encrypted home directory / wrapped-passphrase

Nolan 4030man at gmail.com
Sat Jul 21 11:50:51 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/20/2012 07:52 AM, Basil Chupin wrote:
> On 20/07/12 07:26, scar wrote:
>> Hi, I used the ecryptfs-migrate-home command to encrypt my home
>> directory, and during that process I am told:
>>
>> ************************************************************************
>> YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
>>    ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
>> THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
>> ************************************************************************
>>
>> So I run that command and get the ~/.ecryptfs/wrapped-passphrase file,
>> which it seems to me should be moved elsewhere, like removable storage,
>> since it sounds like this file is to be used when I forget my password.
>>
>> However, when I move that file, my home directory no longer gets
>> decrypted when I log in and I get all these errors starting with one
>> about .ICEauthority file or something.
>>
>> If I move that wrapped-passphrase file back to ~/.ecryptfs then things
>> get decrypted when I log in.  So it seems like that file is necessary,
>> but it's also stored in an unencrypted location for whoever steals my
>> computer to use to decrypt my home directory, defeating the whole point
>> of encryption.  I guess I'm obviously not understanding something here,
>> can someone clarify?  Thanks
> 
> You should look carefully into this question of encrypting your home directory.
> 
> Doing such an encryption of your home directory under the belief that you are actually
> making the data stored in /home totally secure is a delusion.
> 
> For example, on one of my computers I have the /home encrypted.
> 
> WOW, I thought. All this data is now safe!
> 
> Well, I have an external HDD which I use for backing up my /home directory. But what I
> found is that anyone can read that backed-up /home directory on the external HDD because
> once you copy it you lose all the encryption UNLESS you have the destination also
> encrypted. I won't explain further but I think I have my point.
> 
> Now for the next part.
> 
> I did an upgrade to my system - it was an upgrade of the kernel actually - after which I
> could not boot into the system. Nothing I tried to do could get me into the system using
> Rescue Disc etc etc because I had an encrypted /home directory and I needed to provide the
> passphrase in order to be able to access /home but nothing in the Rescue Disc asked me for
> such a passphrase - the only thing it was interested in was to be able to mount the /home
> partition, which, of course, was encrypted.
> 
> After fooling around for a few days and agonising about the thought of losing all data
> (some irreplaceable) in the /home directory, I discovered a few simple command line
> entries which completely bypassed the encryption I had on my /home directory and allowed
> me to boot into the system and fix up the mess created by the upgrade to the kernel! So
> much for encryption!
> 
> I then abandoned the whole idea of encrypting the /home directory as a complete waste of
> time and effort.
> 
> You want security and encryption? Then encrypt your whole installation/file system and not
> just your /home directory. But if you go this way it will be at a cost of slowing down the
> operation of your whole system.
> 
> Take some time off and read up about encryption/encrypting your file system - and NOT just
> your /home directory.
> 
> BC
> 

Basil...
Would zipping the "/home" directory and giving it a strong password
accomplish all or at least most of what you want?
Nolan
- -- 
Nolan Cooper Linux User: 190812 Debian/Ubuntu-12.04==*Precise Pangolin*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQCpebAAoJEHKiXEDuyrm+WxUIAJgu/gyJVJa9rfx8dmlBIvpC
/sXz+dIcEpEa2RzV80clvELUMj0LtY6xetvaHGyUwAGaoUkQzXCsYsRUhEs6wBuQ
/UsSFGLoPvfJNz0zXwT7/40nAbFniy3Uq19GQiNRNr3VhmHs6vG+awtwsQ0kFBv3
IYa49geuDLYcnxDYLVDuJj7GMhgsF8XDFU5FIPE5aYbXgcUE0mMzzNkurp6lbDNw
cCsGgjjT7feHxftmcE1oKVE2t52EOh8pWBWGGLr3MR4bQVEW0xhzOCsBwaeboPsT
/AbqZaOsv8BySc1W9r1zTswp0Ft2f+oWXp2LHL19neiv4V+biiNAzHx0dcAEm/I=
=rb64
-----END PGP SIGNATURE-----
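As an added example (not part of this thread, and not code from the ecryptfs-utils project), here is a small Python model of what ~/.ecryptfs/wrapped-passphrase holds: the randomly generated mount passphrase, stored encrypted under a key derived from the login passphrase. It illustrates both observations in scar's question: login needs the wrapped file (the PAM module unwraps it with the login password to mount the home directory), while the file on its own does not yield the mount passphrase without that login password, and the value printed by ecryptfs-unwrap-passphrase is the bare mount passphrase, which is what has to be recorded somewhere safe for recovery. The cipher construction (PBKDF2, an HMAC-SHA256 keystream and an HMAC tag) is constructed here for illustration and is not eCryptfs's on-disk format; the function names and the iteration count are assumptions.

```python
"""Constructed model of a wrapped mount passphrase (illustration, not eCryptfs's format)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # constructed value; the real tool has its own KDF parameters


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode, standing in for a stream cipher (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(login_passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the login passphrase into an encryption key and a separate MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", login_passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def generate_mount_passphrase() -> str:
    """eCryptfs picks a random 128-bit mount passphrase shown as 32 hex characters; same shape here."""
    return os.urandom(16).hex()


def wrap_passphrase(mount_passphrase: str, login_passphrase: str,
                    salt: Optional[bytes] = None, nonce: Optional[bytes] = None) -> bytes:
    """Return a blob (salt || nonce || tag || ciphertext) that only the login passphrase opens."""
    salt = os.urandom(16) if salt is None else salt
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = _derive_keys(login_passphrase, salt)
    plaintext = mount_passphrase.encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unwrap_passphrase(blob: bytes, login_passphrase: str) -> str:
    """Recover the mount passphrase; raise ValueError when the login passphrase is wrong."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(login_passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong login passphrase (or corrupted wrapped-passphrase file)")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def login_mount_key(wrapped_file: Optional[bytes], login_passphrase: str) -> Optional[str]:
    """Model of login: a moved-away wrapped file or a wrong password leaves nothing to mount with."""
    if wrapped_file is None:
        return None  # this is the failure scar saw after moving the file away
    try:
        return unwrap_passphrase(wrapped_file, login_passphrase)
    except ValueError:
        return None


if __name__ == "__main__":
    mount_pw = generate_mount_passphrase()
    wrapped = wrap_passphrase(mount_pw, "correct horse battery staple")  # constructed login password
    # What ecryptfs-unwrap-passphrase prints and what should be kept off the machine:
    print("record this mount passphrase:", unwrap_passphrase(wrapped, "correct horse battery staple"))
    print("login with the file present :", login_mount_key(wrapped, "correct horse battery staple") == mount_pw)
    print("login with the file moved   :", login_mount_key(None, "correct horse battery staple"))
    print("file alone, wrong password  :", login_mount_key(wrapped, "guess"))
```

The point for a defender is the split this models: the wrapped file on disk is only useful together with the login passphrase, and the recorded unwrapped value is the one secret that must leave the machine, since it alone mounts the data if the login passphrase or the wrapped file is ever lost.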