ecryptfs - weakish/cheat GitHub Wiki

During the "set up user" stage of the Ubuntu installer you get the option of encrypting your home directory. If you select it, your home directory is encrypted with eCryptfs using a randomly generated mount passphrase; that mount passphrase is stored in a wrapped-passphrase file which is itself encrypted with your login password. When you log in, the PAM module unwraps the mount passphrase with your login password and mounts your home directory automatically.

The installer also sets up encrypted swap (dm-crypt with a random key taken from /dev/urandom at every boot). Because that key is never preserved, suspend-to-disk cannot resume from an encrypted swap of this kind.

After installation, you can put /tmp on tmpfs so that temporary files never land unencrypted on the root filesystem (tmpfs pages that get swapped out go to the encrypted swap). Add this line to /etc/fstab; mode=1777 keeps the sticky world-writable permissions /tmp needs, and nosuid,nodev stop setuid binaries and device nodes from being usable there:

tmpfs /tmp tmpfs mode=1777,nosuid,nodev 0 0

You should also run the following command once and keep the output somewhere safe (offline, not inside the encrypted home). It prints the mount passphrase after asking for your login password; that passphrase is the only way to recover your data if you forget your login password or need to mount the home directory from another system. Replace "username" with your user name:

ecryptfs-unwrap-passphrase /home/.ecryptfs/username/.ecryptfs/wrapped-passphrase

You may also put /var/tmp on tmpfs with the same options. Note that /var/tmp is normally expected to survive reboots, so programs that keep state there will lose it.

mlocate stores an index of all file names in /var/lib/mlocate/mlocate.db, which lives on the unencrypted root filesystem, so the (decrypted) file names under your home directory would leak to anyone who gets hold of the disk. Add /home to PRUNEPATHS in /etc/updatedb.conf and run updatedb afterwards so the existing database is rebuilt without those entries.
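The steps above (tmpfs for /tmp and /var/tmp, encrypted swap, /home pruned from mlocate) are easy to get half right, so here is an added audit script that checks them; it is example code written for this page, not part of the wiki or of the ecryptfs-utils package. Each check reads the mount table or config file it is handed, so the script runs here against constructed sample files (labelled as such in the code; the user name alice, the ecryptfs signature and the sizes are made up); on a live machine call the same functions with /proc/mounts, /etc/updatedb.conf and /proc/swaps.

```shell
#!/bin/sh
# Audit of the post-install hardening described above (added example, not part
# of the original wiki page). Every check reads the mount table or config file
# it is handed, so the script runs against constructed sample files; on a live
# machine call the functions with /proc/mounts, /etc/updatedb.conf, /proc/swaps.

# Is directory $1 mounted as ecryptfs according to mount table $2 (/proc/mounts format)?
is_ecryptfs_mount() {
    awk -v dir="$1" '$2 == dir && $3 == "ecryptfs" { ok = 1 }
                     END { exit (ok ? 0 : 1) }' "$2"
}

# Is directory $1 a tmpfs mounted with both nosuid and nodev (table $2)?
is_hardened_tmpfs() {
    awk -v dir="$1" '
        $2 == dir && $3 == "tmpfs" {
            s = 0; d = 0; n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "nosuid") s = 1
                if (opt[i] == "nodev")  d = 1
            }
            if (s && d) ok = 1
        }
        END { exit (ok ? 0 : 1) }' "$2"
}

# Will updatedb (config $2) leave directory $1 out of mlocate.db? Yes if an
# entry in PRUNEPATHS is the directory or one of its parents, or if PRUNEFS
# names the ecryptfs filesystem type (which skips every ecryptfs mount).
updatedb_skips() {
    awk -v dir="$1" '
        function values(line,  v) { v = line; sub(/^[A-Z_]+=/, "", v); gsub(/"/, "", v); return v }
        /^PRUNEPATHS=/ { n = split(values($0), p, " ")
                         for (i = 1; i <= n; i++)
                             if (p[i] == dir || index(dir, p[i] "/") == 1) ok = 1 }
        /^PRUNEFS=/    { n = split(values($0), p, " ")
                         for (i = 1; i <= n; i++) if (p[i] == "ecryptfs") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$2"
}

# Is every active swap area in $1 (/proc/swaps format) a device-mapper mapping?
# The installer's encrypted swap shows up as /dev/mapper/cryptswap1; any swap
# area outside /dev/mapper/ is reported as plaintext.
all_swap_encrypted() {
    awk 'NR > 1 && NF > 0 && $1 !~ /^\/dev\/mapper\// { bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Print one line per check: "ok"/"FAIL" followed by the check and its arguments.
report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }

# audit MOUNTS UPDATEDB_CONF SWAPS USER
audit() {
    report is_ecryptfs_mount "/home/$4" "$1"
    report is_hardened_tmpfs /tmp "$1"
    report is_hardened_tmpfs /var/tmp "$1"
    report updatedb_skips "/home/$4" "$2"
    report all_swap_encrypted "$3"
}

# --- constructed sample inputs (not captured from a real machine) ---
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_MOUNTS=$SAMPLE_DIR/mounts
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/home/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,mode=1777 0 0
tmpfs /var/tmp tmpfs rw,relatime 0 0
EOF
SAMPLE_CONF_DEFAULT=$SAMPLE_DIR/updatedb.conf.default   # /home still indexed
printf 'PRUNEPATHS="/tmp /var/spool /media"\nPRUNEFS="NFS nfs proc sysfs tmpfs"\n' > "$SAMPLE_CONF_DEFAULT"
SAMPLE_CONF_FIXED=$SAMPLE_DIR/updatedb.conf.fixed       # /home added to PRUNEPATHS
printf 'PRUNEPATHS="/tmp /var/spool /media /home"\nPRUNEFS="NFS nfs proc sysfs tmpfs"\n' > "$SAMPLE_CONF_FIXED"
SAMPLE_SWAPS_CRYPT=$SAMPLE_DIR/swaps.crypt
printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/mapper/cryptswap1\tpartition\t4194300\t0\t-1\n' > "$SAMPLE_SWAPS_CRYPT"
SAMPLE_SWAPS_PLAIN=$SAMPLE_DIR/swaps.plain
printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/sda2\tpartition\t4194300\t0\t-1\n' > "$SAMPLE_SWAPS_PLAIN"

# Against these samples /var/tmp lacks nosuid,nodev and the default
# updatedb.conf still indexes /home, so those two lines report FAIL.
audit "$SAMPLE_MOUNTS" "$SAMPLE_CONF_DEFAULT" "$SAMPLE_SWAPS_CRYPT" alice
```

The updatedb check accepts either route to the same result: a PRUNEPATHS entry covering the home directory, or PRUNEFS listing ecryptfs, since both keep the names out of mlocate.db. The swap check is a heuristic (anything not under /dev/mapper/ is assumed to be plaintext swap); confirm a mapping is really dm-crypt with `sudo cryptsetup status cryptswap1` on the live system.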


Why not full-disk encryption?

  • The OS and applications run at the full speed of unencrypted storage; only the home directory pays the encryption cost.
  • Full-disk encryption does not protect you against boot sector attacks (the "evil maid" attack). The boot loader must remain unencrypted. If it is stored on the disk, anyone who gains physical access to your computer can tamper with it, just as anyone with physical access can tamper with the unencrypted OS when you use eCryptfs-based encryption. So full-disk encryption provides no additional security against this attacker. If you keep the boot loader on a thumb drive instead, you have to carry it with you at all times, or at least keep it in a different place from the machine.
  • Full-disk encryption does not protect you against a cold boot attack either: while the system is running, the keys are in RAM in both cases.

Performance

Performance suffers in eCryptfs as a result of the stacked nature of the filesystem. Imagine a system running eCryptfs over ext4: if a process wants to read a page from an encrypted file, eCryptfs must first instruct ext4 to read that page into the page cache. It then decrypts the data into another page-cache page. The extra copies of the data can consume a lot of memory and slow things down unnecessarily.

Putting encryption support directly into ext4 can eliminate much of that waste.

The ext4 encryption patches have already been merged into the Android AOSP kernel branch and into linux-next; they still have to land in the mainline kernel.

Ref: http://lwn.net/Articles/639427/