Encrypted file systems

"Official" abstract, from the BoF web site:

If someone steals your PC, neither the most ingenious root-password nor a clever iptables rule-set will save you: Your data are available for the thief. Unless the data were encrypted...

Luckily, by now, it is really(?) easy for Linux users to make use of encrypted file systems. In this Birds of a Feather, I'll demonstrate how the systems administrator secures the swap partition (using LUKS), and how Joe User secures parts of his home directory (with FUSE-EncFs). The demonstration is based on the Fedora Core distribution, and command line utilities will be used. I suggest that we subsequently discuss:

  • What other data encryption systems are worth considering?
  • May the per-user (FUSE-EncFS) encryption be made more elegant; is there integration with desktop environments (GNOME/KDE)?
  • What are people's long-term experiences?
  • What's the status of LUKS/FUSE/... on other distributions?
  • And how about {Free,Open}BSD?


About me: I work at
XPonCard A/S
Telecom R&D division: Systems administrator, software developer, release manager.


Slides available at http://troels.arvin.dk/sslug/bof2006/

Disclaimers and introductory notes


One (and only one?) objective: Keep data private in case of theft.

(Many people—even in the IT business—seem to believe that data are 100% protected by a good OS login password.)

(Grove also mentioned: nerd value.)

Means: Not so relevant for servers?

How — the live example

Wanted: An encrypted sub-directory of home directory on my laptop.

Will use FUSE+EncFS.

Will talk about other options later.

How — the live example — part II


What about


Swap is easy: Create a new, (LUKS-)encrypted swap area on every boot, with a randomly generated key.

Probably troublesome if used for hibernation, etc. Should probably remove "Suspend" menu and button options.

Relevant commands:
cryptsetup -d /dev/random create swap /dev/hda3 &&\
  mkswap /dev/mapper/swap


The contents of /tmp after a runlevel 1 boot:

  • .ICE-unix

The contents of /tmp after a runlevel 5 boot and an ssh access:

  • .font-unix
  • .gdm_socket
  • .ICE-unix
  • ssh-lApDSO2838
  • .X0-lock
  • .X11-unix

/tmp — part II

Giving /tmp normal (0755) directory permissions:

/tmp — part III

Idea: Use shared memory (tmpfs).
Means: Nothing stays between reboots; probably OK for a workstation.

In fstab:
  tmpfs /tmp tmpfs defaults 0 0

Beware: SELinux. /tmp needs context system_u:object_r:tmp_t


/var/tmp is used for:

My suggestion: Treat it as /tmp, or make it a link or a binding mount to—e.g.—/tmp


Quoting from abstract:

Luckily, by now, it is really easy for Linux users to make use of encrypted file systems.

Hmm. Does anyone know about GUI integration?


Benchmark at Tom's Hardware:



The End

The End.

Ugly, unfinished init-script.