Want an easy to use Linux disk encryption scheme
In the interests of protecting personal info in case a laptop gets stolen, I'm looking for the best way to encrypt a Linux system.
Disadvantages of whole disk encryption including swap:
- Pre-boot password prompt is kind of ugly and unpolished, appearing hidden amongst the boot messages (can something like Splashy handle this?)
- Need to log in twice (if you have a GDM login screen and need multiple users)
Disadvantages of individual folder encryption using libpam-mount or similar:
- Only the user's home folder is encrypted (whereas /etc, /var etc might contain sensitive information too).
- Swap file isn't encrypted, so likely to be leakage of sensitive data in there
- No way to securely hibernate.
I'm using Debian Linux if it matters. Doesn't need to be ridiculously secure, but want peace of mind that a thief cannot steal my identity, bank account details, VPN logins etc. if it is stolen while off/hibernating.
Do you know of ways to solve any of my above problems?
Solution 1:
Your problem is a common one: mainly, the difficult balance between security and usability.
My suggestion is to use a slightly modified version of a mixed approach:
- using cross-platform software like TrueCrypt prepare one or more encrypted volumes for your personal data that you DO NOT use daily (bank details, saved passwords, medical records, etc)
- the reason to use more than one volume is that you might want to back them up on different media, or use different encryption schemes: for example, you might want to share your health records with somebody else and tell them your passphrase (which should be different for the one used for other volumes)
- using a "standard" cross-platform software means you'll be able to recover your data from another OS on-the-fly, if your laptop is stolen/damaged
- whole-disk encryption is often cumbersome and difficult. Although there are attacks for it (see the Evil Maid Attack it turns out to be useful if you're afraid of what could happen if people have access to the whole system. For example, if you're using a company laptop, have no administrative access and there are VPN keys that should not get stolen
- cached passwords for mail/web/apps are another issue: perhaps you might want to encrypt only your home directory? To optimize performance and security/usability you could:
- encrypt all home dir
- softlink to a non-encrypted directory on your filesystem for data you don't care about losing (music, video, etc)
Again, do not forget that everything boils down on the value of what you have to lose, compared to the value of your time and cost of recovery.
Solution 2:
I don't encrypt the whole hard drive, its just too much of admin/management thingie.
So I use dm-encrypt to crate a logical encrypted partition.
I crated a script around it, which I use daily, see if it helps you. I call this under .bashrc
http://bitbucket.org/chinmaya/linux-scripts/src/tip/ch-enc
Solution 3:
You can use pend drive for storing encryption keys. For best security it should be password protected but it doesn't have to.
http://loop-aes.sourceforge.net/loop-AES.README look at example 7.
Solution 4:
I'm still relatively new to Linux, but I thought when you when to install the system there was a way to turn on whole-disk encryption. Also, TrueCrypt has a .deb package.
I hadn't used disk encryption on Linux yet, so perhaps these options have problems like you describe above. As far as the multiuser logon, perhaps TrueCrypt can be setup to use a key file on a USB drive. That way all you need is the laptop and the USB drive to access the files on the laptop.
I'm still learning Linux myself, so I hope this helps.