Do I really need to encrypt home if I have full disk encryption?
Hi everyone,
I'm currently a happy user of Mint 18.3 that I installed with full disk encryption (LUKS) and also `home` folder encryption (which also includes the swap partition if I understood it right).
I'm also not worried about losing the files if I can't login for some reason, because I have a daily backup cron that takes care of creating encrypted backups of home to several external locations, so I'm fine there.
I never had any issues with the encrypted home folder. That is, until yesterday. While migrating some middleman-based blogs from an old computer and server to this Mint 18.3 laptop and a new server, I had to regenerate the blog locally. It happens that one of the entries has a slug that is > 143 chars. I then stumbled upon an error of "filename too long" just to find out a bit later that it's actually an encfs restriction. I could just make the filename smaller, but there might be other slugs that are > 143 chars, due to some SEO work that's being done to this blog. The filename limit is actually quite limiting in this context and a bit ridiculous I'd say.
I then started wondering if I really need to keep my `home` directory encrypted if I already have full-disk encryption enabled. I have a couple of questions regarding that:
1) Are there any ways to increase the filename limit for encfs?
2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled? Does encfs protect me in case the computer is stolen while it's still on and I'm logged in with my user (but screen locked), i.e. if physical access to the HD is somehow made while in this state, could the data in the home folder be read?
3) If the answer to #1 is a `no`, then how do I go about disabling encfs for `home` (and `swap`) safely without the need to reinstall the whole system?
Thanks in advance!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 5 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
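Added example, not part of the original post: a pre-flight check for the "filename too long" failure described above, listing every entry in a generated site whose name exceeds the 143 quoted in the post. Counting bytes rather than characters and the `./build` directory name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report directory entries whose name is
# longer than a byte limit. 143 is the limit quoted in the original post.

# long_names DIR [LIMIT]
# Prints "<name length in bytes><TAB><path>" for every entry under DIR whose
# final path component exceeds LIMIT bytes.
long_names() {
    dir=$1
    limit=${2:-143}
    # find hands the paths to a child shell as arguments, so names with
    # spaces or newlines arrive intact.
    find "$dir" -mindepth 1 -exec sh -c '
        limit=$1; shift
        for path do
            name=${path##*/}
            # wc -c counts bytes, so a multi-byte UTF-8 character in a slug
            # costs what it costs on disk (assumption: the limit is in bytes).
            n=$(( $(printf %s "$name" | wc -c) ))
            if [ "$n" -gt "$limit" ]; then
                printf "%s\t%s\n" "$n" "$path"
            fi
        done
    ' sh "$limit" {} +
}

# Usage: long_names ./build        (./build is a hypothetical output directory)
```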
Re: Do I really need to encrypt home if I have full disk encryption?
if full-disk LUKS encryption is also enabled, & on the same drive,
then you should Not need to also encrypt the /home partition, as well.
- unless /home is on a different drive, to that which has the LUKS encryption.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Re: Do I really need to encrypt home if I have full disk encryption?
> if full-disk LUKS encryption is also enabled, & on the same drive,,
> then you should Not need to also encrypt the /home partition, as well.
Hi Pierre,
Thanks a lot for the reply.
That's precisely my case, `home` is on the same 1TB SSD drive that is also fully-LUKS-encrypted. In that case, how do I go about fully disabling the encfs encryption for home? Do I need to also disable it for the swap partition?
Re: Do I really need to encrypt home if I have full disk encryption?
> how do I go about fully disabling the encfs encryption for home? Do I need to also disable it for the swap partition?
Good question, and now that I think of it only after reading this thread, I have never tried undoing the home encryption before. I would be learning something new myself if you figure it out and share with us how you do it.
Encrypting the home folder on a drive already encrypted to begin with is adding a second layer of encryption to the first. It secures the data and makes it unimaginably difficult to access; however, there is also the opposite side of the coin, and that is if you ever lose the password to that data, you may never have it again unless you keep it backed up on something else.
Encryption really shouldn't be taken lightly unless there's something you really truly want to keep private, because once you lose a password, there's almost no hope.
Re: Do I really need to encrypt home if I have full disk encryption?
fwiw
imho--plus reasons already mentioned--this could lead to nightmarish double jeopardy in an unexpected recovery scenario
Everything in life was difficult before it became easy.
Re: Do I really need to encrypt home if I have full disk encryption?
3/ you most likely, would have to re-install the whole system,
as the encryption in LinuxMint is mainly done at the Installation Time.
Re: Do I really need to encrypt home if I have full disk encryption?
My thoughts exactly. I can't think of anything on a hard drive that is worth the risk. Once that password is lost, the chances are, quite literally, one in a billion.
Re: Do I really need to encrypt home if I have full disk encryption?
FullOfCaffeine wrote: ⤴Sun Feb 10, 2019 7:55 pm
> 2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled?
Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
FullOfCaffeine wrote: ⤴Sun Feb 10, 2019 7:55 pm
> 3) If the answer to #1 is a `no`, then how do I go about disabling encfs for `home` (and `swap`) safely without the need to reinstall the whole system?
From a virtual console, unlock your home folder, copy everything to another location outside of your home folder, then lock your home folder again, delete everything in it including hidden files (or just delete the folder and re-create it), finally copy the data back. If you need more guidance, I'm sure you'll find a guide or two via your favourite search engine.
Your home folder doesn't contain swap space (as far as I recall LM18.3 would create a separate swap partition).
Re: Do I really need to encrypt home if I have full disk encryption?
NevyNeverKnowsBest wrote: ⤴Tue Feb 12, 2019 6:55 am
> I did not know that, admins can't access it? Can admins not give themselves ownership though?
Admins can access it while you have it unlocked (i.e. you are logged in), but when you are not they would need either your login password or your encryption passphrase to be able to access it. Note that with access I mean the files contained within the encrypted container. They do, of course, have full access to the encrypted container itself, they just cannot look inside.
Re: Do I really need to encrypt home if I have full disk encryption?
gm10 wrote: ⤴Tue Feb 12, 2019 4:53 am
> Admins can access it while you have it unlocked (i.e. you are logged in), but when you are not they would need either your login password or your encryption passphrase to be able to access it. Note that with access I mean the files contained within the encrypted container. They do, of course, have full access to the encrypted container itself, they just cannot look inside.
This reinforces what all41 said above; losing the password or passphrase makes the task of retrieving and restoring that data next to impossible. I couldn't imagine using rainbow tables for it. You'd have to crack the first layer of encryption, then repeat the process. It could, in theory, take months to years.
Beware, newcomers.
Re: Do I really need to encrypt home if I have full disk encryption?
Well, yes, that's entirely the point of using encryption. Same goes for forgetting your full disk encryption password.
Re: Do I really need to encrypt home if I have full disk encryption?
gm10 wrote: ⤴Tue Feb 12, 2019 4:53 am
> FullOfCaffeine wrote: ⤴Sun Feb 10, 2019 7:55 pm
> > 2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled?
> Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
Ideally, yes. However in testing (on LM18) it seems once a user logs in, even after logging back out their home is still "unlocked," i.e. available for access from other users (or at least administrators, if you deny read access to others). There was a workaround suggested. viewtopic.php?f=90&t=242236&p=1294440#p1294475
I don't know whether this has been addressed or not in more recent LM 19 or an update to ecryptfs.
Re: Do I really need to encrypt home if I have full disk encryption?
FreedomTruth wrote: ⤴Tue Feb 12, 2019 10:32 am
> Ideally, yes. However in testing (on LM18) it seems once a user logs in, even after logging back out their home is still "unlocked," i.e. available for access from other users (or at least administrators, if you deny read access to others). There was a workaround suggested. viewtopic.php?f=90&t=242236&p=1294440#p1294475
> I don't know whether this has been addressed or not in more recent LM 19 or an update to ecryptfs.
Good thing to point that out, yes. I'm not sure it's correct that that's an ecryptfs issue but I don't have one at hand to check. I know that there are a few processes in a default LM install that like to "hang" on logout, namely one of the cups daemons and the gnome-keyring-daemon.
I have a session-cleanup-script in place addressing those. In my opinion that's preferable to the general KillUserProcesses=yes in the linked workaround since when something else doesn't want to terminate it's possibly because it's still doing something important that I don't want to kill off no questions asked, so I can well understand why the workaround mentions that it has been met with heavy opposition as a default value. But if log-off encryption security is your tantamount consideration then it's the right thing to do.
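Added example, not part of either post above: a check for the condition the two posts describe, an ecryptfs home that is still mounted after its owner has logged out. It reads mount entries in `/proc/mounts` format and assumes each home is mounted at `/home/<user>` and that `who` lists every active session; the sample lines and the user names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list ecryptfs mounts whose owner has no
# active login session, i.e. homes left unlocked after logout.

# stale_ecryptfs_homes [MOUNTS_FILE] [ACTIVE_USERS]
# Prints "<user><TAB><mount point>" for each stale mount.
stale_ecryptfs_homes() {
    mounts=${1:-/proc/mounts}
    # Default: users with a session according to who(1); an explicit empty
    # string as the second argument means "nobody is logged in".
    active=${2-$(who | awk '{print $1}' | sort -u | tr '\n' ' ')}
    awk -v active="$active" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) on[a[i]] = 1 }
        # Fields: source, mount point, fs type, options, dump, pass
        $3 == "ecryptfs" {
            user = $2
            sub(/.*\//, "", user)      # assumption: home is /home/<user>
            if (!(user in on)) print user "\t" $2
        }
    ' "$mounts"
}

# Constructed sample in /proc/mounts format: alice and bob both have an
# unlocked ecryptfs home.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/mint--vg-root / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# Demo on the sample: only alice is logged in, so the home of bob is reported.
sample_mounts | stale_ecryptfs_homes - "alice"
```

On a live system, call `stale_ecryptfs_homes` with no arguments after a user has logged out.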
Re: Do I really need to encrypt home if I have full disk encryption?
there shouldn't be any Real Reason to encrypt home, if there is already a full disk encryption.
and IMHO I'm yet to understand, why some folks see the need for any sort of encryption, at all.
- - that confuses me, somewhat.
maybe, if you have your own business, or complicated financial affairs - then maybe.
Re: Do I really need to encrypt home if I have full disk encryption?
On a computer you leave the house with I think it's quite essential. Otherwise anybody getting their hands on it (typically because it got stolen or was lost) has easy access to your data on the device and potentially all connected online accounts. Goes for smartphones, too, of course.
Re: Do I really need to encrypt home if I have full disk encryption?
yeah - on a Microsoft Windows machine - - that would be understandable,
- - but if your machine is now running a Linux System - - is that requirement - still there?
surely, you would now class your Linux machine, as more secure or not?
to me, there is still some amount of paranoia, involved in encrypting your machine(s).
- - - which I've found hard to justify.
in my experience of Linux Systems - - they are far more secure, than say, my wife's windows based machine.
- - which I've lots of Fun, in maintaining it.
Re: Do I really need to encrypt home if I have full disk encryption?
Why would you say that? A Linux machine has no security mechanism at all in the situation that somebody else gets their hands on it. Encryption is the only option.
Re: Do I really need to encrypt home if I have full disk encryption?
Another scenario that comes to mind when encryption is a great idea is if you install your OS on a flash drive or external/portable hard drive. I have used Linux almost entirely on USB 2.0 flash drives, and while I never encrypted them, I would certainly recommend it if you carry the flash drive with you.