On the road again: Encryption

NoOp glgxg at sbcglobal.net
Fri Feb 24 00:20:17 UTC 2012 

On 02/22/2012 12:16 PM, Kaj Haulrich wrote:
> On 02/22/2012 07:45 PM, Christopher A. Lindsey wrote:
>> Hello to list!
>>
>> Well, I've been trapped behind a desk for awhile and am now going back
>> on the road.
>>
>> I'm planning to take my laptop running Ubuntu 11.10.
>>
>> I've been reading and reading about the available options for encrypting
>> my system and many of the articles/posts are very instructive.  However,
>> many of them seem very much out of date and even contradicting.
>>
>> My laptop will contain company information, client information and
>> personal information.  It's critical that this data not fall into
>> unscrupulous hands due to loss or theft.
>>
>> I would like to fully encrypt the system to ensure no data can  be
>> salvaged.  Especially, client information.
>>
>> I'd like to use TrueCrypt as I'm some what familiar with it.  However,
>> with the new full disk encryption available for Ubuntu I though  it
>> would be a good idea to ask if anyone has any thoughts on which would be
>> a better option.
>>
>>  From what I've been reading, it appears I'd have to do a fresh install
>> to use either one.
>>
>> Anybody have any thoughts?
> 
> Well, I run my /home partition encrypted with the built-in encryption 
> tool. It runs absolutely fine, and from what I have read, it should be 
> impossible to crack without a supercomputer running for years. It does 
> require a fresh install and formatting - including the swap partition.

Actually that is incorrect. You can easily encrypt your home folder and
swap without doing a fresh install. Simply use ecryptfs-migrate-home and
ecryptfs-setup-swap (the later will require also installing cryptsetup).
I've done this on virtual machines as well as several of my work
systems. See:

<http://blog.dustinkirkland.com/2011/02/long-overdue-introduction-ecryptfs.html>


Note: this is relatively simple, but I *highly* recommend trying it a
few times on a virtual machine or a test machine before using it on your
actual working /home. And of course, backup beforehand. Also, Dustin
fails to mention that you really need to run ecryptfs-migrate-home while
logged in as another user with adminstrative rights. Easyest is to creat
a 'test' user, give it admin rights, log out of your user & log in as
'test'. Then run:

Get the packages:
$ sudo apt-get install ecryptfs cryptsetup
Set up an encrypted swap:
$ ecryptfs-setup-swap
Encrypt the /home directory of the regular user:
$ sudo ecryptfs-migrate-home -u <user>

Do *not* logout, but instead use switch user to your your <user>. Log in
and ensure that the you can read/write to the encrypted home. If so run
ecryptfs to generate a restore passphrase:

$ sudo ecryptfs-unwrap-passphrase

Save the output to a device other than the encrypted device (usb, paper,
other drive etc).

*don't delete anything yet ala the 'and you should remove
/home/<user>.<randomLetterNumbers> - only delete that folder after you
are positive that all is working following a few reboots.

If you cannot login as <user> and read/write, switch back to 'test' and
rename the /home/<user> & then rename /home/<user>.<randomLetterNumbers>
to /home/<user>. Now try switching to/logging in to <user> to make sure
the uncrypted data has been restored.

Also see:
http://ecryptfs.sourceforge.net/ecryptfs-faq.html

> 
> I don't know if it's mandatory to partition your disk, but it certainly 
> will not harm. Why encrypt the whole disk? - If you keep everything 
> within your /home it seems like overkill to me...

Encrypting the entire disk/partition has the advantage of keeping
information that can/could be accessable containing user passwords &
other sensitive information (/var /tmp /etc /swap). You may keep your
primary data in /home/user/, however several programs keep your
passwords for those programs in a / directory. Generally the password is
"root" owned and therefore "protected" as you'd need to know the
root/user password to access/view. However, that is pretty much
non-secure if you have physical access to the machine.

> 
> Speaking of overkill: you could furthermore secure your *really* 
> sensible date - like passwords - in an extra encrypted directory. For 
> example with ccrypt. Just compress it with tar.gz end then run ccencrypt 
> on it. It uses the Rijndael cipher, which is the U.S. government's 
> chosen candidate for the Advanced Encryption Standard (AES).
> 
> Regards
> Kaj Haulrich.

Best advice (IMO) is to encrypt the entire partition/drive if possible,
encrypt at least /home/<user> & swap if not. And then take Karl's
advise: "The best precaution is not to take the data with you at all"...
or at least only take what is necessary & then do that on an encrypted
usb stick or similar.

More information about the ubuntu-users mailing list