Recently in Encrypted hard disks Category

Laptop encryption — the ideal and the real

By Steven Rosenberg on July 29, 2009 1:30 PM | Permalink | Comments (2) |

I was listening to the Ubuntu UK podcast yesterday, and they were talking about how to do encryption, either full or partial, to protect the data on your computer from being stolen and used against you should the machine itself be lost or stolen.

While this does happen with desktops (there was a huge desktop theft at an office building here a number of months back, with lots of customer data now in jeopardy), I'm mostly talking about laptops, which we're in the habit of carrying everywhere. And whether out in the wild or at home, a laptop is still more attractive to your average thief because of its portability, value and easier salability.

First there are backups. You absolutely need backups of everything. Aside from loss and theft, there's hardware failure, software failure and the dreaded "operator error." You need backups. My main laptop didn't boot the other day, and while I had a backup, it was a week or so old. Once I calmed down, waited a few minutes and tried again, it did boot. I made new backups right away.

So if you lose that data, there should be a copy (preferably two).

But what about others seeing that data? You could have tons of e-mail, both personal and professional — and with who knows what in there. Then there are all of those browser cookies that help you log in to your various online accounts. Those could really sink you if your machine got into the wrong hands.

Creating encrypted folders is one way to deal with sensitive files. It's easy to do in Windows. I'm not sure how to do it in Mac OS X, and there are packages available in many Linux distributions to create encrypted folders and/or documents.

But ... is encrypting my entire folder of Thunderbird e-mail but not the rest of the directory an option? I don't think the Thunderbird app would be able to deal with it.

I still think the way to go is either encrypted partitions (at least /home /tmp and /swap in Linux) or a fully encrypted hard drive. I've written about encryption solutions before (and I should re-run that column here; I will if/when I find it).

And now I've been testing Debian Lenny with full LVM encryption (LVM = logical volume management, a more modern — and less-understandable — way of partitioning hard drives for Linux).

On the Ubuntu UK show, they talked about the performance hit that results from encrypted filesystems. It could be as high as 20 percent but is not as much of a factor in traditional desktop use as compared to situations where there is a lot more disk I/O, such as a server, or during times of disk-intensive activity (huge file transfers, backups, etc.).

And since Debian out of the box tends to run a bit faster than Ubuntu, I haven't really noticed any degradation in performance.

But ... for some reason NetworkManager isn't asking me for the root password and subsequently not making any changes to the network settings when I run it, so I'm not ready to replace Ubuntu 8.04 with Debian Lenny. ...

Thanks to Dustin Kirkland, I know that in Ubuntu 9.04 (Jaunty), it's possible to create an encrypted /home directory with either the live or alternate CDs. What I like about this approach is that the whole installation isn't encrypted. The OS itself doesn't need to be encrypted. Dustin does recommend encrypting /swap, and he provides instructions at the link above.

Fedora does allow use of encryption. It's flexible, and the documentation is great. And Fedora has an install DVD (which my laptops like).

OpenBSD does support encrypted partitions via vnconfig, but setting it up is a bit above my head.

I had planned to transfer all of my data from Ubuntu to Debian, but the non-working NetworkManager kind of stalled that. If I could somehow come to terms with the Intel Xorg issues in Ubuntu 9.04, I could probably save my Synaptic configuration (gotta figure that one out), back up everything and then reinstall with encrypted /home.

Clearest explanations on encrypted /home in Ubuntu: Migrating to an encrypted home directory
and Jaunty encrypted home directories by Dustin Kirkland,
or, better yet, all of his blog posts on this topic.

What about Hardy? How to Forge: Encrypt The System Manually Upon Installation (Ubuntu 8.04) (using the alternate CD).

Performance penalty not so big? Michael Larabel of Phoronix reports that encryption results in only a 1 percent performance hit in most (but not all) cases.

Smart government: The state of Connecticut encrypts its laptops, and the governor is all over it.

P.S. Dustin Kirkland — the same one mentioned above — is a developer with the Ubuntu Server team and was interviewed on the Ubuntu UK Podcast. See his blog.

Final words: Easy-to-configure options for encryption should be offered at install with all operating systems, including Linux-, BSD- Apple- and even Windows-based OSes.

Addendum to final words: Backups should also be easier to create and maintain.

Nice blog with curious title: I' Been to Ubuntu

By Steven Rosenberg on April 27, 2009 1:41 PM | Permalink | Comments (2) |

While Googling for information on encrypting filesystems for something I'm working on, I came across many a good Ubuntu blog — yep, there's lots out there for the Ubuntu user who wants to figure things out, and that makes the Canonical-sponsored rendition of Linux even more attractive to people whose geek skills are less than complete (and yes, I count myself in that number).

One blog that looked really good, despite an awful name, is I' Been to Ubuntu, which has many, many good articles and appears to be updated quite often. The blog is subtitled, "Videos and articles helping you understand Debian and its derivatives," and I always appreciate a site that gives Debian its due (and I continue to believe that it's not really any harder to run Debian than Ubuntu, and if Debian treats your hardware well, then it's a no-brainer; unfortunately my hardware hasn't been so well-treated in the Lenny era.)

Set up an encrypted Debian system

By Steven Rosenberg on June 21, 2008 5:00 AM | Permalink | Comments (0) |

I've done some experimenting with encrypted filesystems in Debian, which are easy to do with the Debian installer — and which are just as easy to do in Ubuntu if you use the alternate installer.

Like I said, it's easy to do and to manage, unless you want to have a bunch of partitions under a single passphrase. This blog post helps you figure it out.

While full encryption is something you might want to use on a home desktop, although I wouldn't, it's almost mandatory for a laptop. If the thing gets stolen, whoever gets that drive has access to everything on it. And you really don't want that happening, do you?

Right now, neither of my two Linux laptops are encrypted, since I use them for testing and need to see one system's hard-drive partitions from the other, but in the near future, if I decided to single-boot either or both of these, you can bet I'll be encrypting the hard drive.

« Conficker worm | Main Index | Archives | Norton »

New ways to sign in to comment: I just added the ability for prospective commenters on this blog to sign in using their AOL, Yahoo! and Wordpress.com accounts (for the past 200 posts anyway ... more than that will take an extensive, middle-of-the-night rebuild). That's in addition to the other sign-in choices, which include starting a Movable Type account on this blog, Typekey, OpenID, Live Journal and Vox. If you have trouble getting your Movable Type account verified, or any of the other sign-in options are not working properly, please e-mail me. With these added ways of signing in, there's more reason than ever for you to make a comment (or several!).