Encrypt your /home this Christmas: part one - background
8 December 2007
Laptops can get lost and stolen. Besides the inconvenience and cost of replacing it, there is the potential for your personal data to end up in the hands of an identity thief.
I have not finished everything I need to do, so I am taking my new laptop with me over the Christmas holidays. This reminded me that it was about time I encrypted my /home directory. In this article I will explain how I did it. It took a little trial and error, but the good news is that now I have figured out the theory, the process is surprisingly easy.
Are you using encryption on your laptop? If not, then like me, it is about time you did!
The Plan
- Firstly, in this post I will explain the theoretical issues, i.e. the benefits and shortcomings of my approach to encryption.
- Secondly, we will set up the encrypted partition at a dummy mount point and check that it works.
- Thirdly, we will copy our files to the encrypted partition, set the encrypted partition to be mounted as /home and then shred the old unencrypted copies of our files.
Remember that improvements will be heartily accepted. In other words, despite the fact that it is the weekend so I haven't shaved today, it will take me quite a while to get the complete Bruce Schneier beard.
Don't rely on Security through Obscurity
Even before encryption, there was a certain amount of pseudo-security in my previously unencrypted setup. If you turn the laptop on, it boots Linux and then asks for a password.
So the thief has to really care enough about my data to get it. Firstly, all the data is stored on a native Linux filesystem that Windows-based cracking tools are unlikely to support, so they have to go and get a Linux live CD. My subnotebook does not have legacy optical devices, so they need an external CD drive too. Lastly, they need enough Linux knowledge to know how to mount my partitions and know the layout of the Linux filesystem, e.g. how to find the Mozilla password file or whatever.
A few years ago, this would have been such an unlikely scenario that one could have argued that it does not warrant any further security. And still today, in all likelihood a thief would just sell it on as soon as possible; statistically, these kinds of petty thieves are often trying to feed a drug habit. However, they may sell the laptop on to criminal gangs who launder laptops by installing unauthorised copies of Windows and then selling them on eBay or wherever; these criminals would have no qualms about profiting from your private data.
Add in the fact that over the last year or two, Linux has become the second most used desktop operating system, with at least 2-3 Linux users for every Mac user, so it is good to start thinking about locking down our data as familiarity with Linux is becoming exponentially more commonplace.
No place like /home
There are various ways to go. At one end of the scale is whole disk encryption: do the whole lot. At the other end is making just a filestore for sensitive documents and manually moving the documents you want secured into it.
My priority is to protect myself from potential identity theft in the event of having another laptop stolen. So as my first step forward, I have decided to go for an encrypted /home partition. This will help protect my passwords, email and files with little or no discernible effect on performance.
Caveats to this approach
There are a few theoretical shortcomings with this approach. It only works if the thief steals the laptop while it is turned off. If the laptop is stolen while turned on, then the partition will be mounted, and the encryption itself can be compromised by reading the keys out of RAM or swap. Even worse, if the swap is not cleared on shutdown, some data may be left there. However, the downside of encrypted swap is that it might break hibernation.
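The swap caveat above is easy to check for on your own machine. The following is an added example, not code from the original post: a small POSIX shell function that reads text in the kernel's /proc/swaps layout and lists every swap area that is not a device-mapper node. It assumes that an encrypted swap appears as /dev/mapper/* or /dev/dm-* and that anything else (a raw partition, a swap file) is plain; the sample /proc/swaps content and the mapping name cryptswap are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Lists swap areas that are not
# backed by a device-mapper node, i.e. places where pages (possibly holding
# passphrases or keys) can land on disk unencrypted.
#
# Assumptions: /proc/swaps has the columns "Filename Type Size Used Priority"
# with one header line, and encrypted swap shows up under /dev/mapper/ or as
# /dev/dm-N. A mapper node is not proof of encryption (LVM uses it too), so
# confirm with cryptsetup status if in doubt.

# plain_swaps: read /proc/swaps-formatted text on stdin, print one
# unencrypted swap path per line.
plain_swaps() {
    awk 'NR > 1 { print $1 }' |            # drop the header, keep the path
    while IFS= read -r dev; do
        case "$dev" in
            /dev/mapper/*|/dev/dm-*) ;;      # device-mapper: treated as encrypted
            *) printf '%s\n' "$dev" ;;       # raw partition or swap file: plain
        esac
    done
}

# Constructed sample of /proc/swaps for running offline. The mapping name
# "cryptswap" is made up for the example.
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/sda5                               partition	2097148	0	-2
/dev/mapper/cryptswap                   partition	4194300	0	-3
/swapfile                               file		1048572	0	-4'

# report_plain_swaps: print the plain swaps found in the given text, or a
# one-line all-clear. Returns 1 when plain swap is present so it can be
# used in scripts.
report_plain_swaps() {
    found=$(printf '%s\n' "$1" | plain_swaps)
    if [ -n "$found" ]; then
        printf 'unencrypted swap in use:\n%s\n' "$found"
        return 1
    fi
    printf 'no unencrypted swap found\n'
    return 0
}

# Run against the constructed sample, then against the real kernel table
# if this is a Linux box where it is readable.
report_plain_swaps "$SAMPLE_SWAPS" || true
if [ -r /proc/swaps ]; then
    report_plain_swaps "$(cat /proc/swaps)" || true
fi
```

On the sample input the report names /dev/sda5 and /swapfile and leaves the mapper device alone. If your own /proc/swaps shows a raw partition, that is exactly the gap described above: after a crash, or with hibernation writing memory to swap, the mounted /home's keys may be sitting there in the clear.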
The second shortcoming is that the encryption keys are stored on the same computer as the encrypted data. One way around this would be to put the keys on a USB stick and not have them on the machine itself.
The problem with having the keys on the machine is that (in theory) the thief could take an image of your hard disk, upload it to a supercomputer and then perform a dictionary-based attack; eventually the supercomputer would guess the right password. It is perhaps unlikely that the thief has access to a supercomputer and the required cryptographic skills to pull this off. However, even if he has, it may still take several weeks or more to break a strong password, by which time I could have changed all my passwords.
Thirdly, encryption is not a magic bullet; for example, this approach does nothing against an attack from the network while your computer is on.
In summary, it won't stop the US National Security Agency, but it should foil an identity thief if my laptop is lost or stolen. So even after these caveats, my simple approach is still far superior to doing nothing.



1 yoblin says...
Linux is the second most-used operating system? I really don't think so:
http://itmanagement.earthweb.com/article.php/3704431
Posted at 5:48 p.m. on December 10, 2007
2 Zeth says...
Thinking doesn't matter, web hits on a selection of English corporate sites don't matter. A defensible methodology is what matters.
I have posted before about this and will post again so don't want to go through it here. Apple claims to have 22 million users, Linux has ~30-40 million in the English speaking world and Europe (many of which dual boot), plus an unknown number in the developing world (perhaps the same again).
Posted at 7:38 p.m. on December 10, 2007