On 11/08/2012 05:18 AM, Niels ten Oever wrote: > Dear Micah, > > Small correction to your piece: Selecting full disk encryption in the > installer GUI was already possible in Ubuntu 12.04. > > The explanation wasn't as clear as it is now though.
Before 12.10 the Ubuntu GUI installer only let you set up home directory encryption using encryptfs, which is different than full disk encryption. This option is still there in 12.10, and you can choose to use it as well as full disk encryption if you want (I can't see how it could help though). With encryptfs home directory encryption, all of the individual files in your home folder get stored encrypted on the disk, but a lot of data about your files still gets leaked. The directory structure, file size, timestamps, etc. don't get encrypted, only the contents of the files. And it's also only your home directory that gets encrypted, not your whole disk. So for example, if you have any mysql databases on your computer, that data gets stored in /var/lib/mysql and therefore won't get encrypted. When you're not encrypting your whole hard drive, "evil maid" style attacks become much easier. If someone gets physical access to your computer for just a couple minutes, they can boot to a live cd and replace your /usr/bin/ssh or /usr/bin/gpg with malicious versions. The full disk encryption that's offered in 12.10 uses luks and differs in many ways from encryptfs home directory encryption. It creates full encrypted file systems, which means that no meta data about the files on your computer get leaked. The key that's used to unlock the luks partitions are encrypted with a separate passphrase that isn't your user password, and you have to enter this each time you boot your computer, which is more secure since user passwords tend to not be long passphrases. -- Micah Lee https://twitter.com/micahflee
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
