Re: [ubuntu-uk] Encrypt whole disk or just home dir?
On Thursday 13 May 2010 01:10:44 John Stevenson wrote:
> If you have a laptop hard drive that often contains sensitive personal data or is used for any kind of business or holds information that needs to be covered under the data protection act, then it is advisable to have the whole system encrypted in case it falls into the wrong hands.

Encrypting home dir + swap, and using a /tmp ram disk, is sufficient even for data protection act requirements. Everything written outside those three areas is operating system files only.

How to convert existing homes to crypto, plus swap and tmp:

http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/

Tyler

--
Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
   -- Andrew S. Tanenbaum

--
ubuntu-uk@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk
https://wiki.ubuntu.com/UKTeam/
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
On 13 May 2010 07:24, Tyler J. Wagner ty...@tolaris.com wrote:
> On Thursday 13 May 2010 01:10:44 John Stevenson wrote:
> > If you have a laptop hard drive that often contains sensitive personal data or is used for any kind of business or holds information that needs to be covered under the data protection act, then it is advisable to have the whole system encrypted in case it falls into the wrong hands.
>
> Encrypting home dir + swap, and using a /tmp ram disk, is sufficient even for data protection act requirements. Everything written outside those three areas is operating system files only.
>
> How to convert existing homes to crypto, plus swap and tmp:
>
> http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/
>
> Tyler

You would want to consider /var if you have local business applications running on the laptop.

--
John Stevenson
jr0cket.com
leanagilemachine.com
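Added example (not part of any list member's message): a Python check of the layout discussed above, reporting whether the home directory, swap, /tmp and /var sit on encrypted or RAM-backed storage. The sample tables and the /home/user path are constructed, and it assumes encrypted devices are referenced by their /dev/mapper/ path.

```python
# Added example; the sample tables below are constructed for illustration.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 errors=remount-ro 0 1
/dev/mapper/cryptswap1 none swap sw 0 0
tmpfs /tmp tmpfs defaults,mode=1777 0 0
/home/user/.Private /home/user ecryptfs rw 0 0
"""
SAMPLE_CRYPTTAB = "cryptswap1 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256\n"


def parse_table(text):
    """Split fstab, crypttab or /proc/mounts text into rows of fields."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            rows.append(line.split())
    return rows


def audit(mounts_text, crypttab_text, home):
    """Return {area: bool}: True if the area is encrypted or RAM-backed."""
    mounts = [r for r in parse_table(mounts_text) if len(r) >= 3]
    # Assumption: encrypted devices are referenced as /dev/mapper/<crypttab name>.
    mapped = {"/dev/mapper/" + r[0] for r in parse_table(crypttab_text)}

    def covered(path):
        best = None  # the longest mount point containing `path` stores it
        for dev, mnt, fstype in (r[:3] for r in mounts):
            if fstype == "swap":
                continue
            if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
                if best is None or len(mnt) >= len(best[1]):
                    best = (dev, mnt, fstype)
        # tmpfs pages can reach swap, so tmpfs is only safe with encrypted swap.
        return best is not None and (
            best[2] in ("ecryptfs", "tmpfs") or best[0] in mapped)

    swaps = [r[0] for r in mounts if r[2] == "swap"]
    return {
        "home": covered(home),
        "swap": all(dev in mapped for dev in swaps),  # no swap passes
        "/tmp": covered("/tmp"),
        "/var": covered("/var"),
    }


if __name__ == "__main__":
    for area, ok in audit(SAMPLE_MOUNTS, SAMPLE_CRYPTTAB, "/home/user").items():
        print(f"{area:5} {'ok' if ok else 'PLAINTEXT ON DISK'}")
```

On the constructed sample the only area reported as plaintext is /var, which stays on the unencrypted root filesystem.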
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
Liam,

On 13/05/10 01:14, Liam Proven wrote:
> Your understanding seems right to me, and TBH, an encrypted /home or just your own folder would be enough for me, personally. Actually I don't do it - I'm not that paranoid - but yes, I expect it'd be faster.

It's a work PC and our policy is to encrypt laptops that hold or could hold sensitive information. So I need to encrypt, I'm just wondering if encrypting my home dir is sufficient. I'm beginning to think not.

> To get there from here means a complete backup reinstall, though, I think...

Yes, I'm prepared for that!

Regards,
Tony.

--
Tony Arnold,                Tel: +44 (0) 161 275 6093
Head of IT Security,        Fax: +44 (0) 870 136 1004
University of Manchester,   Mob: +44 (0) 773 330 0039
Manchester M13 9PL.         Email: tony.arn...@manchester.ac.uk
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
Tyler,

On 13/05/10 07:24, Tyler J. Wagner wrote:
> Encrypting home dir + swap, and using a /tmp ram disk, is sufficient even for data protection act requirements. Everything written outside those three areas is operating system files only.
>
> How to convert existing homes to crypto, plus swap and tmp:
>
> http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/

Thanks. I had thought about swap but not considered /tmp!

Regards,
Tony.

--
Tony Arnold,                Tel: +44 (0) 161 275 6093
Head of IT Security,        Fax: +44 (0) 870 136 1004
University of Manchester,   Mob: +44 (0) 773 330 0039
Manchester M13 9PL.         Email: tony.arn...@manchester.ac.uk
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
John,

On 13/05/10 09:54, John Stevenson wrote:
> You would want to consider /var if you have local business applications running on the laptop.

Not a problem for me. Our business apps are all on Windows, which I run in VirtualBox, the disks for which would be in my home directory.

Regards,
Tony.

--
Tony Arnold,                Tel: +44 (0) 161 275 6093
Head of IT Security,        Fax: +44 (0) 870 136 1004
University of Manchester,   Mob: +44 (0) 773 330 0039
Manchester M13 9PL.         Email: tony.arn...@manchester.ac.uk
[ubuntu-uk] Encrypt whole disk or just home dir?
I'm seeking advice and wisdom!

My laptop is currently fully encrypted. It has a partition that contains a crypt that contains some logical volumes that contain all file systems except /boot

It occurs to me I might be better off just encrypting my home directory. I think this might improve performance as the system would not have to decrypt the operating system files. Not sure how big an impact this would have.

Presumably I would no longer get prompted for a pass phrase every time I switch the machine on. Very secure, but annoying!

Am I right in thinking that the home dir encryption effectively uses my password to protect it, or would I have to enter my password and an encryption pass phrase every time I log on?

Any thoughts?

Regards,
Tony.

--
Tony Arnold,                Tel: +44 (0) 161 275 6093
Head of IT Security,        Fax: +44 (0) 870 136 1004
University of Manchester,   Mob: +44 (0) 773 330 0039
Manchester M13 9PL.         Email: tony.arn...@manchester.ac.uk
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
On 12 May 2010 23:11, Tony Arnold tony.arn...@manchester.ac.uk wrote:
> I'm seeking advice and wisdom!
>
> My laptop is currently fully encrypted. It has a partition that contains a crypt that contains some logical volumes that contain all file systems except /boot
>
> It occurs to me I might be better off just encrypting my home directory. I think this might improve performance as the system would not have to decrypt the operating system files. Not sure how big an impact this would have.
>
> Presumably I would no longer get prompted for a pass phrase every time I switch the machine on. Very secure, but annoying!
>
> Am I right in thinking that the home dir encryption effectively uses my password to protect it, or would I have to enter my password and an encryption pass phrase every time I log on?
>
> Any thoughts?
>
> Regards,
> Tony.
>
> --
> Tony Arnold,                Tel: +44 (0) 161 275 6093
> Head of IT Security,        Fax: +44 (0) 870 136 1004
> University of Manchester,   Mob: +44 (0) 773 330 0039
> Manchester M13 9PL.         Email: tony.arn...@manchester.ac.uk

If you have a laptop hard drive that often contains sensitive personal data or is used for any kind of business or holds information that needs to be covered under the data protection act, then it is advisable to have the whole system encrypted in case it falls into the wrong hands.

Other than that I would just use home dir encryption. I am using home dir encryption for the first time on my new lucid install. Your home dir is decrypted when you login to X windows - i.e. the normal desktop gdm login. Note that you can't use automatic gdm login, there is a warning in the lucid installer against this.

Using just the encrypted home dir has worked fine for me and I have not had any access or performance problems.

--
John Stevenson
jr0cket.com
leanagilemachine.com
Re: [ubuntu-uk] Encrypt whole disk or just home dir?
On Wed, May 12, 2010 at 11:11 PM, Tony Arnold tony.arn...@manchester.ac.uk wrote:
> I'm seeking advice and wisdom!
>
> My laptop is currently fully encrypted. It has a partition that contains a crypt that contains some logical volumes that contain all file systems except /boot
>
> It occurs to me I might be better off just encrypting my home directory. I think this might improve performance as the system would not have to decrypt the operating system files. Not sure how big an impact this would have.
>
> Presumably I would no longer get prompted for a pass phrase every time I switch the machine on. Very secure, but annoying!
>
> Am I right in thinking that the home dir encryption effectively uses my password to protect it, or would I have to enter my password and an encryption pass phrase every time I log on?
>
> Any thoughts?

Your understanding seems right to me, and TBH, an encrypted /home or just your own folder would be enough for me, personally. Actually I don't do it - I'm not that paranoid - but yes, I expect it'd be faster.

To get there from here means a complete backup reinstall, though, I think...

--
Liam Proven • Profile: http://www.linkedin.com/in/liamproven
Email: lpro...@cix.co.uk • GMail/GoogleTalk/Orkut: lpro...@gmail.com
Tel: +44 20-8685-0498 • Cell: +44 7939-087884 • Fax: + 44 870-9151419
AOL/AIM/iChat/Yahoo/Skype: liamproven • LiveJournal/Twitter: lproven
MSN: lpro...@hotmail.com • ICQ: 73187508