On Sun, Sep 11, 2011 at 02:23:37PM +0100, Jon Dowland wrote: > I think it would be wonderful to have such ease-of-use $HOME > encryption in Debian. Ubuntu's scheme uses ecryptfs. Before I begin > looking into how best I might help work towards this, I was wondering > if experienced people could weigh in with advice on whether ecryptfs > is likely to be the most sensible way to achieve the desired result, > or is something else worthy of consideration?
Yes: full-disk encryption is better than homedir encryption. The reason is that the idea that all your data resides in your $HOME is a fallacy. Maybe you've got a database installed, which means you've got significant gobs of data in /var. The actual packages you've got installed on your machine will leak some information, too. Most importantly, temporary files get written to your /tmp, and if that's a mounted partition, anyone who knows how to retrieve removed files (which really isn't all that hard) can get, say, the contents of most files you've been editing over the last few days/weeks/months (depending on free disk space). You might think that the above is overly paranoid, but then why go through the effort of encrypting at all if you're going to leave such glaring holes in the system? And guess what, Debian already supports installing with full-disk encryption. -- The volume of a pizza of thickness a and radius z can be described by the following formula: pi zz a
signature.asc
Description: Digital signature
