Performance impact of full disk encryption?

[scaine]

Why would you want to unencrypt /home? If anything, that's teh directory that you'd want to encrypt if nothing else because if your like most people, all of your personal information is stored there.

Because he's already LUKS enabled his entire disk anyway (see his previous post).

Sorry, I have no idea how to undo encryption. Possibly search the Ubuntu WIKI?

[Demosthenesaus]

It was easier to just reinstall without /home encryption and just full LUKS encryption. Even on the tiny netbook I can't really tell a difference, but it's just for net surfing and email anyway.

[blueshiftoverwatch]

Because he's already LUKS enabled his entire disk anyway (see his previous post).

Oh, I misread what he was saying.

[Jekshadow]

I have two layers of encryption running (Drive + Home Directory) and I do not notice any slowdown at all.

[blueshiftoverwatch]

Encryption is a huge pain, I've decided to go without it.

I just tried out OpenSUSE and encrypted swap, /home, and the partition where I keep my virtual machine HD images. You can't encrypt / by default (even if /boot is on a separate non-encrypted partition) without going through a huge ordeal. I have to type in a long passcode for each encrypted partition at startup and I can never get the thing exactly right without having to type it in at least 3 times for each partition, and I'm young and have steady hands. I don't know how people do it. For that matter, I don't know how people of my parent's generation ever typed their papers on a type writer where you had to manually edit typos with whiteout either.

When I factor that into the equation. I guess I don't really need disk encryption.

[BkkBonanza]

I think the ecryptfs encrypted home is pretty sweet. You can use a usb key if you really want to have 2-factor authentication (I currently don't need that) and you only have your normal login password to mount it when booting. No hassle at all and you at least know that when your notebook gets stolen the data isn't going to be explored. That's really what most people need without getting too paranoid.

On current computers I'd just get rid of the swap before I'd bother encrypting it. I watch it's use with conky and it rarely ever gets touched. You can get all crazy about possible vulnerabilities but then you may just end up not doing anything because the hassle factor is too high.

If you seriously have the need for 100% confidentially then you just have to live with the extra work involved. I don't have anything on my machine I'd go to jail for. The chances of someone going to extremes to gain my data are remote, and the consequences minimal. All security decisions need to factor in the time element, risk and degree of consequences involved before deciding how far to take it.

Regarding performance - according to Dustin Kirkland, who was involved with the ecryptfs development on Ubuntu, the slowdown measured about 1%. Not something I'd worry about at all. You can gain that back and more by using ext4. He has a tutorial on his blog for converting your home to an encrypted home that only takes a few minutes to do.

IMHO this is an easy solution that gets you 99% of the way there. It may not handle every possible attack vector but it handles the most likely ones.


PS. I combine this with periodic use of sfill and srm (secure delete package) to clean things up now and then. If I want to delete something that may be important I secure delete it (have it integrated into Nautilus). And every few weeks I wipe the free space with sfill.

[blueshiftoverwatch]

I think the ecryptfs encrypted home is pretty sweet.

Is this the same as the ability to encrypt /home during Ubuntu's installation?

periodic use of sfill and srm (secure delete package) to clean things up now and then. If I want to delete something that may be important I secure delete it (have it integrated into Nautilus). And every few weeks I wipe the free space with sfill.

I've used those tools before, very neat stuff.

[BkkBonanza]

Yes. In the recent version installs this option is implemented using ecryptfs.

[blueshiftoverwatch]

Yes. In the recent version installs this option is implemented using ecryptfs.

The only bad thing is that the encryption password is the same as your user password. So if you want a password that is actually secure and not easily cracked you'd have to make it much longer. But you'd also have to enter in that long password every time you wanted to do an administrative task involving sudo.

[Jekshadow]

The only bad thing is that the encryption password is the same as your user password. So if you want a password that is actually secure and not easily cracked you'd have to make it much longer. But you'd also have to enter in that long password every time you wanted to do an administrative task involving sudo.

Not fully true, your login password is used to encrypt another randomly generated password that is used to decrypt your home directory. Also, about the long password, you get used to it over time, and you begin to type it faster. I have a login password that's over 30 characters and composed of random characters for my normal password, and I can type it in in under five seconds.