Does ecryptfs-setup-private use real time encryption?
Solution 1:
I'll answer this question, as the author of ecryptfs-setup-private, and one of the maintainers of eCryptfs.
eCryptfs provides very strong cryptographic protection of your data "at rest" -- i.e., when your system is powered off or hibernated. However, you should beware that when your system is running, and your home directory is mounted, your data is protected exclusively by DAC (Discretionary Access Controls) -- i.e., UNIX filesystem permissions. By default in Ubuntu, if you're using an Encrypted Home Directory, then your $HOME directory has 700 permissions -- so no other users on the system besides you (and root) will be able to see your data while it's mounted. Now when your data is mounted, then it is safely locked away in encryption.
As always, you should still have a very strong LOGIN passphrase, however. Your LOGIN passphrase is used to encrypt and decrypt a much longer and strong randomly generated mount passphrase, which is stored in $HOME/.ecryptfs/wrapped-passphrase. If an attacker has access to $HOME/.ecryptfs/wrapped-passphrase, then they can try and decrypt that file by guessing your LOGIN passphrase. If they do decrypt that, then they will have access to your long/random MOUNT passphrase and your data is no longer safe. As a stronger measure of security, some paranoid users (such as myself) store their wrapped-passphrase file on secure removable media such as a USB key or an SD-card, and use a symbolic link to link it into place at $HOME/.ecryptfs/wrapped-passphrase. This should only be attempted by expert users.
Cheers!
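The two protections described in the answer above (700 permissions on $HOME while mounted, and where the wrapped-passphrase file lives) can be checked with a short audit function. This is an added example, not part of the original answer or of the eCryptfs tools; the function name `audit_ecryptfs_home` and its message prefixes are hypothetical, and it assumes GNU coreutils (`stat -c`, `readlink -f`).

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with ecryptfs-utils).
# Usage: audit_ecryptfs_home /home/alice
# Prints one line per finding, prefixed WARN / NOTE / INFO / OK.
# The body runs in a subshell so its variables stay local.
audit_ecryptfs_home() (
    home_dir=$1
    wrapped="$home_dir/.ecryptfs/wrapped-passphrase"

    # While the home directory is mounted, only DAC protects the data,
    # so anything looser than 700 on $HOME exposes it to other users.
    mode=$(stat -c '%a' "$home_dir") || exit 2
    if [ "$mode" != "700" ]; then
        echo "WARN: $home_dir has mode $mode, expected 700"
    fi

    if [ -L "$wrapped" ] && [ ! -e "$wrapped" ]; then
        # Dangling symlink: consistent with removable media being unplugged.
        echo "INFO: wrapped-passphrase symlink target is absent"
    elif [ -L "$wrapped" ]; then
        home_real=$(readlink -f "$home_dir")
        target=$(readlink -f "$wrapped")
        case "$target" in
            "$home_real"/*)
                echo "WARN: symlink resolves inside the home directory: $target" ;;
            *)
                echo "OK: wrapped-passphrase is a symlink to $target" ;;
        esac
    elif [ -f "$wrapped" ]; then
        # On disk, the file is only as strong as the login passphrase.
        echo "NOTE: wrapped-passphrase is stored on the local disk"
        wmode=$(stat -c '%a' "$wrapped")
        case "$wmode" in
            *00) ;;
            *) echo "WARN: $wrapped has mode $wmode, group/other can access it" ;;
        esac
    else
        echo "INFO: no wrapped-passphrase found under $home_dir/.ecryptfs"
    fi
)

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_ecryptfs_home "$1"
fi
```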
Solution 2:
I believe I answered my own question. I ran ecryptfs-setup-private, and I did a hard shutdown. When I booted using the live CD, I was able to list the contents of my personal home directory using ls /media//home... and in the ~/Private directory, there was the usual link to access the files, and there was no way to make it work. The files were safe!