107
  • Does encrypting my home folder make my computer more secure?
  • Do I have to enter my password more if my home folder is encrypted?
  • What else should I know about encrypting my home folder?
seb
  • 2,341
David Siegel
  • 8,932

5 Answers

95

Simply

  1. Encrypting your home folder doesn't actually make your computer more secure - it simply makes all the files and folders in your home folder more secure from unauthorized viewing.
    • Your computer is still "vulnerable" in a security standpoint - but it becomes very difficult for your content to be stolen (unless the attacker has your password).
  2. You won't need to actually enter your password any more than you normally do - when you log in to your computer your files are seamlessly decrypted for just your session.
  3. There is a possibility (depending on your computer's hardware) that this will affect the performance of your machine. If you're worried about performance more than security (and you're on an older machine) you may wish to disable this feature.

Technically

Ubuntu uses "eCryptfs", which stores all the data in a directory (in this case the home folders) as encrypted data. When a user is logged in, that encrypted folder is mounted with a second decryption mount (this is a temporary mount that works similarly to tmpfs - it's created and run in RAM so the files are never stored in a decrypted state on the HD). The idea is - if your hard drive is stolen and the contents read, those items aren't able to be read, since Linux needs to be running with your authentication to create the successful mount and decryption (the keys are SHA-512 encrypted data based off several user aspects - the keys are then stored in your encrypted key ring). The end result is technically secure data (as long as your password isn't cracked or leaked).

You will not have to enter your password any more than usual. There is a slight increase in disk I/O and CPU usage which (depending on your computer specs) may hinder performance - though it's quite seamless on most modern PCs.

Marco Ceppi
  • 48,101
  • 5
    Marco, thank you for your answer, you seem to have an excellent grasp of home folder encryption. Just for the benefit of less technical users, can you spare me all the technical detail and answer the question as if I were asking as a computer-illiterate user? – David Siegel Jul 28 '10 at 20:00
  • 2
    I amended my answer to reflect a simpler viewpoint – Marco Ceppi Jul 28 '10 at 20:14
  • 1
    Thank you! (There are some formatting quirks, though) – David Siegel Jul 28 '10 at 20:20
  • The second bullet is a sub-bullet of the first point; I'll make that more obvious.

    There, that should make more sense.

    – Marco Ceppi Jul 28 '10 at 20:23
  • I guess I would say “it doesn't make your computer more secure, but it does make your data more secure”.

    There are also some eCryptfs bugs you might hit, depending on your usage. Specifically, you will be unable to create files with extremely long filenames. You'll likely only hit this if a tool you use feels like creating files in a deep directory hierarchy with tremendously long (hundreds of characters) names.

    – RAOF Jul 29 '10 at 01:50
  • 11
    Also note that if you dual-boot, it makes accessing your Linux partition from your secondary OS much more difficult. In Windows, I had installed a simple driver to read my EXT3 partition, but now I'm locked out. Oy! – Jono Jul 29 '10 at 05:15
  • What happens if someone with your computer just does passwd yourusername, and then logs in as you? – plod Jul 29 '10 at 09:50
  • 2
    plod: That's where the security stops. If someone has your password then it's game over. – Marco Ceppi Jul 29 '10 at 14:37
  • Jono: But your data is secure! I'm not sure of a way to cleanly and properly set up eCryptfs for Windows and use the existing decryption keys in your keyring. – Marco Ceppi Jul 29 '10 at 14:38
  • Might be a good idea to mention that it blocks hibernation - well the hibernation itself will work but not resume because the swap is encrypted too. More details at bugs.launchpad.net/bugs/432785 – papukaija Feb 20 '11 at 22:53
  • @papukaija ecryptfs for the home directory does not block hibernation. Encrypting swap does. – Jan Oct 27 '11 at 20:24
  • It might make sense to add that it's harder to recover your files if you've encrypted them and you forget or lose the password and passphrase. – N.N. Oct 27 '11 at 20:40
  • I'm wondering if some answers can comment more on this: "Your computer is still "vulnerable" in a security standpoint - but it becomes very difficult for your content to be stolen (unless the attacker has your password)." I also see this echoed in two of the answers below. So why do people say that your computer is still "vulnerable"? – Jay Jan 09 '12 at 05:23
  • @Jay I'm guessing they mean your computer can still be compromised, as in stolen and with another account the computer can still be used. It's just a way to prevent others from accessing your data, not to make your computer exclusively work for you. – Jochem Kuijpers Sep 02 '14 at 12:10
15

There's a nice article on the topic written by the Ubuntu developer himself, please see: http://www.linux-mag.com/id/7568/1/

Summary:

  • A combination of LUKS and dm-crypt is used for whole-disk encryption in Linux. Ubuntu uses the Enterprise Cryptographic File System (eCryptfs) from version >= 9.10 to enable home drive encryption on login.

  • An upper and lower directory are created, where the upper directory is stored unencrypted in RAM, granting access to the system and current user. The lower directory is passed atomic, encrypted units of data and stored in physical memory.

  • File and directory names use a single, mount-wide fnek (file name encryption key). The header of each encrypted file contains an fek (file encryption key), wrapped with a separate, mount-wide fekek (file encryption key, encryption key). The Linux kernel keyring manages keys and provides encryption via its common ciphers.

  • Using an eCryptfs PAM (Pluggable Authentication Module) does not break unattended reboots, unlike typical full-disk encryption solutions.

  • The eCryptfs layered filesystem enables per-file, incremental, encrypted backups.

al-maisan
  • 321
  • 3
    Can you turn your link-only answer into a more useful one, by summarising main points raised in that article? – arekolek Aug 09 '16 at 22:11
9

Less technical answer, as requested by OP.

Security benefits of encrypted Home via ecryptfs as in Ubuntu:

  • Will not require any additional passwords or keys to be remembered or entered.
  • Does not make your computer more secure on a network, e.g. on the internet.
  • If the computer is shared between several users, provides an additional barrier against other users accessing your files. (Difficult technical discussion.)
  • If an attacker gains physical access to your computer, e.g. steals your notebook, this will protect your data from being read by the thief. (If the computer is off they cannot read your data without your password. If the computer is switched on and you are logged in, it's possible for a thief to steal your data, but this requires a more advanced attack and is therefore less likely.)
Jan
  • 3,598
6

What else you should know about encrypting your home folder is that the data in it is not accessible when you are not logged in. If you have some automated or external process (like a crontab) that tries to access this data, it will work great while you are watching it, but fail when you are not watching it. This is very frustrating to debug.
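
One way to make that failure visible instead of silent, as an added example that is not part of the original answer: a guard for unattended jobs that checks whether the home directory is currently an eCryptfs mount before running anything. The function names, the sample mount table and the `/home/alice` path are constructed for illustration, and the check assumes the home path contains no whitespace.

```shell
#!/bin/sh
# Added example: guard for cron jobs that read an eCryptfs-encrypted home.
# All names below are hypothetical; nothing here comes from ecryptfs-utils.

# home_is_decrypted MOUNTS_FILE HOME_DIR
# Returns 0 if HOME_DIR is the mount point of an ecryptfs filesystem
# listed in MOUNTS_FILE (same format as /proc/mounts), 1 otherwise.
home_is_decrypted() {
    mounts_file=$1
    home_dir=${2%/}            # drop a trailing slash before comparing
    [ -r "$mounts_file" ] || return 1
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk -v home="$home_dir" '
        $2 == home && $3 == "ecryptfs" { found = 1 }
        END { exit !found }
    ' "$mounts_file"
}

# run_if_decrypted MOUNTS_FILE HOME_DIR COMMAND [ARGS...]
# Runs COMMAND only while the home is decrypted; otherwise logs the reason
# and returns 75 (EX_TEMPFAIL) so the skipped run is visible in cron mail.
run_if_decrypted() {
    mounts_file=$1; home_dir=$2; shift 2
    if home_is_decrypted "$mounts_file" "$home_dir"; then
        "$@"
    else
        echo "skip: $home_dir is not an ecryptfs mount (user logged out?)" >&2
        return 75
    fi
}

# Constructed sample in /proc/mounts format; the signature is a placeholder.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=PLACEHOLDER,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF
}

# In a real cron script (job name is hypothetical):
#   run_if_decrypted /proc/mounts "$HOME" "$HOME/bin/nightly-backup"
```

A job wrapped this way exits with a distinct status and a log line when the user is logged out, rather than failing partway on missing files.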

2

The security of your actual system isn't determined by the security of your files, folders, and documents... all it does is make them slightly more secure from prying eyes...

zkriesse
  • 1,425