encrypted filesystem or files, which is best?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I want to secure my data beyond firewalling. What are the advantages or
disadvantages to creating entire encrypted disk file systems/partitions,
compared to just encrypting individual data files?  Realistically I only
need to encrypt my GnuCash folder (banking info), my spreadsheet files
(student gradebooks--I am a teacher), and perhaps a file containing my
accounts and passwords (which does not yet exist, perhaps should not--
right now I keep that info on 3x5 cards in a box in my home so hackers can
not get it off my hard drive.

The thought of encrypting an entire partition or file system worries me a
little, perhaps because it seems like a black box to me and I worry I
might lose everything doing that if it goes wrong, etc.

Any info, advice greatly appreciated.
  Ubuntu 6.10, also Mandriva 2006 on a PC

Re: encrypted filesystem or files, which is best?

Quoted text here. Click to load it

In general, filesystem encryption is better, because you achieve full
secrecy, while individual file encryption only provides partial secrecy:
Your directory hierarchy is in clear-text, but more importantly the file
system journal (if any) might disclose a lot of information about a

In all cases, encrypting the whole file-systems (and all other places,
where the data might end up - like swap and /tmp) is always more secure.
The drawback is a small performance impact.  However, my Pentium 1 with
233 MHz was suitable, and on my current Duron with 1.6 GHz, I don't even
notice a difference.  I'm using dm-crypt for my filesystems.

Quoted text here. Click to load it

Filesystem encryption is essentially very easy.  Imagine that you don't
write data onto your hard-drives directly, but instead send it to a
machine (a loop device in case of Cryptoloop or Loop-AES [1], or a
device mapper in case of dm-crypt).  This machine takes the data,
encrypts it and writes it to the disk.  It's like an intermediate layer
between the filesystem driver and the hard-disk.

Setting this up is pretty straightforward, but you have to take it into
account while planning your partitioning scheme (except Loop-AES, where
you can encrypt a clear-text partition).

Quoted text here. Click to load it

Remember that you're going to lose data anyway, if anything goes wrong.
In case of filesystem encryption, you would obviously lose an entire
partition, while with file encryption only the particular file is lost.
However, the only case where this happens (or should happen) is loss of
the key or passphrase, or filesystem damage.

Encryption would necessarily be worthless, if data could be recovered
without the key.



Re: encrypted filesystem or files, which is best?

On Wed, 15 Nov 2006 23:30:16 +0100, Ertugrul Soeylemez inscribed to the
Quoted text here. Click to load it

Can filesystem encryption be done on an existing linux filesystem, or must
it be done intitially when installing? I guess I am asking how would a
person set up filesystem encryption on an existing linux PC, so that /home
in the least became an encrypted filesystem, and even "/" if possible?

Re: encrypted filesystem or files, which is best?

Quoted text here. Click to load it

With Loop-AES this is possible.  For the filesystem of /home, you can do
this more or less easily, but for / this is rather difficult, because
you have to reconfigure a few things.  Have a look at [1], the README of
Loop-AES.  It fully describes how to do both of this.

If you really want to encrypt your root filesystem, then have a closer
look at example 5 in that README.  There it's fully described, how to
build a kernel with an initial RAM-disk, which is necessary for root
filesystem encryption, and/or for /etc encryption, and how to encrypt an
existing partition.  You will need some kind of Live-CD to encrypt your
root or /etc (or both).

However, usually you don't have to encrypt your whole system.  This will
only make your system slower, because binaries take longer to load,
configurations take longer to be read; basically everything, in which
the hard-disk is involved, takes longer.

One more thing:  To be fully secure, you will need to boot from
something, which you carry with you (so nobody can manipulate it), like
a little floppy disk or USB stick, or similar.  Otherwise, someone could
remove your disk and trojan it.  You wouldn't notice.  This is also
described in the README mentioned above.  Don't worry, it's not too
difficult to set up (just follow the instructions), but you will have to
spend some freetime, possibly a few hours.  This is the price to pay for

Encrypting the following should render you cryptographically secure:

  * /etc (important, but a bit problematic)
  * /home
  * /opt (possibly)
  * /var
  * your swap space

Also create a RAM-disk for /tmp, because sometimes sensitive data gets
there.  Use the 'tmpfs' filesystem for it.  The following line in your
/etc/fstab should suffice:

  none  /tmp  tmpfs  defaults,uid=0,gid=0,mode=1777 0 0

If you don't encrypt /var, remember to configure 'locate' (or 'slocate')
properly, because otherwise your filesystem structure could be
revealed.  Remove the default cronjob for it (if any), and replace it by
something like this:

  0 8 * * 7  /usr/bin/updatedb -e

With this configuration, you will give up a bit of comfort (if you use
'locate' regularly), because it won't help you find files in your home
directory anymore.  But you certainly know that comfort is the worst
enemy of security.  =)


[1] http://loop-aes.sourceforge.net/loop-AES.README

Re: encrypted filesystem or files, which is best?

Quoted text here. Click to load it


From what I can make out from your post, disk encryption is NOT for you. If
I have read correctly, you want to keep your information safe from hackers.
With disk encryption, when you have booted the workstation, you have
supplied the password to the encryption routine and the drive or partition
appears unencrypted, ready for use.

The solutions available to you are:

1. Partition encryption. Use 'disk' encryption to encrypt a partition that
is only mounted when you need it.

2. File encryption. Encrypt only those files that you want to secure and
decrypt them when you want to use them.

3. Use removable media and remove it when you no longer need access to it
(this could and should be an encrypted device for added protection)

Disk encryption has it's place. It is intended to protect the disk if it is
stolen or to prevent it being mounted without the password.



Re: encrypted filesystem or files, which is best?

On Sat, 18 Nov 2006 22:37:17 +0000, Bogwitch inscribed to the world:
Quoted text here. Click to load it

I feel I am getting a better handle now on what I need, should do. Sounds
like an external USB drive or flashdrive would work, and I could make it
an external encrypted filesystem/partition-- meaning no monkeying around
with my internal drives. I like that strategy.

Site Timeline