When installing I'm given the option of encrypting my home folder -- what does this do?
Solution 1:
Simply
- Encrypting your home folder doesn't actually make your computer more secure - it simply makes all the files and folders in your home folder more secure from unauthorized viewing.
- Your computer is still "vulnerable" from a security standpoint - but it becomes very difficult for your content to be stolen (unless the attacker has your password).
- You won't need to actually enter your password any more than you normally do - when you log in to your computer your files are seamlessly decrypted for just your session.
- There is a possibility (depending on your computer's hardware) that this will affect the performance of your machine. If you're worried about performance more than security (and you're on an older machine) you may wish to disable this feature.
Technically
Ubuntu uses "eCryptfs", which stores all the data in a directory (in this case the home folders) as encrypted data. When a user is logged in, that encrypted folder is mounted with a second decryption mount (this is a temporary mount that works similarly to tmpfs - it's created and run in RAM so the files are never stored in a decrypted state on the HD). The idea is - if your hard drive is stolen and the contents read, those items aren't able to be read since Linux needs to be running with your authentication to create the successful mount and decryption (the keys are SHA-512 encrypted data based off several user aspects - the keys are then stored in your encrypted key ring). The end result is technically secure data (as long as your password isn't cracked or leaked).
You will not have to enter your password any more than usual. There is a slight increase in disk I/O and CPU usage which (depending on your computer specs) may hinder performance - though it's quite seamless on most modern PCs.
Solution 2:
There's a nice article on the topic written by the Ubuntu developer himself, please see: http://www.linux-mag.com/id/7568/1/
Summary:
- A combination of LUKS and dm-crypt is used for whole-disk encryption in Linux. Ubuntu uses the Enterprise Cryptographic File System (eCryptfs) from version >= 9.10 to enable home drive encryption on login.
- An upper and lower directory are created, where the upper directory is stored unencrypted in RAM, granting access to the system and current user. The lower directory is passed atomic, encrypted units of data and stored in physical memory.
- File and directory names use a single, mount-wide fnek (file name encryption key). The header of each encrypted file contains an fek (file encryption key), wrapped with a separate, mount-wide fekek (file encryption key, encryption key). The Linux kernel keyring manages keys and provides encryption via its common ciphers.
- Using an eCryptfs PAM (Pluggable Authentication Module) does not break unattended reboots, unlike typical full-disk encryption solutions.
- The eCryptfs layered filesystem enables per-file, incremental, encrypted backups.
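To see the upper/lower directories and the fnek/fekek split summarized above on a running system, the sketch below parses `/proc/mounts`-style text and reports each eCryptfs mount. It is an added example, not part of any answer or of eCryptfs itself; the sample mount lines, paths and signature values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of /proc/mounts content; signatures are made-up placeholders.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=1111111111111111,ecryptfs_sig=2222222222222222,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/srv/My\\040Vault/.lower /srv/My\\040Vault/plain ecryptfs rw,relatime,ecryptfs_sig=3333333333333333,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 0 0
"""

def unescape(field):
    """Decode the octal escapes (\\040 = space) the kernel uses in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def ecryptfs_mounts(mounts_text):
    """Return one dict per eCryptfs mount found in /proc/mounts-style text."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "ecryptfs":
            continue
        # "key=value" options become dict entries; bare flags map to "".
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        found.append({
            "lower": unescape(fields[0]),   # encrypted files as stored on disk
            "upper": unescape(fields[1]),   # decrypted view while mounted
            "cipher": opts.get("ecryptfs_cipher"),
            "key_bytes": int(opts.get("ecryptfs_key_bytes", 0)),
            # ecryptfs_sig names the mount-wide key that wraps each file's fek
            # (the "fekek" in the summary); ecryptfs_fnek_sig names the fnek.
            "fekek_sig": opts.get("ecryptfs_sig"),
            "fnek_sig": opts.get("ecryptfs_fnek_sig"),
            "filenames_encrypted": "ecryptfs_fnek_sig" in opts,
        })
    return found

def home_is_encrypted(mounts_text, home):
    """True if `home` is the upper (decrypted) side of an active eCryptfs mount."""
    return any(m["upper"] == home for m in ecryptfs_mounts(mounts_text))

if __name__ == "__main__":
    # On a live system: ecryptfs_mounts(open("/proc/mounts").read())
    for mount in ecryptfs_mounts(SAMPLE_MOUNTS):
        print(mount)
```

A mount without `ecryptfs_fnek_sig` still encrypts file contents but leaves file and directory names readable in the lower directory, which is worth knowing before relying on it for backups or a stolen-disk scenario.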
Solution 3:
Less technical answer, as requested by OP.
Security benefits of encrypted Home via ecryptfs as in Ubuntu:
- Will not require any additional passwords or keys to be remembered or entered.
- Does not make your computer more secure on a network, e.g. on the internet.
- If the computer is shared between several users, provides an additional barrier against other users accessing your files. (Difficult technical discussion.)
- If an attacker gains physical access to your computer, e.g. steals your notebook, this will protect your data from being read by the thief. (If the computer is off they cannot read your data without your password. If the computer is switched on and you are logged in, it's possible for a thief to steal your data, but that requires a more advanced attack and is therefore less likely.)