# To encrypt or not to encrypt?

## FizzyWidget

Who here encrypts their /home and storage drives? Is it really worth encrypting a home system, or is it only for the paranoid people? Are there any performance hits in doing so?

----------

## Veldrin

I did encrypt only home in the past using ecryptfs.

Nowadays I encrypt the entire system (excluding boot), using dm-crypt/LUKS.

ecryptfs sounds simple at first glance, but it gets rather troublesome if you have to recover your home data from a 2nd OS (Linux LiveCD et al.).

IMO the big advantage of having your disks encrypted is that it makes it much simpler (and less work involved) to render any data unusable. I am mainly concerned about leftover data once I decommission a hard drive/SSD. The only thing you need to destroy is the partition header, and the data is next to not recoverable. (On an unencrypted device you would need to completely overwrite it at least once, preferably with random data, which is next to impossible on an SSD.)

I did my first experiments on a Pentium M system, and there IMO the performance hit was noticeable (at least it was visible in gkrellm). Nowadays, on multicore systems (Core 2 Duo and upwards) the performance hit is less noticeable, I would even say negligible.

If you start encrypting data, make sure that your swap is also encrypted, as some data might be leaked from RAM to swap, where it is readable.

Just my $.02

V.

One side note: yes, I am aware that some SSDs encrypt data themselves, but I just do not want to only trust the hardware manufacturers.
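As an added example (not code from the thread or from any of the posters), here is a small POSIX sh audit of the swap advice above: it walks a /proc/swaps-style listing, flags any swap that is not a dm-crypt mapping, and checks that each mapping is declared in crypttab with a throwaway key from /dev/urandom and the `swap` option. It assumes the `name device keyfile options` crypttab format used by systemd/Debian-style systems (Gentoo's /etc/conf.d/dmcrypt uses a different syntax), and the sample swaps listing and crypttab are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit that every active swap device is
# a dm-crypt mapping, and that each mapping is declared in crypttab with a
# throwaway key from /dev/urandom plus the 'swap' option.
# Assumption: the "name  device  keyfile  options" crypttab format used by
# systemd/Debian-style setups, not Gentoo's /etc/conf.d/dmcrypt syntax.

# Check one crypttab entry for a swap mapping.
# Args: mapping name, path to crypttab.  Returns 0 if it looks right.
check_crypttab_swap() {
    name="$1"; crypttab="$2"
    # drop comment lines, keep the line whose first field is the mapping name
    line=$(grep -v '^[[:space:]]*#' "$crypttab" | awk -v n="$name" '$1 == n')
    if [ -z "$line" ]; then
        echo "WARN $name: no crypttab entry, mapping will not be recreated at boot"
        return 1
    fi
    set -- $line            # word-split the entry into its four fields
    key="$3"; opts="$4"
    if [ "$key" != "/dev/urandom" ]; then
        echo "WARN $name: key source is '$key'; swap should use a random one-time key"
        return 1
    fi
    case ",$opts," in
        *,swap,*) echo "OK   $name: random key, reformatted as swap on every boot"; return 0 ;;
        *)        echo "WARN $name: 'swap' option missing, mkswap will not be run on the mapping"; return 1 ;;
    esac
}

# Walk a /proc/swaps-style listing and audit every entry.
# Args: path to the swaps listing, path to crypttab.  Returns 1 on any finding.
audit_swap() {
    swaps="$1"; tab="$2"; rc=0; first=1
    while read -r dev type size used prio; do
        if [ "$first" = 1 ]; then first=0; continue; fi   # skip the header row
        [ -n "$dev" ] || continue
        case "$dev" in
            /dev/mapper/*) check_crypttab_swap "${dev#/dev/mapper/}" "$tab" || rc=1 ;;
            *) echo "WARN $dev ($type) is plain swap: RAM contents can land on disk in clear"; rc=1 ;;
        esac
    done < "$swaps"
    return $rc
}

# --- demo on constructed input (not read from a real system) ---
demo=$(mktemp -d)
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$demo/swaps"
printf '/dev/mapper/cswap\tpartition\t4194300\t0\t-2\n' >> "$demo/swaps"
printf '/dev/sda5\tpartition\t2097148\t0\t-3\n' >> "$demo/swaps"
printf 'cswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' > "$demo/crypttab"
if audit_swap "$demo/swaps" "$demo/crypttab"; then
    echo "all swap is encrypted"
else
    echo "unencrypted or misconfigured swap found"
fi
rm -rf "$demo"
```

On a live system you would call `audit_swap /proc/swaps /etc/crypttab`; the constructed demo deliberately contains one correct mapping and one plain partition so both branches are exercised.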

----------

## FizzyWidget

Would you happen to have a foolproof, easy-to-follow n00b guide you could link me to so I could do this? I have just re-installed my storage box, but if need be I can 3-pass wipe it and encrypt it, then rebuild it; I have all the conf files saved :)

Thanks

----------

## frostschutz

*Dark Foo wrote:*

> Who here encrypts their /home and storage drives?

I encrypt everything.

*Dark Foo wrote:*

> Is it really worth encrypting a home system or is it only for the paranoid people?

It's probably useless against police (if they just lock you up until you give the password), but I'm looking for simpler things, such as not wanting computer-savvy members of my family going through my stuff.

*Dark Foo wrote:*

> Are there any performance hits in doing so?

Yes, naturally, although only noticeable when there's actually hard disk access going on and if you're actually giving your CPU something to do even without encryption. On a modern machine the encryption is accelerated (AES-NI), which helps a great deal.

You either need encryption or you don't: if you don't need it, don't use it; if you need it, performance doesn't matter.

----------

## frostschutz

*Dark Foo wrote:*

> 3 pass wipe

Maybe these will help?

http://en.gentoo-wiki.com/wiki/Secure_deletion

http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick

http://en.gentoo-wiki.com/wiki/Initramfs

----------

## Veldrin

I use that guide: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

The good part is that genkernel (or more precisely the initramfs it builds) is capable of starting a LUKS-encrypted root.

Though there are some issues with newer versions of cryptsetup if you want to use gpg-encrypted keys.

V.

----------

## FizzyWidget

Seems complicated going by that guide; I may have to read it quite a few times first.

----------

## Goverp

Whole-disk encryption is good, but remember that processes running inside the system see the file system in clear.  Encryption is no defence against hacking over the network.  You still need firewalls and antivirus and normal security within the system.  Also, important data such as password wallets and financial info still need to be encrypted when the system is running, so that's double-encryption.

Don't forget to take encrypted backups, as otherwise the thief who steals your PC and backups doesn't need the PC.  And if your backups are encrypted, remember to test recovery regularly.  There's nothing so depressing as forgetting the password when your hard drive's toast.

IMHO you could consider leaving /usr, /bin, /opt and /sbin unencrypted, but you need to encrypt /home, /var and /etc.  You might set up another unencrypted file system for large public files that would otherwise be in /home - such as music, photographs and video.  /etc is a nuisance; with it encrypted, AFAIK you need an initramfs to decrypt it before you can boot.
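The two backup points above (encrypt the backups, and test recovery regularly) as an added example, not code from the thread or from any poster: a POSIX sh script that writes a passphrase-encrypted tar archive and then proves it restores by unpacking into a scratch directory and comparing per-file SHA-256 manifests with the source. It assumes `tar`, `sha256sum` and the `openssl` command line tool (1.1.1 or newer for `-pbkdf2`) are installed; the passphrase reaches openssl through an environment variable rather than the command line so it does not show up in the process list. The source directory in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: an encrypted tar backup plus a recovery
# test that restores into a scratch directory and compares SHA-256 manifests,
# so you find out that the passphrase and the archive work before the disk dies.
# Assumptions: tar, sha256sum and the openssl CLI (1.1.1+ for -pbkdf2) exist.

# Args: passphrase, source directory, output archive.
make_encrypted_backup() {
    tar -C "$2" -cf - . \
      | BACKUP_PASS="$1" openssl enc -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS -out "$3"
}

# Args: passphrase, archive, destination directory.
restore_encrypted_backup() {
    BACKUP_PASS="$1" openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS -in "$2" \
      | tar -C "$3" -xf -
}

# Sorted "hash  ./relative/path" lines for every regular file under a directory.
manifest() {
    (cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done)
}

# Recovery test. Args: passphrase, archive, original source directory.
# Returns 0 only if the archive decrypts, unpacks and matches the source byte for byte.
verify_backup() {
    scratch=$(mktemp -d)
    if ! restore_encrypted_backup "$1" "$2" "$scratch" 2>/dev/null; then
        echo "FAIL: $2 did not decrypt/unpack (wrong passphrase or damaged archive)"
        rm -rf "$scratch"; return 1
    fi
    want=$(manifest "$3"); got=$(manifest "$scratch")
    rm -rf "$scratch"
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK: $2 restores identically ($(printf '%s\n' "$want" | wc -l) files checked)"
        return 0
    fi
    echo "FAIL: restored contents differ from $3"
    return 1
}

# --- demo on a constructed directory ---
src=$(mktemp -d); work=$(mktemp -d)
printf 'tax return 2012\n' > "$src/finances.txt"
mkdir "$src/photos"; printf 'not really a jpeg\n' > "$src/photos/cat.jpg"
make_encrypted_backup 'correct horse battery staple' "$src" "$work/home.tar.enc"
verify_backup 'correct horse battery staple' "$work/home.tar.enc" "$src"   # OK
verify_backup 'wrong passphrase' "$work/home.tar.enc" "$src"               # FAIL
rm -rf "$src" "$work"
```

The compare step is what makes this a recovery test rather than a decrypt test: a backup that unpacks but is stale, or that silently lost a file, fails the manifest comparison just as a forgotten passphrase does. Run `verify_backup` on a schedule against the archive you actually keep, not only right after creating it.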

----------

## FizzyWidget

To be honest, all I want is to protect my documents and personal pictures; it will mainly be me that uses all the PCs, and I'm guessing your run-of-the-mill burglar isn't going to be savvy enough or have the equipment to unencrypt the drives, or even if he knows someone who could and they try using data recovery, it's all mainly geared towards Windows filesystems.

I have an iptables script which blocks everything, and a router that also blocks everything, so I only need to concern myself with places I visit.

Think I need to think on this a bit more :)

----------

