[personal profile] mtbc
For file encryption at home I have always used whole-volume encryption: previously LUKS on Linux, now the softraid crypto on OpenBSD. At work they became very excited about laptop security so, although I am working on open-source projects rather than students' confidential data, I thought that I should at least add some post-installation encryption to my work laptop and the most convenient solution was to use eCryptfs to encrypt my home directory. That way the key isn't stored anywhere on the system and I don't need to type an extra passphrase because, perhaps via PAM, it simply uses the password I already type to log in.

Overall I have found eCryptfs quite workable. My first build of the day takes twice as long but that's okay as once the system has got going performance seems fine. For schroot's fstab I needed to switch the mount of /home from bind to rbind because of how eCryptfs uses a mount to /home/mtbc once I log in. I suppose that for backups at work I could now just back up the encrypted view of my home directory but my backup script instead tars up the plaintext and runs it through gpg on the way to a network drive. I already need gpg at work anyway for tasks like signing releases.

Mark T. B. Carroll