Arnt Gulbrandsen
2012-06-12

Full-disk encryption: Luks and ecryptfs

A brief aside, almost a rant: Ubuntu offers a way to encrypt home directories, ecryptfs. There is also a way to encrypt everything, luks.

Luks is the better alternative.

With ecryptfs there is only one password, and it does double duty as the login password: if you can watch my hands when I open my laptop's lid and get some idea of what I'm typing, you can steal the laptop and use brute force to try a hundred thousand similar passwords. Luks uses a separate encryption passphrase that is entered only at boot time. (My lockscreen password is easy to type quickly; my encryption passphrase is long.)

Luks encrypts the entire disk, including all temporary files; only the boot partition is left in the clear. Absolutely everything a regular user can possibly store is encrypted.
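The property claimed here, that nothing except the boot partition is mounted in the clear, is easy to drift away from (a separately added data partition, a non-encrypted swap). The script below is an added example, not part of the original post: it walks the device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports every mounted filesystem that does not sit on top of a dm-crypt (`crypt`) device, exempting `/boot` and `/boot/efi`. The JSON embedded in it is a constructed sample in that output shape; `audit_live()` runs the same check against the real `lsblk` output and assumes a util-linux `lsblk` that accepts `-J`.

```python
"""Audit an `lsblk -J` device tree: every mounted filesystem except the boot
partition must have a dm-crypt ("crypt") device among its ancestors.

Added example, not code from the original post.  SAMPLE_LSBLK_JSON is a
constructed sample in the shape `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
prints; audit_live() feeds the real output through the same check.
"""
import json
import subprocess

# Mount points that legitimately stay unencrypted: the bootloader must read them.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}

# Constructed sample: LUKS on sda2 with root and swap inside it, a cleartext
# /boot on sda1, and a stray cleartext partition sda3 mounted at /var/tmp.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext2", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "sda2_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null,
           "children": [
             {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
             {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
           ]}
        ]},
       {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/var/tmp"}
     ]}
  ]
}
"""


def _mountpoints(node):
    # util-linux 2.37 and later report a "mountpoints" list; older versions a
    # single "mountpoint" string.  Accept both, drop null entries.
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def find_plaintext_mounts(tree):
    """Return [(device, mountpoint)] for every mounted filesystem that has no
    crypt device above it in the tree, ignoring ALLOWED_PLAINTEXT."""
    findings = []

    def walk(node, under_crypt):
        # Once we pass through a crypt node, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not under_crypt and mp not in ALLOWED_PLAINTEXT:
                findings.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


def audit(lsblk_json_text):
    """Parse lsblk JSON text and return the list of unencrypted mounts."""
    return find_plaintext_mounts(json.loads(lsblk_json_text))


def audit_live():
    """Run the check against this machine (assumes util-linux lsblk with -J)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(out)


if __name__ == "__main__":
    # On the constructed sample this reports only sda3 at /var/tmp.
    for dev, mp in audit(SAMPLE_LSBLK_JSON):
        print(f"unencrypted filesystem: {dev} mounted at {mp}")
```

Swap is included in the walk on purpose: `lsblk` lists it with the pseudo mount point `[SWAP]`, and swap outside the LUKS container is exactly the kind of temporary storage the paragraph above says should not exist in the clear.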

Ecryptfs has one advantage over luks: it supports having multiple users who do not entirely trust each other on the same host.