27.03.2009 19:59

Filesystem encryption on Linux

After months of reviewing different filesystem encryption implementations for GNU/Linux I settled on two possible candidates: dm-crypt and eCryptfs. The first provides a block device encryption layer, while eCryptfs is an actual filesystem - a stacked cryptographic filesystem, to be exact. After another month of weighing options I decided to use eCryptfs for protecting my laptop.

Being a stacked FS, eCryptfs mounts on top of an existing filesystem, so it doesn't require a pre-allocated block device. You can mount it on top of any single directory to protect it. The drawbacks are that you can't use it to protect your swap partition, nor does it provide plausible deniability - it's obvious that encrypted data exists. Here is a nice table comparing these two implementations. Besides speed and simplicity, eCryptfs is a really clever implementation and it's just what I need right now.

I used eCryptfs to encrypt my entire $HOME, which is still kind of an undocumented area. So I decided to write an article describing my setup, which explains how to use eCryptfs for $HOME encryption and dm-crypt for protecting swap space (without breaking hibernation). The next Ubuntu release will have $HOME encryption with eCryptfs integrated, so it will be interesting to see how they implemented it. By the way, right now I am more concerned about privacy issues than security - that's why I didn't encrypt my entire drive, yet. Even if I did all I could with current solutions I still wouldn't be at the level of security I really want:

With strong crypto I still want a few other things, the most important one being plausible deniability: either to have completely hidden encrypted volumes (TrueCrypt hidden volumes can be detected) or to have different keys unlocking different data. The secret police should not be able to prove that not everything was decrypted.


Written by anrxc | Permalink | Filed under crypto, code