After months of reviewing different filesystem encryption
implementations for GNU/Linux I settled on two possible
candidates. Those were: dm-crypt and eCryptfs. The first
provides a block device encryption layer
while eCryptfs is an actual filesystem - a stacked
cryptographic filesystem to be exact. After another month of
weighing options I decided to use eCryptfs for protecting my
laptop.
Being a stacked FS, eCryptfs mounts on top of an existing
filesystem so it doesn't require a pre-allocated block device. You can
mount it on top of any single directory to protect it. Drawbacks are
that you can't use it to protect your swap partition, nor does it
provide plausible deniability - it's obvious that encrypted data
exists. Here is a nice table comparing these two
implementations. Besides speed and
simplicity eCryptfs is a really clever implementation and it's just
what I need right now.
I used eCryptfs to encrypt my entire $HOME, which is still
kind of an undocumented area. So I decided to write an article
describing my setup, which explains how to use eCryptfs for
$HOME encryption and dm-crypt for protecting swap
space (without breaking hibernation). The next Ubuntu
release will have $HOME encryption with eCryptfs integrated
so it will be interesting to see how they implemented it. By the way,
right now I am more concerned about privacy issues than
security - that's why I didn't encrypt my entire drive, yet. Even if I
did all I could with current solutions I still wouldn't be at the
level of security I really want: With strong crypto I still want a
few other things, the most important one being plausible
deniability. Either to have completely hidden
encrypted volumes (TrueCrypt hidden volumes can be detected)
or to have different keys unlocking different data. The secret
police should not be able to prove that not everything was
decrypted.