Brice Goglin's Blog - Encrypting part of /home

May. 2nd, 2010

14:23 - Encrypting part of /home

I am preparing my switch to a new laptop at work in the next weeks. I am considering adding encryption to part of the hard drive, but I don't want to dramatically decrease performance. Encrypting the swap device or some .foo directories in $HOME looks like a good idea to protect private keys, keyrings, ... But encrypting git clones of large projects is probably useless.

So I am thinking of just having a small /home encrypted partition (a couple GB). I'd keep .foo directories in $HOME and only have symlinks to another non-encrypted partition where all my actual source code and other non-sensitive files would be.

Does this make any sense?


Comments:

From:(Anonymous)
Date:May 2nd, 2010 13:08 (UTC)

Cost of encrypting everything

The question is whether the encryption performance penalty is large enough to bother with having an unencrypted part. Personally, I don't really miss much performance-wise (running some old sid/amd64 on an X60), so I don't regret just encrypting the whole thing.
From:bgoglin
Date:May 2nd, 2010 13:22 (UTC)

Re: Cost of encrypting everything

Yes, the performance penalty may not be that bad, from what I see in
http://www.phoronix.com/scan.php?page=article&item=ubuntu_910_encryption&num=3

I'd like to see some benchmarks with things like git blame in a clone of the kernel git tree, or a kernel build. Those would probably be good examples of my most disk-intensive workloads.

Also I wonder if the AES instructions in the latest i7 processors will help with that (I will have an i7-620M).
From:juliank.wordpress.com
Date:May 2nd, 2010 13:54 (UTC)

Re: Cost of encrypting everything

That uses eCryptfs.
From:(Anonymous)
Date:May 2nd, 2010 13:16 (UTC)

yes and no

It does make sense until you realize that the encryption-induced overhead is negligible, except in the massive I/O cases. Coupled with the fact that you need an encrypted swap partition too, you end up with multiple encrypted partitions anyway.

Myself, I have used for the last 2.5 years a LUKS-formatted LVM holding everything except /boot. The only times I saw CPU usage going up were after boot and after waking from hibernation. Even on my low-grade laptop the bottleneck is most of the time the disk, not the CPU.

So, it makes some sense, but I'd say it's not worth the trouble.
From:(Anonymous)
Date:May 2nd, 2010 13:35 (UTC)

Just don't forget encrypted swap.

The disk encryption is worthless if what you are trying to protect gets swapped and the swap partition isn't encrypted. The degree of truth in this depends on how paranoid you want to be.
From:bgoglin
Date:May 2nd, 2010 13:49 (UTC)

Re: Just don't forget encrypted swap.

Yeah, I'll encrypt swap for sure.
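
The point made in this sub-thread, that unencrypted swap undermines disk encryption, can be checked on a running system. The script below is an added example, not code from the post or its commenters: it reads the active swap areas and reports which ones sit on dm-crypt, including the LVM-on-LUKS layout mentioned earlier in the comments. It assumes the Linux `/proc/swaps` and sysfs layouts and cryptsetup's `CRYPT-` device-mapper UUID prefix; `SWAPS`, `SYSFS` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag active swap areas that are not on dm-crypt.
# Assumptions: Linux /proc/swaps and sysfs layouts, and cryptsetup's convention
# of giving its device-mapper devices a UUID that starts with "CRYPT-".
# SWAPS and SYSFS are hypothetical overrides for running on a constructed tree.
SWAPS=${SWAPS:-/proc/swaps}
SYSFS=${SYSFS:-/sys}

# is_crypt_backed NAME: true if block device NAME is a dm-crypt mapping, or a
# device-mapper device (e.g. an LVM volume) whose underlying devices all are.
# The body is a subshell, so each level of recursion has its own variables.
is_crypt_backed() (
    node="$SYSFS/class/block/$1"
    [ -r "$node/dm/uuid" ] || return 1          # plain disk or partition
    case $(cat "$node/dm/uuid") in CRYPT-*) return 0 ;; esac
    found=0
    for slave in "$node"/slaves/*; do
        [ -e "$slave" ] || continue
        found=1
        is_crypt_backed "${slave##*/}" || return 1
    done
    [ "$found" -eq 1 ]
)

# check_swaps: print "STATUS path" for every swap area; return 1 if any area
# is not confirmed encrypted, 2 if the swap list cannot be read.
check_swaps() {
    [ -r "$SWAPS" ] || return 2
    rc=0
    while read -r path type rest; do
        case $type in
            Type|"") continue ;;                # header or blank line
            partition)
                real=$(readlink -f "$path" 2>/dev/null) || real=$path
                if is_crypt_backed "${real##*/}"; then
                    echo "ENCRYPTED $path"
                else
                    echo "PLAINTEXT $path"; rc=1
                fi ;;
            *)  echo "UNCHECKED $path"; rc=1 ;; # swap file: depends on its filesystem
        esac
    done < "$SWAPS"
    return "$rc"
}
```

Source the file and call `check_swaps`; a non-zero status means at least one swap area could not be confirmed as encrypted.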
From:juliank.wordpress.com
Date:May 2nd, 2010 13:49 (UTC)

Why not try eCryptfs?

You can also use eCryptfs to encrypt a directory using what they call "Stacked Filesystem Encryption". This might make more sense in some context and might also perform better, though I have not really checked this.

Install ecryptfs-utils and run

$ ecryptfs-setup-private -a

as the user. This will encrypt your home directory and from now on, it will be automatically mounted and decrypted on login, and unmounted when you log out. The encryption key is based on your login password and libpam takes care of notifying ecryptfs to mount the directory.

If you just want to have an encrypted ~/Private, you could just run:

$ ecryptfs-setup-private

That is, without the -a.

From:(Anonymous)
Date:May 2nd, 2010 14:34 (UTC)
It doesn't make sense, because private keys and keyrings should be already encrypted by gpg and will never be swapped out due to mlock(). IOW, based on what you listed, you don't really have unencrypted confidential data.
From:bgoglin
Date:May 2nd, 2010 15:27 (UTC)
Maybe my examples weren't good examples :)

It's not easy to be sure that you have nothing confidential on your machine. There are often dozens of identifiers and passwds in the browser config files or in your mail client cache for instance. Unless you really know everything you're doing, encrypting everything is a good way to make sure nothing confidential leaked when your machine got stolen.
From:(Anonymous)
Date:May 2nd, 2010 18:06 (UTC)

ecryptfs seems to be what you want

There is a nice article about ecryptfs that might help you:
http://sunoano.name/ws/public_xhtml/debian_security.html#filesystem-level_encryption