18th February 2012, 05:30 PM
Registered User
Encrypted User Directory?
Okay, so... my latest employer requires that laptops be encrypted so that their data doesn't end up in China or Mongolia or something. So... I'd like to both use my home laptop (F16) and comply with their security policy. However, I worry that encrypting the entire disk could slow lappy down.
Is it possible to create a user whose home directory is encrypted? I'm no encryption expert, but it seems doable. Essentially, I want to be sure that if the laptop is stolen, nobody can get to the company's data easily.
What I'd like to do is to create a separate login for company work and I'd like the disk encryption to be integrated into a user's login. I'm wondering if someone could recommend some encryption software for this sort of thing. I'm thinking that LUKS, TrueCrypt or eCryptfs might do the trick... but I'm not entirely sure. Any ideas?
Last edited by flash3780; 18th February 2012 at 06:12 PM.

18th February 2012, 06:51 PM
Official Gnome 3 Sales Rep. (and Administrator)
Re: Encrypted User Directory?
The most secure way is probably to use LUKS/dm-crypt to encrypt a dedicated partition and mount it on /home/workuser. Or why not encrypt the whole /home partition to protect your personal files too?
Another option is to use ecryptfs. That's a virtual file system that encrypts a directory and everything below it transparently. The files appear on the backing file system as individual encrypted files. You can choose to have ecryptfs encrypt the file names too, but it sometimes chokes on long file names. Ecryptfs is slower than LUKS too.
Gareth

18th February 2012, 10:29 PM
Registered User
Re: Encrypted User Directory?
Thanks, LUKS was what I was thinking as well. I'm a bit concerned about encrypting things that don't need to be encrypted though. Firstly, I imagine that it will slow everything down. Secondly, if the hard disk takes a dump and it's encrypted, I'd imagine that there's virtually no chance of getting any data which wasn't backed up back again.
So, I'm thinking that the best option is encrypting /home/workuser... but maybe I'm off base with my concerns. Anyhow, I'll use my google-fu now that I have a direction in which to google. Thanks!

19th February 2012, 12:38 AM
Registered User
Re: Encrypted User Directory?
It is tough to do a side-by-side comparison, but I don't think the difference in speed, if any, is noticeable. I've put LUKS on an Atom-powered netbook and it ran no worse than before. The bottleneck ought to be the spinning of the disk anyway.
You can use LUKS without encrypting the operating-system files. You can organize the disk with, for example, / on a non-encrypted partition and /home, /tmp, and swap on an encrypted partition.

19th February 2012, 12:53 PM
Registered User
Re: Encrypted User Directory?
From a non-technical perspective, I'm very surprised that an employer that would require encryption would ever allow you to use a personal laptop for company work. You might want to double check with them before you start on this exercise as you may be digging a hole for yourself.
The sort of sites I work on will not even allow a USB key on site, let alone a personal laptop. This would most likely result in you being arrested at gun point and escorted off site, and the items confiscated.
Z.
Caveat Emptor...

19th February 2012, 05:04 PM
Official Gnome 3 Sales Rep. (and Administrator)
Re: Encrypted User Directory?
Quote:
Originally Posted by amturnip
It is tough to do a side-by-side comparison, but I don't think the difference in speed, if any, is noticeable.
I haven't noticed any performance hit with LUKS/dm-crypt, but I've never bothered to test it.
I found eCryptfs to be slow when dealing with large directories, probably because of the round-trip between the file manager, kernel, eCryptfsd, and kernel again. Only use it if you only want to encrypt a small amount of specific data. For those of us who regard encryption as being as fundamental as login passwords, it's not so useful.
Quote:
You can use LUKS without encrypting the operating-system files. You can organize the disk with, for example, / on a non-encrypted partition and /home, /tmp, and swap on an encrypted partition.
Yes, I only encrypt /home, /var, /tmp, and swap. Note that unless you encrypt swap, /tmp and /var, you risk secure data which is encrypted in its permanent storage being written to unencrypted volumes.
Gareth
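
An added example (not part of any post in this thread) for the point above about swap, /tmp and /var: it reports which sensitive paths end up on a device with no dm-crypt layer beneath them, including paths that are not separate mounts and so live on an unencrypted /. The function name `unencrypted_mounts` and the sample `lsblk` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list mount points whose backing device has no dm-crypt layer.
# Reads `lsblk -P -n -o KNAME,PKNAME,TYPE,MOUNTPOINT` output on stdin.
unencrypted_mounts() {   # $1: space-separated paths, "[SWAP]" for swap
    awk -v want="$1" '
    function field(key,   line, s) {    # value of KEY="..." on this line
        line = " " $0
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub("^ " key "=\"", "", s); sub("\"$", "", s)
        return s
    }
    function on_crypt(k,   hops) {      # any crypt device in the parent chain?
        for (hops = 0; k != "" && hops < 16; hops++) {
            if (type[k] == "crypt") return 1
            k = parent[k]
        }
        return 0
    }
    {
        k = field("KNAME"); parent[k] = field("PKNAME")
        type[k] = field("TYPE"); mnt[k] = field("MOUNTPOINT")
    }
    END {
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) {
            bad = 0; best = ""; bestlen = 0
            for (d in mnt) {
                m = mnt[d]
                if (w[i] == "[SWAP]") {             # every swap area must be on crypt
                    if (m == "[SWAP]" && !on_crypt(d)) bad = 1
                } else if (substr(m, 1, 1) == "/" && length(m) > bestlen &&
                           (m == "/" || w[i] == m || index(w[i], m "/") == 1)) {
                    best = d; bestlen = length(m)   # longest mount point containing the path
                }
            }
            if (best != "" && !on_crypt(best)) bad = 1
            if (bad) print w[i]
        }
    }'
}

# Constructed sample: only /home is on LUKS; /var and /tmp live on the plain / partition.
SAMPLE='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda4" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda4" TYPE="crypt" MOUNTPOINT="/home"'

printf '%s\n' "$SAMPLE" | unencrypted_mounts "/home/workuser /var /tmp [SWAP]"
```

On a live system, pipe the `lsblk` command from the header comment into the function instead of the sample. `lsblk` only lists block devices, so a /tmp on tmpfs is judged by the / filesystem here, and its pages can still reach swap.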

19th February 2012, 01:33 PM
Registered User
Re: Encrypted User Directory?
Meh... multinational conglomerate #1 allows you to use your personal computer at home, not necessarily at work. But yeah... they're a little overboard on security to say the least. That said, going a bit overboard is better than the alternative, and they do have some good security policies, too (like encrypting laptops). Anyhoo, it's probably a good thing to do regardless.

19th February 2012, 06:42 PM
Registered User
Re: Encrypted User Directory?
Good call on encrypting /home, /var, and /tmp. I'm wavering on whether I should encrypt my personal files as well... if the performance hit is small, maybe I can live with it. Lappy does a lot of number-crunching, though... so I'm leery of slowing the old girl down.
I've done a bit of reading and LUKS sounds like it's a bit of a command line adventure... and I'd better be backing up everything before I start... so I'm waiting until I have an afternoon to revive lappy just in case this gives her an aneurysm.

19th February 2012, 08:56 PM
Official Gnome 3 Sales Rep. (and Administrator)
Re: Encrypted User Directory?
Quote:
Originally Posted by flash3780
I've done a bit of reading and LUKS sounds like it's a bit of a command line adventure
The dm-crypt command line is surprisingly straightforward, but the Fedora installer can create LUKS volumes graphically. I'm not sure if there are any other graphical front-ends that can do it though.
Gareth

21st February 2012, 04:04 PM
Registered User
Re: Encrypted User Directory?
I have everything encrypted, except /boot (because it can't be encrypted). If your computer starts swapping to an encrypted swap partition, then your system will slow down a lot. Or perhaps I was unlucky when mine started to swap a lot.
In everyday usage, with no or very slight swapping (less than 50 megs of swap file), the system is fast and fine.
I have a ThinkPad T400, btw.

22nd February 2012, 04:33 AM
Registered User
Re: Encrypted User Directory?
I use Truecrypt.
I put down truecrypt first and then format it ext4 on top of the encryption. The truecrypt site tells how to do it that way. I don't format it ext4 and then encrypt the file system. That way if the disk is stolen and put into another machine, the bytes on the disk look like noise and there is nothing that can tell anybody if the disk is ext4, ntfs or whatever. The disk has to be decrypted to see the file system.
It is a little clumsy to mount the disk under truecrypt read-only, and then do a fsck if you screw up the file system.
I use my encrypted disks for backup, so if my hardware is stolen they can't tell what is on the disk. Since the rainbow CDs now exist, make sure your pass-phrase is at least 15 characters. And since disks are so cheap you can hand border people the disk and walk away, since there would be no way for them to read the disk (unless you have a weak pass-phrase).