On Mon, Jul 01, 2019 at 08:33:35AM -0500, David Wright wrote:
> The grey area for me is the relative benefit of encrypting file by file compared with the whole partition. Assuming that there's just one passphrase involved in each scenario, is more protection given by the former method? After all, once a partition is unlocked, all users on the system are able to read all the files, subject to the normal unix permissions, ACLs, etc.
One fairly attractive feature of the file (or filesystem) level encryption is it can be layered on top of an existing partition/install relatively easily, no need to resort to repartitioning. I think this was one reason that it was a recommended approach in Ubuntu, at least, integrated to some extent with their installer (although I think no longer). It never reached that level of support in Debian, which offers block-level encryption in the installer instead.

Two drawbacks:

- it does not protect you from accidentally writing sensitive information to a file outside of that area (/tmp, or /var/tmp, or inside an email in exim's spool directory under /var, or in paged-out virtual memory written to an unencrypted swap space, or who knows where else).

- the implementations are quirky (layered filesystems have always been, and continue to be, awkward, with some semantic corner-cases still misbehaving today with overlay2 and container workloads).

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀  https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀  Please do not CC me, I am subscribed to the list.
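The first drawback above (data spilling into /tmp, /var/tmp, a mail spool or unencrypted swap around a file-level encrypted home) is easy to check for. The script below is an added example, not code from the thread or from Debian; it parses /proc/swaps and /proc/mounts (or the constructed samples embedded in it) and reports swap devices and mount points whose backing store is neither a device-mapper mapping nor tmpfs. The assumption that a /dev/mapper or /dev/dm-* device is a dm-crypt mapping is a simplification: plain LVM volumes also live there, so confirm with `lsblk -o NAME,TYPE,MOUNTPOINT` that the TYPE really is "crypt".

```shell
#!/bin/sh
# Added example (not from the list thread): find places where data can leak
# around file-level encryption. A path counts as "protected" only when it is
# backed by a device-mapper mapping (assumed to be dm-crypt; verify with
# lsblk -o NAME,TYPE,MOUNTPOINT) or by tmpfs, which never touches disk
# except via swap (which is checked separately).

# Constructed sample of /proc/swaps: one plain partition, one dm-crypt one.
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/sda3                               partition	4194300	0	-2
/dev/mapper/cryptswap                   partition	2097148	0	-3'

# Constructed sample of /proc/mounts: encrypted root, tmpfs /tmp,
# plain /var (so exim's spool under /var/spool is unprotected) and plain /var/tmp.
SAMPLE_MOUNTS='/dev/mapper/sda2_crypt / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var ext4 rw,relatime 0 0
/dev/sda5 /var/tmp ext4 rw,relatime 0 0'

# backing_is_protected SOURCE: 0 when SOURCE is a device-mapper node or tmpfs.
backing_is_protected() {
  case "$1" in
    /dev/mapper/*|/dev/dm-*|tmpfs) return 0 ;;
    *) return 1 ;;
  esac
}

# unprotected_swaps SWAPS_TEXT: print every active swap device that is not a
# device-mapper mapping (i.e. paged-out memory would hit disk in the clear).
unprotected_swaps() {
  printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | while read -r dev; do
    backing_is_protected "$dev" || printf '%s\n' "$dev"
  done
}

# mount_source MOUNTS_TEXT PATH: print the source (device, or "tmpfs") of the
# longest mount point that is a prefix of PATH, i.e. the filesystem PATH lives on.
mount_source() {
  printf '%s\n' "$1" | awk -v target="$2" '
    {
      mp = $1 == "" ? "" : $2
      if (mp == target || mp == "/" || index(target, mp "/") == 1) {
        if (length(mp) > length(best_mp)) { best_mp = mp; best_src = $1 }
      }
    }
    END { print best_src }'
}

# unprotected_paths MOUNTS_TEXT PATH...: print "PATH SOURCE" for each PATH whose
# backing filesystem is neither a device-mapper mapping nor tmpfs.
unprotected_paths() {
  mounts=$1; shift
  for p in "$@"; do
    src=$(mount_source "$mounts" "$p")
    backing_is_protected "$src" || printf '%s %s\n' "$p" "$src"
  done
}

# audit_live: run the same checks against the running system.
audit_live() {
  echo "swap devices that are not dm-crypt mappings:"
  unprotected_swaps "$(cat /proc/swaps)"
  echo "spill-prone paths not on dm-crypt or tmpfs:"
  unprotected_paths "$(cat /proc/mounts)" /tmp /var/tmp /var/spool /var/spool/exim4
}

if [ "${1:-}" = "--live" ]; then
  audit_live
fi
```

Run it as `sh leakcheck.sh --live` on a Debian box; anything it lists is a place the file-level encryption does not cover, and the usual fixes are a dm-crypt swap (`cryptswap` in /etc/crypttab with a random key), tmpfs for /tmp, and moving /var or at least the mail spool onto an encrypted volume.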