Encrypted Lock Screens?

security encryption

I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?


Solution 1:

I thought the same thing, which is how I found your question.

But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.

So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.

Solution 2:

Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.

It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.

Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.

Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.

Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.

Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.

Related

Transparent window title bar
Pulseaudio card-profile for Focusrite Scarlett 18i8
Upstart not reopening log files on logrotation
Webcam isn't working in Ubuntu 14.04
Since update of Firefox v37 internet access is slow
Hide Title Bar When Maximized in GNOME 3.16
How do you install the VirtIO HDD drivers for KVM on Windows 7?
'top' shows 'echo "find"' processes using 100% CPU time
Fn + F5 / F6 brightness keys not working on Asus R556L
Specifically where do applications get their default font settings?
Unity dash - is there a command line (CLI) interface to perform a search?
DNS works with host, but not with wget