The Challenge: Encrypt your laptop's /home directory before Christmas
12 December 2007
The reason: people lose laptops
The Eden project lost an unencrypted laptop containing sensitive personal data on all 500 employees; bad but small beer when Posh retailer Marks and Spencer lost an unencrypted laptop containing sensitive data on 26,000 of its staff
A hospital lost the personal details of 11,500 children when an unencrypted laptop disappeared. A bank lost an unencrypted laptop with data about 11 million customers on and was fined for it.
Even the US Department of Homeland Security lost data on 100,000 staff, when an unencrypted external hard-drive went missing. Not to mention that Britain's top spies lose unencrypted laptops with sensitive data on. It goes on and on.
Some of this is down to archaic working practices, using office software when you should be a server-hosted applications, managers should not be wandering around with monster spreadsheets in their laptops, the information should be locked down on a rock-solid server inside a secure data centre.
However, it is also due to the laptops not running encryption at all. If someone steals a laptop with strong encryption, the data is completely unreadable to almost anyone on earth, give or take an American agency or two (probably just one).
Use Encryption, yes especially you Linux users
You can't always guarantee the physical security of mobile computers, indeed I myself had one stolen this year. However, on Linux, there is no need to leave yourself open to identity or data theft. Indeed if you are using Linux and you ended up at this blog post somehow, then you are highly likely to either work in IT or be otherwise highly technically competent. In other words, you have no excuse.
Encryption is easy to set-up, the approach I've outlined here does not require a reinstall, we are just going to swap out your home directory for an encrypted home partition. The simplest possible approach, but a big step forward in security for many of us.
You can follow my approach:
- In the introductory post, we look in general at the approach to encryption that we are undertaking.
- In the second post, we setup an encrypted partition at a dummy mount point.
- In the third post, we copy our files to the encrypted partition, set the encrypted partition to be mounted as /home and then shred the old unencrypted copies of our files.
There are also many other guides out there, including:
- System Encryption DM-Crypt with LUKS - Gentoo Wiki
- A Structured Approach to Hard Disk Encryption (for Gentoo)
- Gentoo - Disk cryptography with dm-crypt
- Encrypted Filesystem Howto - Ubuntu Community Help
- Ubuntu Encrypted Filesystems Installer - straight from the graphical installer!
- Encrypting a full partition with LUKS (On Debian)
- Encrypted Root File System with SUSE HOWTO
- LUKS community documentation
- Encrypted Filesystems - Mandriva Wiki
- Disk encryption in Fedora Past, present and future
- Encrypting your swap then root partitions on Fedora
Spread the Word
Please do help with the campaign to get (at least) /home encrypted on all our Linux laptops by Christmas. Feel free to email this to your friends and user groups, if you have a website or blog then please link here, or even write a better version of your own!
Please also use the Digg entry, StumbleUpon or whatever cool social networking thing that you use.
Lastly, every campaign needs a sticker, so here it is:
Feel free to use it. Also, if it helps, here is some pre-made link code that you can slap on your blog/web site:
- ::
- <a href="http://commandline.org.uk/xmas"> <img src="http://commandline.org.uk/images/christmas.png" alt="Encrypt Home By Christmas" width="300" height="100" /></a>
What are you waiting for? Secure your /home!
1 Albert says...
Hi Zeth - encrypting home is a great idea, also for general unix system administration. Unfortunately the umask environment setting isn't very flexible, so if you have a multi-user environment, you need to keep it at least 027, but then your home files are world readable. By encrypting your home, other users can access the encrypted files, but they are encrypted and undecipherable. I do the same with my wiki software.
Posted at 6:37 p.m. on December 14, 2007
2 Albert L says...
This is a great idea for a technologically ignorant thief, but more sophisticated attacks can by-pass the encryption, accessing the DRAM after the computer is powered down.
http://www.freedom-to-tinker.com/?p=1257
The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. The full paper can be found at:
http://citp.princeton.edu/memory/
Their conclusions have been independently verified, as well. For the replies of Microsoft, Apple, and PGP, see
http://www.news.com/8301-13578_3-9876060-38.html
Against techno-savvy thieves, encryption is obviously a limited solution.
Posted at 11:04 a.m. on February 25, 2008
3 Zeth says...
Hi Albert,
Most Linux users walk around with unencrypted personal data on their laptops. This is just security through obscurity, and Linux is far less obscure than it once was.
Any identity thief with a Linux LiveCD or a Linux box can mount the laptop drive and get the data. This is a real attack that can be used by anyone who gains physical position of the drive.
My approach stops this level of technosavvy-ness. But of course, security is a process, a journey not a destination, and one would want many layers of security. Because there is a new more unlikely attack, should not stop one preventing this more likely and more common attack.
I myself shutdown and power-down my laptop when on the move, I do not suspend it. Unless the thief has a handy supply of liquid nitrogen, they have to get my laptop into their lab and boot the new OS within a few minutes of shutdown or the data in the RAM has faded.
Posted at 1:19 p.m. on February 25, 2008