This Week: Encrypt /home campaign updates

23 December 2007

So a couple of weeks ago, I challenged all you warriors, well at least those of you using Linux on your laptops, to encrypt your /home directory by Christmas.


Doing everything up to and before the 25th December is of course the modern way of celebrating Christmas. In older times, it was the other way up: the 25th December was just the first day of Christmas, and Epiphany (January 6th) was the big climactic celebration (where people swapped presents, wore crowns and got drunk), so it is still a great time to start protecting your home directory ;)

Some of you are fellow ramblers and have discussed the campaign in your blogs, thanks for that. Here is a quick run through of the posts that I can currently spot in my RSS Reader. There are probably a few more out there, so if I have missed your blog, apologies, please let the world know about it by leaving a comment.

  • Andrew Perry mentions that you can also set a master password in Firefox to protect your saved passwords, rather than the default, which is to let anyone who has access to the browser view and use the saved passwords.
  • Mike rewrites the instructions according to what he did, a great idea. He argues that on Gentoo cryptsetup is the ebuild you want; apparently cryptsetup-luks is old hat as the main cryptsetup ebuild contains LUKS now.
  • Menelkir sails into another minor problem: if you use the Ubuntu graphical boot splash then you can't see when it asks for the password, d'oh! His solution is to turn off the splash screen; this is a good idea anyway as you can see what your system is up to more generally.

Another approach for those who want to keep the splashiness would be to change the init scripts so that they don't try to mount /home so early, and then make the system ask for the password when you are at the login manager. There is a script for this called gcryptmount, and a Gentoo wiki page about how to use it. It shouldn't be too hard to fiddle with a few paths so it works on Ubuntu.

  • Albert doesn't appear to be a believer yet. He argues that he never lets his laptop leave his person. However, I would point out that I do not either, but you only have to lose it once.

As regular readers will know, I had my Gentoo-running Macbook stolen from my digs while I was at work. Even worse, I once heard of a person having their laptop stolen at knife-point by some crackhead.

Perhaps these are extreme examples but it is so easy to set up encryption on Linux that I think everyone should do it anyway. I have been using the encrypted /home for a month and I cannot notice any performance impact at all.

After all, compared to Windows or OS X, the Linux desktop does not actually use much in the way of system resources in general. I have about 20 programs open, and about 40 browser tabs, and it is only using half of my laptop's RAM and the processor runs between 5% and 30%. Even in the unlikely event that I do something extremely intensive that maxes the laptop out, there will be lots of other bottlenecks that will need to be solved before the speed of writing or reading from /home becomes an issue.

  • As Justin points out (put on your best Marlon Brando Godfather voice), "Do it or you may regret it later". So don't say we didn't tell you!

Lastly, to all you Warriors out there, have a very Merry Christmas and a Happy New Year!

1 Christer Edwards says...

The approach I have been using since Ubuntu 7.10 came out was the encrypted-everything option at installation. The installer (alternate, not LiveCD) supports full file system encryption at install time & prompts you for the passphrase during the usplash.

Everything but /boot is encrypted. Encrypted /, swap, etc.

Posted at 4:58 p.m. on December 23, 2007


2 Daniel says...

I ended up having to do the same thing Mike came up with above. For whatever reason on a fresh install of Gentoo on my laptop (hard drive was wiped during warranty service) the instructions given for cryptsetup-luks worked for everything but auto-mounting and I needed to use cryptsetup to get it to work. I don't use Ubuntu, but I assume the crypttab configuration is *buntu specific.

Still, I've got my encrypted /home now (encrypting / seems a little overkill as I'm not running any servers on my laptop). Thanks for providing the inspiration to do so!

Posted at 5:19 p.m. on December 23, 2007


3 Zeth says...

@Christer

Yeah the encryption from within the Ubuntu installer is pretty nice. Hopefully, the LiveCD will too.

My suggested approach of encrypting /home was aimed to be an easy first step that people who have already installed systems could take now.

I think in the long run, encrypted filesystems will be the default for everyone on Linux, once the graphical tools are updated to make it effortless and in the background.

@Daniel crypttab configuration is *buntu specific.

Quite possibly. I am straddling both the Gentoo and Ubuntu horses at the moment because neither on their own have everything I want right now. My new laptop is currently only Ubuntu because of Bug 173117 (Gentoo won't install from USB) and a lack of time to work around it. Both should be sorted out in a few weeks' time I hope.

Posted at 6:54 p.m. on December 23, 2007



About

Hello, my name is Zeth, I'll be your host here.

Command Line Warriors is about taking control of your own technology, it looks at our experiences of computing; especially using GNU/Linux, the Python programming language, the command-line and issues such as techno-ethics, best practices and whatever is cool now. If you take control of your technology then you are a Warrior too!

This site is your site too which means that you can contribute and get involved. You can leave comments using the facility provided. For me, the comments and discussions are by far the best part of the site. So please do have your say!
