frugal technology, simple living and guerrilla large-appliance repair
Sun, 16 Sep 2012

Advantage of Ubuntu's per-account /home encryption

I write a lot about encryption. I'm not trying so much to keep the government out of my business but to give myself peace of mind in the event my machine is lost or stolen.

I want to know that getting any data out of the machine would be far more trouble than it is worth, so that I can carry a laptop around confident that nobody else can reach that data if it leaves my possession.

But there's one problem with the kind of encryption provided by the installers for Debian and Fedora: the global (or individual) passphrase(s) that must be typed before the system even finishes booting.

In a situation where more than one person shares a computer, do you choose a passphrase that anybody/everybody knows, or do you use a "strong" password that only one person can and should know? I tend to go for the latter, but what if somebody else in my family wants to use the computer and it isn't already running? They would need to know the passphrase(s) just to get the filesystems mounted.

Ubuntu does its encryption another way. When an account is created, the installer (or the admin creating the account later) can choose to encrypt that account's home directory with eCryptfs. The system then generates a random mount passphrase for the directory and wraps it with the user's login password; when the user logs in, the same password unwraps it and the home directory is mounted automatically, with no extra prompt. One caveat worth acting on: because the real key is the generated mount passphrase and not the login password, each user should print it once with ecryptfs-unwrap-passphrase and keep it somewhere safe, since a home directory whose wrapped passphrase is lost cannot be recovered from the login password alone.

That way everybody can have encrypted /home but not need to know any overall passwords to use the system. And the global passphrase issue is moot.

The only problem I see with this Ubuntu setup is not having encrypted swap or /tmp. (Whether swap is encrypted on a given machine is easy to check: cat /proc/swaps lists a /dev/mapper/cryptswap device if it is, and a raw partition if it is not; Ubuntu's ecryptfs-utils also ships ecryptfs-setup-swap, which re-keys swap from /dev/urandom at every boot.) I don't encrypt /tmp on my Debian system right now. I'm pretty sure that both swap and /tmp are encrypted by default in OpenBSD systems, though curiously there's no easy way to encrypt /home.

Perhaps not so curiously, I'm getting to be OK with unencrypted swap. All of one's data is never in swap, only some, and it's fluid. (What does land there is whatever the kernel pages out, which can include passwords and the keys that running processes hold in memory for encrypted /home, so the leak is not limited to files.) I'm OK with a little data getting out in the event of a lost or stolen machine; just not all of it. But if swap and /tmp can be encrypted, why not do it?

That's why I still like fully encrypted LVM (or encrypted /home, /tmp and swap, preferably with a global passphrase that you can give to users).

I'm not planning for resistance to government entities who want my data, though that is a concern -- and it's probably better to encrypt any super-sensitive data on its own within the greater filesystem (i.e. an encrypted directory) if that is a concern. I don't care if The Man can get to my music, videos or blog posts that are already on the public Internet.

My main concern still remains any and all personal data that could be used by a laptop thief for purposes of fraud or identity theft.

To sum up:

  • I like the Ubuntu approach to encryption on an individual-account basis. It's realistic and better for systems with multiple users.

  • For a system with a single user, full encryption is easiest and best.

  • In Fedora/RHEL systems, it's easy to encrypt the whole system in LVM, or encrypt as many partitions as one wishes with a single global passphrase.

  • In Debian's installer it's only possible to set a global passphrase if fully encrypted LVM is chosen -- an option for which the installer insists on using the entire disk, making it impossible for mortals to preserve or set up a dual-boot system. And encrypted LVM is extremely hard to modify after the fact. The process is very poorly documented, in my experience.

  • Encrypting individual partitions is possible in Debian, but individual passphrases must be chosen for each encrypted partition. They can be the same passphrase, but each partition must be unlocked with a typed passphrase, one after the other, during boot. That means a lot of password typing. I'd love for a secret recipe for uniting these individual passphrases under a global passphrase. That would make me happy. The Debian installer should do this.
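Both of the gaps above, the one-prompt-per-partition boot described in the last point and the unencrypted swap and /tmp discussed earlier, can be closed after installation from /etc/crypttab. What follows is an added example, not code from the original post or from Debian's installer. It relies on two real pieces of Debian's cryptsetup package: the crypttab keyscript= option and the shipped keyscript /lib/cryptsetup/scripts/decrypt_derived, which derives a key for a second LUKS volume from the master key of a mapping that is already open, so only the root volume ever asks for a passphrase. Swap and /tmp get a fresh key from /dev/urandom at every boot and never ask for anything. The device paths and mapping names (sda2_crypt, /dev/sda2 and so on) are hypothetical placeholders, and the script only prints the privileged commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): one typed passphrase for several
# LUKS volumes on Debian via the decrypt_derived keyscript, plus swap and /tmp
# that are re-keyed from /dev/urandom on every boot.
# All device paths and mapping names are hypothetical placeholders.
# DRY_RUN=1 (the default) prints the privileged commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
KEYSCRIPT=/lib/cryptsetup/scripts/decrypt_derived

run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Emit the /etc/crypttab for this layout (fields: target source key-file options):
#   $1 $2  root mapping name and LUKS device (the only one that prompts)
#   $3 $4  home mapping name and LUKS device (key derived from the root mapping)
#   $5 $6  swap and /tmp partitions (random key each boot, no passphrase at all)
build_crypttab() {
    printf '%s %s %s %s\n' "$1" "$2" none luks
    printf '%s %s %s %s\n' "$3" "$4" "$1" "luks,keyscript=$KEYSCRIPT"
    printf '%s %s %s %s\n' cryptswap "$5" /dev/urandom "swap,cipher=aes-xts-plain64,size=256"
    printf '%s %s %s %s\n' crypttmp "$6" /dev/urandom "tmp,cipher=aes-xts-plain64,size=256"
}

# Practitioner check: which crypttab entries (read from stdin) will stop the
# boot for a typed passphrase? Those with no key file and no keyscript.
prompting_entries() {
    awk 'NF >= 4 && $1 !~ /^#/ && $3 == "none" && $4 !~ /keyscript=/ { print $1 }'
}

# One-time setup, run as root with the root mapping already open:
#  1. add a key slot to the home volume holding the key decrypt_derived computes
#     from the root mapping (cryptsetup prompts once for an existing passphrase
#     of the home volume); the derived key is piped, never written to disk;
#  2. install the crypttab;
#  3. rebuild the initramfs so the keyscript is available at boot.
setup_derived_unlock() {
    root_name=$1; root_dev=$2
    home_name=$3; home_dev=$4
    swap_dev=$5;  tmp_dev=$6
    run sh -c "$KEYSCRIPT $root_name | cryptsetup luksAddKey $home_dev /dev/stdin"
    crypttab=$(build_crypttab "$root_name" "$root_dev" "$home_name" "$home_dev" "$swap_dev" "$tmp_dev")
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would write to /etc/crypttab:\n%s\n' "$crypttab"
    else
        printf '%s\n' "$crypttab" > /etc/crypttab
    fi
    run update-initramfs -u
    printf 'entries that will prompt for a passphrase at boot: %s\n' \
        "$(printf '%s\n' "$crypttab" | prompting_entries | tr '\n' ' ')"
}

# Example invocation with placeholder devices; only runs when asked for.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    setup_derived_unlock sda2_crypt /dev/sda2 sda3_crypt /dev/sda3 /dev/sda4 /dev/sda5
fi
```

Run it with RUN_EXAMPLE=1 to see the commands and the crypttab it would install; the check at the end should list only the root mapping. Two things the script deliberately leaves to you: /etc/fstab must mount /dev/mapper/cryptswap as swap and /dev/mapper/crypttmp on /tmp, and because /tmp is recreated from scratch at every boot nothing in it survives a reboot, which is the point.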