Fedora Linux Support Community & Resources Center
  #1  
Old 18th February 2012, 05:30 PM
flash3780 Offline
Registered User
 
Join Date: May 2011
Location: Cincinnati, Ohio
Posts: 68
Encrypted User Directory?

Okay, so... my latest employer requires that laptops be encrypted so that their data doesn't end up in China or Mongolia or something. So... I'd like to both use my home laptop (F16) and comply with their security policy. However, I worry that encrypting the entire disk could slow lappy down.

Is it possible to create a user whose home directory is encrypted? I'm no encryption expert, but it seems doable. Essentially, I want to be sure that if the laptop is stolen, nobody can get to the company's data easily.

What I'd like to do is to create a separate login for company work and I'd like the disk encryption to be integrated into a user's login. I'm wondering if someone could recommend some encryption software for this sort of thing. I'm thinking that LUKS, TrueCrypt or eCryptfs might do the trick... but I'm not entirely sure. Any ideas?

Last edited by flash3780; 18th February 2012 at 06:12 PM.
  #2  
Old 18th February 2012, 06:51 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 31
Posts: 2,750
Re: Encrypted User Directory?

The most secure way is probably to use LUKS/dm-crypt to encrypt a dedicated partition and mount it on /home/workuser. Or why not encrypt the whole /home partition to protect your personal files too?

Another option is to use ecryptfs. That's a virtual file system that encrypts a directory and everything below it transparently. The files appear on the backing file system as individual encrypted files. You can choose to have ecryptfs encrypt the file names too, but it sometimes chokes on long file names. Ecryptfs is slower than LUKS too.

Gareth
  #3  
Old 18th February 2012, 10:29 PM
flash3780 Offline
Registered User
 
Join Date: May 2011
Location: Cincinnati, Ohio
Posts: 68
Re: Encrypted User Directory?

Thanks, LUKS was what I was thinking as well. I'm a bit concerned about encrypting things that don't need to be encrypted though. Firstly, I imagine that it will slow everything down. Secondly, if the hard disk takes a dump and it's encrypted, I'd imagine that there's virtually no chance of getting any data which wasn't backed up back again.

So, I'm thinking that the best option is encrypting /home/workuser... but maybe I'm off base with my concerns. Anyhow, I'll use my google-fu now that I have a direction in which to google. Thanks!
  #4  
Old 19th February 2012, 12:38 AM
amturnip Offline
Registered User
 
Join Date: Jul 2007
Posts: 135
Re: Encrypted User Directory?

It is tough to do a side-by-side comparison, but I don't think the difference in speed, if any, is noticeable. I've put LUKS on an Atom-powered netbook and it ran no worse than before. The bottleneck ought to be the spinning of the disk anyway.

You can use LUKS without encrypting the operating-system files. You can organize the disk with, for example, / on a non-encrypted partition and /home, /tmp, and swap on an encrypted partition.
  #5  
Old 19th February 2012, 12:53 PM
zardoz Offline
Registered User
 
Join Date: May 2007
Posts: 22
Re: Encrypted User Directory?

From a non-technical perspective, I'm very surprised that an employer that would require encryption would ever allow you to use a personal laptop for company work. You might want to double check with them before you start on this exercise as you may be digging a hole for yourself.

The sort of sites I work on will not even allow a USB key on site, let alone a personal laptop. This would most likely result in you being arrested at gun point and escorted off site, and the items confiscated.

Z.

Caveat Emptor...
  #6  
Old 19th February 2012, 05:04 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 31
Posts: 2,750
Re: Encrypted User Directory?

Quote:
Originally Posted by amturnip
It is tough to do a side-by-side comparison, but I don't think the difference in speed, if any, is noticeable.

I haven't noticed any performance hit with LUKS/dm-crypt, but I've never bothered to test it.

I found eCryptfs to be slow when dealing with large directories, probably because of the round-trip between the file manager, kernel, eCryptfsd, and kernel again. Only use it if you only want to encrypt a small amount of specific data. For those of us who regard encryption as being as fundamental as login passwords, it's not so useful.

Quote:
You can use LUKS without encrypting the operating-system files. You can organize the disk with, for example, / on a non-encrypted partition and /home, /tmp, and swap on an encrypted partition.

Yes, I only encrypt /home, /var, /tmp, and swap. Note that unless you encrypt swap, /tmp and /var, you risk secure data which is encrypted in its permanent storage being written to unencrypted volumes.

Gareth
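
A check for the leak described in post #6 (data reaching unencrypted swap, /tmp or /var), as an added example that is not part of the original thread. The function names `unencrypted_mounts` and `sample_lsblk` are hypothetical and the lsblk listing is constructed; it assumes each device has a single parent and that the checked paths are disk-backed (lsblk does not list tmpfs).

```shell
# Added example. Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin and
# prints "<path> <mount point> <device>" for every path in $1 whose backing
# device has no dm-crypt (TYPE="crypt") layer anywhere beneath it.
unencrypted_mounts() {
    awk -v want="$1" '
    function field(key,    s) {          # value of key="..." on this line
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    function resolve(p) {                # mount point that actually holds p
        if (substr(p, 1, 1) != "/") return (p in devs) ? p : ""
        while (!(p in devs) && p != "/") { sub("/[^/]*$", "", p); if (p == "") p = "/" }
        return (p in devs) ? p : ""
    }
    function on_crypt(dev,    hops) {    # walk parent devices looking for crypt
        for (hops = 0; dev != "" && hops < 32; hops++) {
            if (kind[dev] == "crypt") return 1
            dev = parent[dev]
        }
        return 0
    }
    { k = field("KNAME"); kind[k] = field("TYPE"); parent[k] = field("PKNAME")
      m = field("MOUNTPOINT"); if (m != "") devs[m] = devs[m] " " k }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) {
            m = resolve(w[i]); if (m == "") continue
            c = split(devs[m], d, " ")
            for (j = 1; j <= c; j++)
                if (!on_crypt(d[j])) print w[i], m, d[j]
        }
    }'
}
# Constructed sample: only /home sits on LVM over LUKS; / and swap are plain.
sample_lsblk() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}
sample_lsblk | unencrypted_mounts "/home/workuser /var /tmp [SWAP]"
```

On a real system, pipe `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` into the function instead of the sample; no output means every listed path has a dm-crypt layer under it.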
  #7  
Old 19th February 2012, 01:33 PM
flash3780 Offline
Registered User
 
Join Date: May 2011
Location: Cincinnati, Ohio
Posts: 68
Re: Encrypted User Directory?

Meh... multinational conglomerate #1 allows you to use your personal computer at home, not necessarily at work. But yeah... they're a little overboard on security to say the least. That said, going a bit overboard is better than the alternative, and they do have some good security policies, too (like encrypting laptops). Anyhoo, it's probably a good thing to do regardless.
  #8  
Old 19th February 2012, 06:42 PM
flash3780 Offline
Registered User
 
Join Date: May 2011
Location: Cincinnati, Ohio
Posts: 68
Re: Encrypted User Directory?

Good call on encrypting /home, /var, and /tmp. I'm wavering on whether I should encrypt my personal files as well... if the performance hit is small, maybe I can live with it. Lappy does a lot of number-crunching, though... so I'm leery of slowing the old girl down.

I've done a bit of reading and LUKS sounds like it's a bit of a command line adventure... and I'd better be backing up everything before I start... so I'm waiting until I have an afternoon to revive lappy just in case this gives her an aneurysm.
  #9  
Old 19th February 2012, 08:56 PM
Gareth Jones Offline
Official Gnome 3 Sales Rep. (and Adminstrator)
 
Join Date: Jul 2011
Location: Leamington Spa, UK
Age: 31
Posts: 2,750
Re: Encrypted User Directory?

Quote:
Originally Posted by flash3780
I've done a bit of reading and LUKS sounds like it's a bit of a command line adventure

The dm-crypt command line is surprisingly straightforward, but the Fedora installer can create LUKS volumes graphically. I'm not sure if there are any other graphical front-ends that can do it though.

Gareth
  #10  
Old 21st February 2012, 04:04 PM
japafi Offline
Registered User
 
Join Date: Mar 2010
Posts: 87
Re: Encrypted User Directory?

I have everything encrypted, except /boot (because it can't be encrypted). If your computer starts swapping to an encrypted swap partition, then your system will slow down a lot. Or perhaps I was unlucky when mine started to swap a lot.
In everyday usage, with no or very slight swapping (less than 50 megs of swap file), the system is fast and fine.
I have a ThinkPad T400, btw.
  #11  
Old 22nd February 2012, 04:33 AM
lensman3 Offline
Registered User
 
Join Date: Dec 2009
Location: Centennial, Colorado USA
Posts: 128
Re: Encrypted User Directory?

I use Truecrypt.

I put down truecrypt first and then format it ext4 on top of the encryption. The truecrypt site tells how to do it that way. I don't format it ext4 and then encrypt the file system. That way if the disk is stolen and put into another machine, the bytes on the disk look like noise and there is nothing that can tell anybody if the disk is ext4, ntfs or whatever. The disk has to be decrypted to see the file system.

It is a little clumsy to mount the disk under truecrypt read-only, and then do a fsck if you screw up the file system.

I use my encrypted disks for backup, so if my hardware is stolen they can't tell what is on the disk. Since the rainbow CDs now exist, make sure your pass-phrase is at least 15 characters. And since disks are so cheap you can hand border people the disk and walk away, since there would be no way for them to read the disk (unless you have a weak pass-phrase).

Tags
directory, encrypted, user
