Do I really need to encrypt home if I have full disk encryption?

Post by FullOfCaffeine »

Hi everyone,

I'm currently a happy user of Mint 18.3 that I installed with full disk encryption (LUKS) and also `home` folder encryption (which also includes the swap partition if I understood it right).

I'm also not worried about losing the files if I can't login for some reason, because I have a daily backup cron that takes care of creating encrypted backups of home to several external locations, so I'm fine there.

I never had any issues with the encrypted home folder. That is, until yesterday. While migrating some middleman-based blogs from an old computer and server to this Mint 18.3 laptop and a new server, I had to regenerate the blog locally. It so happens that one of the entries has a slug that is > 143 chars. I then stumbled upon an error of "filename too long", only to find out a bit later that it's actually an encfs restriction. I could just make the filename smaller, but there might be other slugs that are > 143 chars, due to some SEO work that's being done to this blog. The filename limit is actually quite limiting in this context and a bit ridiculous, I'd say.

I then started wondering if I really need to keep my `home` directory encrypted if I already have full-disk encryption enabled. I have a couple of questions regarding that:

1) Are there any ways to increase the filename limit for encfs?
2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled? Does encfs protect me in case the computer is stolen while it's still on and I'm logged in with my user (but screen locked), i.e., if physical access to the HD is somehow made while in this state, could the data in the home folder be read?
3) If the answer to #1 is a `no`, then how do I go about disabling encfs for `home` (and `swap`) safely without the need to reinstall the whole system?

Thanks in advance!
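
Added example, not part of the original post: a scan that lists every file or directory name longer than the 143-character limit mentioned above, so affected slugs can be found before the blog is regenerated inside the encrypted home. The function names are hypothetical, and the limit is counted in bytes (an assumption; a multibyte UTF-8 name reaches it with fewer visible characters).

```shell
#!/bin/sh
# Added example: list names under a directory that exceed the 143 limit from the post.
LIMIT=143   # value from the post; counted in bytes here (assumption)

# name_bytes NAME -> prints the length of NAME in bytes, not characters
name_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# too_long ROOT -> prints each path under ROOT whose last component is over LIMIT bytes
# (names containing newlines are not handled)
too_long() {
    find "$1" -mindepth 1 | while IFS= read -r path; do
        base=${path##*/}                      # strip the directory part
        if [ "$(name_bytes "$base")" -gt "$LIMIT" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Stand-alone use: ./scan.sh /path/to/generated/site
if [ "$#" -gt 0 ]; then
    too_long "$1"
fi
```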

Post by Pierre »

if full-disk LUKS encryption is also enabled, & on the same drive,
then you should Not need to also encrypt the /home partition, as well.
- unless /home is on a different drive, to that which has the LUKS encryption.
8)

Post by FullOfCaffeine »

Hi Pierre,

Thanks a lot for the reply.
Pierre wrote: if full-disk LUKS encryption is also enabled, & on the same drive,
then you should Not need to also encrypt the /home partition, as well.
That's precisely my case, `home` is on the same 1TB SSD drive that is also fully-LUKS-encrypted. In that case, how do I go about fully disabling the encfs encryption for home? Do I need to also disable it for the swap partition?

Post by NevyNeverKnowsBest »

FullOfCaffeine wrote: how do I go about fully disabling the encfs encryption for home? Do I need to also disable it for the swap partition?
Good question, and now that I think of it only after reading this thread, I have never tried undoing the home encryption before. I would be learning something new myself if you figure it out and share with us how you do it.

Encrypting the home folder on a drive already encrypted to begin with is adding a second layer of encryption to the first. It secures the data and makes it unimaginably difficult to access; however, there is also the opposite side of the coin, and that is if you ever lose the password to that data, you may never have it again unless you keep it backed up on something else.

Encryption really shouldn't be taken lightly unless there's something you really truly want to keep private, because once you lose a password, there's almost no hope.

Post by all41 »

fwiw
imho--plus reasons already mentioned--this could lead to nightmarish double jeopardy in an unexpected recovery scenario

Post by Pierre »

3/ you most likely would have to re-install the whole system,
as the encryption in LinuxMint is mainly done at the Installation Time.

Post by NevyNeverKnowsBest »

all41 wrote: Mon Feb 11, 2019 10:42 pm fwiw
imho--plus reasons already mentioned--this could lead to nightmarish double jeopardy in an unexpected recovery scenario
My thoughts exactly. I can't think of anything on a hard drive that is worth the risk. Once that password is lost, the chances are, quite literally, one in a billion.

Post by gm10 »

FullOfCaffeine wrote: Sun Feb 10, 2019 7:55 pm 2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled?
Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
FullOfCaffeine wrote: Sun Feb 10, 2019 7:55 pm 3) If the answer to #1 is a `no`, then how do I go about disabling encfs for `home` (and `swap`) safely without the need to reinstall the whole system?
From a virtual console, unlock your home folder, copy everything to another location outside of your home folder, then lock your home folder again, delete everything in it including hidden files (or just delete the folder and re-create it), finally copy the data back. If you need more guidance, I'm sure you'll find a guide or two via your favourite search engine.

Your home folder doesn't contain swap space (as far as I recall LM18.3 would create a separate swap partition).

Post by NevyNeverKnowsBest »

gm10 wrote: Tue Feb 12, 2019 4:53 am Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
I did not know that, admins can't access it? Can admins not give themselves ownership though?

Post by gm10 »

NevyNeverKnowsBest wrote: Tue Feb 12, 2019 6:55 am
gm10 wrote: Tue Feb 12, 2019 4:53 am Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
I did not know that, admins can't access it? Can admins not give themselves ownership though?
Admins can access it while you have it unlocked (i.e. you are logged in), but when you are not they would need either your login password or your encryption passphrase to be able to access it. Note that with access I mean the files contained within the encrypted container. They do, of course, have full access to the encrypted container itself, they just cannot look inside.

Post by NevyNeverKnowsBest »

gm10 wrote: Tue Feb 12, 2019 4:53 am Admins can access it while you have it unlocked (i.e. you are logged in), but when you are not they would need either your login password or your encryption passphrase to be able to access it. Note that with access I mean the files contained within the encrypted container. They do, of course, have full access to the encrypted container itself, they just cannot look inside.
This reinforces what all41 said above; losing the password or passphrase makes the task of retrieving and restoring that data next to impossible. I couldn't imagine using rainbow tables for it. You'd have to crack the first layer of encryption, then repeat the process. It could, in theory, take months to years.

Beware, newcomers.

Post by gm10 »

Well, yes, that's entirely the point of using encryption. Same goes for forgetting your full disk encryption password.

Post by FreedomTruth »

gm10 wrote: Tue Feb 12, 2019 4:53 am
FullOfCaffeine wrote: Sun Feb 10, 2019 7:55 pm 2) Are there any benefits to having the `home` encrypted with encfs if full-disk LUKS encryption is also enabled?
Not in a single user scenario. In a multi-user scenario it gives protection from other users (including administrators) accessing your files.
Ideally, yes. However in testing (on LM18) it seems once a user logs in, even after logging back out their home is still "unlocked," i.e. available for access from other users (or at least administrators, if you deny read access to others). There was a workaround suggested. viewtopic.php?f=90&t=242236&p=1294440#p1294475

I don't know whether this has been addressed or not in more recent LM 19 or an update to ecryptfs.

Post by gm10 »

FreedomTruth wrote: Tue Feb 12, 2019 10:32 am Ideally, yes. However in testing (on LM18) it seems once a user logs in, even after logging back out their home is still "unlocked," i.e. available for access from other users (or at least administrators, if you deny read access to others). There was a workaround suggested. viewtopic.php?f=90&t=242236&p=1294440#p1294475

I don't know whether this has been addressed or not in more recent LM 19 or an update to ecryptfs.
Good thing to point that out, yes. I'm not sure it's correct that that's an ecryptfs issue but I don't have one at hand to check. I know that there are a few processes in a default LM install that like to "hang" on logout, namely one of the cups daemons and the gnome-keyring-daemon.

I have a session-cleanup-script in place addressing those. In my opinion that's preferable to the general KillUserProcesses=yes in the linked workaround since when something else doesn't want to terminate it's possibly because it's still doing something important that I don't want to kill off no questions asked, so I can well understand why the workaround mentions that it has been met with heavy opposition as a default value. But if log-off encryption security is your tantamount consideration then it's the right thing to do.
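
A check for the situation discussed in the two posts above, as an added example that is not part of the thread: it reports eCryptfs home mounts that are still unlocked although their owner has no login session, and lists the processes that are left over. The function names are hypothetical, the mount lines are constructed, and it assumes homes are mounted at /home/<user> and that `who` lists the active sessions.

```shell
#!/bin/sh
# Added example: find eCryptfs home mounts left unlocked after their owner logged out.
# Assumes homes are mounted at /home/<user>, as in the constructed sample below.

# Constructed sample in /proc/mounts format (signature values are placeholders).
sample_mounts() {
cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/home/.ecryptfs/bob/.Private /home/bob ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# ecryptfs_homes MOUNTS_FILE -> prints "user mountpoint" for each ecryptfs mount under /home
ecryptfs_homes() {
    awk '$3 == "ecryptfs" && $2 ~ /^\/home\/[^\/]+$/ {
        n = split($2, p, "/"); print p[n], $2
    }' "$1"
}

# stale_homes MOUNTS_FILE SESSION_USERS -> mounts whose user is not in the
# space-separated SESSION_USERS list
stale_homes() {
    ecryptfs_homes "$1" | while read -r user mnt; do
        case " $2 " in
            *" $user "*) ;;                        # logged in: expected to be unlocked
            *) printf '%s %s\n' "$user" "$mnt" ;;  # logged out but still mounted
        esac
    done
}

# Live use: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    users=$(who | awk '{print $1}' | sort -u | tr '\n' ' ')
    stale_homes /proc/mounts "$users" | while read -r user mnt; do
        echo "$mnt is still unlocked, but $user has no login session; remaining processes:"
        ps -u "$user" -o pid=,comm=
    done
fi
```

The process list shows what a session cleanup script would have to stop before the home can be unmounted.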

Post by NevyNeverKnowsBest »

gm10 wrote: Tue Feb 12, 2019 7:38 am Well, yes, that's entirely the point of using encryption. Same goes for forgetting your full disk encryption password.
True.

Post by Pierre »

there shouldn't be any Real Reason to encrypt home, if there is already a full disk encryption ..

and IMHO I'm yet to understand, why some folks see the need for any sort of encryption, at all.
- - that confuses me, somewhat. :?

maybe, if you have your own business, or complicated financial affairs - then maybe. ..

Post by gm10 »

Pierre wrote: Tue Feb 12, 2019 10:49 pm and IMHO I'm yet to understand, why some folks see the need for any sort of encryption, at all.
- - that confuses me, somewhat. :?
On a computer you leave the house with I think it's quite essential. Otherwise anybody getting their hands on it (typically because it got stolen or was lost) has easy access to your data on the device and potentially all connected online accounts. Goes for smartphones, too, of course.

Post by Pierre »

yeah - on a Microsoft Windows machine - - that would be understandable,
- - but if your machine is now running a Linux System - - is that requirement - still there ?
surely, you would now class your Linux machine, as more secure :?: or not ?.

to me, there is still some amount of paranoia, involved in encrypting your machine(s).
- - - which I've found hard to justify. :?
in my experience of Linux Systems - - they are far more secure, than say, my wife's windows based machine.
- - which I've lots of Fun, in maintaining it. :( :(

Post by gm10 »

Pierre wrote: Tue Feb 12, 2019 11:08 pm yeah - on a Microsoft Windows machine - - that would be understandable,
- - but if your machine is now running a Linux System - - is that requirement - still there ?
surely, you would now class your Linux machine, as more secure :?: or not ?.
Why would you say that? A Linux machine has no security mechanism at all in the situation that somebody else gets their hands on it. Encryption is the only option.

Post by NevyNeverKnowsBest »

Another scenario that comes to mind when encryption is a great idea is if you install your OS on a flash drive or external/portable hard drive. I have used Linux almost entirely on USB 2.0 flash drives, and while I never encrypted them, I would certainly recommend it if you carry the flash drive with you.