had many opportunities to use
it, but have had one -- after my laptop locked up on Monday.
I haven't noticed the extra overhead at all. I'm running a Pentium M
1.8GHz, so it has a fair amount of CPU resources on this box anyway, and I
don't really hit the CPU that hard in general use. I can't say that, during
a week of normal use, I've even once noticed performance issues.
To keep my data inaccessible from the console, I've set up the system
so that when I suspend, or when I close my laptop, it locks the console.
This was done by setting up the ACPI scripts for both suspend and the lid
button to run dcop to tell KDE to lock the console:

    # Find the DCOP sessions of every logged-in user on display :0
    avail_sessions=`dcop --all-users --list-sessions | grep '.DCOP.*__0'`
    # Ask the KDE screensaver in each of those sessions to lock
    for session in $avail_sessions; do
        dcop --session "$session" --all-users kdesktop KScreensaverIface lock > /dev/null 2>&1
    done

One question that's come up a few times has been how I expect to back up my home directory. My backup is running exactly as it always has. When it's mounted, I just do an rsync to my backup server. I'm not concerned about every copy of my data being encrypted. I'm more concerned about my laptop being stolen and its data being compromised. The ultra-sensitive stuff is encrypted using gpg, even on the encrypted file-system.

My next plan is to convert our backup server to also encrypt the backups, so that I don't have to worry about the backup server getting stolen. Based on what I've seen with my encrypted home directory, that should be easy to set up and performance shouldn't be an issue at all.

As far as encrypting my root partition... There's very little data on that partition, and almost none of it is sensitive. It does have a key that would allow access to our VPN, but obviously that would get revoked pretty quickly if my laptop were to go missing, and it doesn't really provide much in the way of escalated privileges.

So far, I've been extremely happy with the encrypted home-directory.