Full Disk Encryption + Home folder encryption needed? Wouldn't Full Disk Encryption get the Home folder anyway?
I'm reinstalling Ubuntu, and want to do full disk encryption. After selecting it, I'm given a choice to also encrypt the Home folder.
Since Ubuntu doesn't use a separate partition for the Home folder (afaik), wouldn't full disk encryption already cover the Home folder? Does adding Home folder encryption add more security of some kind?
"It depends".
Whole disk encryption will use LUKS and everything but /boot will be encrypted, including your data in /home.
This prevents unauthorized access to the system from a cold boot. Once the system is fully booted, however, everything, including /home, is decrypted.
Encrypting /home uses ecryptfs and your home directory will be encrypted when you are not logged in. This prevents root or other users from accessing your data in /home. Your data, however, is decrypted as long as you are logged in.
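An added example, not part of any answer on this page: Python that reports which of the two layers described above currently sits under a path, given `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (an opened LUKS volume appears as a device of type `crypt`) and `/proc/mounts`. The device names, users and sample outputs are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for a guided
# LUKS + LVM install (device names are made up for illustration).
SAMPLE_LSBLK = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda5", "type": "part", "mountpoint": null, "children": [
   {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# Constructed sample in /proc/mounts format: alice's ecryptfs home is mounted.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext2 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev 0 0
"""

def luks_backed_mounts(lsblk_json):
    """Map mount point -> True if an ancestor device is an open dm-crypt mapping."""
    found = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            found[dev["mountpoint"]] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)
    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found

def ecryptfs_mounts(mounts_text):
    """Mount points whose filesystem type (third field) is ecryptfs."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [f[1] for f in rows if len(f) >= 3 and f[2] == "ecryptfs"]

def covering(path, mount_points):
    """Longest mount point that contains the absolute path, or None."""
    hits = [m for m in mount_points
            if m == "/" or path == m or path.startswith(m + "/")]
    return max(hits, key=len, default=None)

def layers_for(path, lsblk_json=SAMPLE_LSBLK, mounts_text=SAMPLE_MOUNTS):
    """Encryption layers currently stacked under path, outermost first."""
    block = luks_backed_mounts(lsblk_json)
    layers = ["dm-crypt"] if block.get(covering(path, block)) else []
    if covering(path, ecryptfs_mounts(mounts_text)):
        layers.append("ecryptfs")
    return layers
```

On a real system, pass the output of that `lsblk` command and the contents of `/proc/mounts` in place of the samples; an ecryptfs home shows up only while its owner is logged in.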
If you're using the guided full disk encryption, your home partition will be part of the encrypted LVM, and thus you're right: it is already covered by that.
I think it will add hardly any security but complexity if you still encode your home folder. (transparent encode within block level encode)
A possible use case might be that you share the machine with other users (who know the disk passphrase) and you want your data inaccessible by them.
So I basically just agree with your guesses :]
I think that option covers the case in which you choose to put the home folder in another drive/partition. Notice how you can set different mount points in different drives/partitions when you choose "Something else" during the "Installation type" step of the installation process:
This is the only picture I could find; it's from an old distribution, but the same still applies to the latest releases.