[NCLUG] Encrypted Filesystems?

Chad Perrin perrin at apotheon.com
Sun Apr 15 11:46:25 MDT 2007 

On Sat, Apr 14, 2007 at 11:34:31PM -0600, Bob Proulx wrote:
> I am starting to play around with encrypted filesystems on a laptop.
> It seems like the obvious thing to do.  Then if it is lost or stolen
> the data is not exposed.
> 
> The simplest thing seems to be to create an encrypted physical volume
> and then use lvm on top of that.  Create a swap and root volume out of
> it and just have everything encrypted.  However then there is a
> performance penalty for everything.  (I don't know how that would
> affect playing video from disk for example.)
> 
> So of course I considered just an encrypted /home.  But I have a lot
> of source code that I normally keep in my home directory and building
> source there would seem to be a waste of cpu cycles.  I could link of
> of it I suppose.
> 
> So of course I thought about an additional filesystem that would be
> encrypted such as /mnt/encrypted.  I could just keep anything that I
> felt was important there.  But that is also a pain.
> 
> So of course I thought about simply encrypting the entire filesystem,
> and came full circle.
> 
> Being gripped by "analysis paralysis" I thought I would ask if other
> had given this very much thought?  And if so what they had decided to
> do on their laptop systems?

I'm not sure whether what you're saying indicates you've thought of this
or not, so I'll ask:

Have you considered creating a /mnt/encrypted (or wherever you want it)
filesystem, then creating a symlink to it in your home directory for
easy and effectively transparent access?

There's something else to consider in encrypting filesystems that
contain important data:

Do you have a reliable means of recovering your data if something goes
wrong with your encrypted filesystem?  Since you're talking about using
an encrypted filesystem on a laptop in case of theft, I tend to assume
you don't feel a need to encrypt the same data at home.  If that's the
case, a simple backup/sync when you attach to your home network on an
unencrypted volume, in case your laptop *is* stolen and you still need
access to the data, might be a good idea.  Of course, you could encrypt
it at home as well, and use the same key/authorization/whatever to
decrypt (depending on your encryption implementation), but if you don't
have to have it encrypted everywhere it might be a good idea to have
it stored in unencrypted form *somewhere* in case you lose the key you
need to unlock it.

This, by the way, is one of the reasons I don't trust proprietary
filesystem encryption: it's too easy for something entirely beyond my
control (but effectively in the vendor's control) to lock me out of my
own data.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
"It's just incredible that a trillion-synapse computer could actually
spend Saturday afternoon watching a football game." - Marvin Minsky

More information about the NCLUG mailing list