Laptop encryption — the ideal and the real

I was listening to the Ubuntu UK podcast yesterday, and they were talking about how to do encryption, either full or partial, to protect the data on your computer from being stolen and used against you should the machine itself be lost or stolen.

While this does happen with desktops (there was a huge desktop theft at an office building here a number of months back, with lots of customer data now in jeopardy), I'm mostly talking about laptops, which we're in the habit of carrying everywhere. And whether out in the wild or at home, a laptop is still more attractive to your average thief because of its portability, value and easier salability.

First there are backups. You absolutely need backups of everything. Aside from loss and theft, there's hardware failure, software failure and the dreaded "operator error." You need backups. My main laptop didn't boot the other day, and while I had a backup, it was a week or so old. Once I calmed down, waited a few minutes and tried again, it did boot. I made new backups right away.

So if you lose that data, there should be a copy (preferably two).

But what about others seeing that data? You could have tons of e-mail, both personal and professional — and with who knows what in there. Then there are all of those browser cookies that help you log in to your various online accounts. Those could really sink you if your machine got into the wrong hands.

Creating encrypted folders is one way to deal with sensitive files. It's easy to do in Windows. I'm not sure how to do it in Mac OS X, and there are packages available in many Linux distributions to create encrypted folders and/or documents.

But ... is encrypting my entire folder of Thunderbird e-mail but not the rest of the directory an option? I don't think the Thunderbird app would be able to deal with it.

I still think the way to go is either encrypted partitions (at least /home, /tmp and /swap in Linux) or a fully encrypted hard drive. I've written about encryption solutions before (and I should re-run that column here; I will if/when I find it).

And now I've been testing Debian Lenny with full LVM encryption (LVM = logical volume management, a more modern — and less-understandable — way of partitioning hard drives for Linux).

On the Ubuntu UK show, they talked about the performance hit that results from encrypted filesystems. It could be as high as 20 percent but is not as much of a factor in traditional desktop use as compared to situations where there is a lot more disk I/O, such as a server, or during times of disk-intensive activity (huge file transfers, backups, etc.).

And since Debian out of the box tends to run a bit faster than Ubuntu, I haven't really noticed any degradation in performance.

But ... for some reason NetworkManager isn't asking me for the root password and subsequently not making any changes to the network settings when I run it, so I'm not ready to replace Ubuntu 8.04 with Debian Lenny. ...

Thanks to Dustin Kirkland, I know that in Ubuntu 9.04 (Jaunty), it's possible to create an encrypted /home directory with either the live or alternate CDs. What I like about this approach is that the whole installation isn't encrypted. The OS itself doesn't need to be encrypted. Dustin does recommend encrypting /swap, and he provides instructions at the link above.
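One way to check which of /home, /tmp and swap actually sit on an encrypted block device, as an added example that is not part of the original post: it walks the tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports whether each location has a dm-crypt (`crypt`) layer beneath it. The sample tree and the function names are constructed for illustration; filesystem-level encrypted home directories and tmpfs mounts do not appear in lsblk output and are outside what this check sees.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`:
# plain /boot and /, plus a dm-crypt container holding LVM volumes for /home and swap.
SAMPLE = json.loads("""
{"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": "/"},
  {"name": "sda3", "type": "part", "mountpoint": null, "children": [
    {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
      {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
      {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}
""")


def mounts(devices, encrypted=False):
    """Yield (mountpoint, encrypted) for every mounted node in the lsblk tree."""
    for dev in devices:
        # Everything stacked on top of a `crypt` node inherits its encryption.
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], enc
        yield from mounts(dev.get("children", []), enc)


def audit(tree, targets=("/home", "/tmp", "[SWAP]")):
    """Map each target to True/False (encrypted or not), or None if not found."""
    table = list(mounts(tree["blockdevices"]))
    result = {}
    for target in targets:
        if target == "[SWAP]":
            # Every active swap device must be encrypted for the answer to be True.
            flags = [enc for mp, enc in table if mp == "[SWAP]"]
            result[target] = all(flags) if flags else None
            continue
        # A path without its own mount lives on the longest matching parent mount.
        covering = [(mp, enc) for mp, enc in table if mp.startswith("/")
                    and (target == mp or target.startswith(mp.rstrip("/") + "/"))]
        result[target] = max(covering, key=lambda m: len(m[0]))[1] if covering else None
    return result


if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(name, {True: "encrypted", False: "NOT encrypted", None: "not found"}[state])
```

On a live system, feed it `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"]))` instead of the sample; in the sample, /tmp has no mount of its own and so inherits the unencrypted root.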

Fedora does allow use of encryption. It's flexible, and the documentation is great. And Fedora has an install DVD (which my laptops like).

OpenBSD does support encrypted partitions via vnconfig, but setting it up is a bit above my head.

I had planned to transfer all of my data from Ubuntu to Debian, but the non-working NetworkManager kind of stalled that. If I could somehow come to terms with the Intel Xorg issues in Ubuntu 9.04, I could probably save my Synaptic configuration (gotta figure that one out), back up everything and then reinstall with encrypted /home.

Clearest explanations on encrypted /home in Ubuntu: Migrating to an encrypted home directory
and Jaunty encrypted home directories by Dustin Kirkland,
or, better yet, all of his blog posts on this topic.

What about Hardy? How to Forge: Encrypt The System Manually Upon Installation (Ubuntu 8.04) (using the alternate CD).

Performance penalty not so big? Michael Larabel of Phoronix reports that encryption results in only a 1 percent performance hit in most (but not all) cases.

Smart government: The state of Connecticut encrypts its laptops, and the governor is all over it.

P.S. Dustin Kirkland — the same one mentioned above — is a developer with the Ubuntu Server team and was interviewed on the Ubuntu UK Podcast. See his blog.

Final words: Easy-to-configure options for encryption should be offered at install with all operating systems, including Linux-, BSD-, Apple- and even Windows-based OSes.

Addendum to final words: Backups should also be easier to create and maintain.


4 Comments

ric storms said:

In terms of portable distros, I know that Puppy offers full encryption, pretty useful for Linux on a thumbdrive; when I'm not forgetting them to run through the washer, I'm leaving them everywhere.

Steven Rosenberg said:

Ric, I should have mentioned Puppy. I've used encrypted pup_save files for a while now, and I think that's a great way to go.

The only problem for me is that the maximum size of a pup_save is something like 2 GB. If I didn't have 2 GB just in POP mail, I'd be OK, but I do.

Right now I'm using the laptop as my main PC. If I had another PC for all that data and then just used the laptop as a secondary machine, Puppy with encrypted pup_save would work perfectly.

That's exactly what I'm doing with one of my other laptops -- my now-ancient Compaq Armada 7770dmt. It runs Puppy from live CD better than just about anything else, and that's the main OS I use on it.

Tony Godshall said:

RE: "Performance penalty not so big? Michael Larabel of Phoronix reports that encryption results in only a 1 percent performance hit in most (but not all) cases."

Hmmm... with a quad core and only homedir encrypted!

Tony

goossbears said:

Continuation of this thread over two years after originally posted...

Turns out that in less than two weeks up here in NorCal, the Bay Area Linux User's Group is having a relevant presentation by Travis H on Encrypted Storage.
Almost in Tony G's backyard!

Event description directly from the latest BALUG.org mainpage:
-- begin quote --
2011-09-20 Travis H on Encrypted Storage

This is a talk covering the three types of encrypted storage technologies (application-level, filesystem, block device) in Linux (and BSD, unless we want to skip those slides). We will start off a little abstract, and end up very practical, with LUKS/dm-crypt and TrueCrypt, and end up with some important discussion about thumb drives and the limits of what we can achieve.

Travis H is the founder of Bay Area Hacker's Association (BAHA), a former member of Austin Hacker's Association (AHA), and has been employed doing security or cryptography for financial institutions, web client software, top 50 web sites, e-commerce hosting companies, and other organizations. He has been part of the largest security monitoring operation in the world, security consulting startups, helped design an intrusion detection system, and has taught code-making and breaking at Stanford. He also has written a book on security which is free online. He is a fan of the Ghost in the Shell franchise, and collects Matrix-inspired fashion accessories.
-- end quote --

My own take on this presentation (or even from a comment here ::hint hint:: ;-} ) is to find the EASIEST WAY POSSIBLE to encrypt-on-the-fly just /home (a.k.a. Tony's "homedir") in Debian Squeeze.
On-the-fly encryption means NOT having to repartition/reformat /home or recompiling from the source-code the add-on encryption!! Doesn't even matter here whether /home is on a harddrive or USB thumbdrive.

Tech Talk column

Steven Rosenberg's weekly Tech Talk column, which appeared Saturdays in the Los Angeles Daily News through about October 2009, is available on the Daily News Technology page.

About this Entry

This page contains a single entry by Steven Rosenberg published on July 29, 2009 1:30 PM.