de Increasing Linux security by encrypting /home

Howto for setting up an AES-encrypted /home with Linux

The following pages describe how to setup an encrypted /home on a Linux desktop or notebook. This guide uses a more or less vanilla install of RedHat Linux 9, but the main ideas should be usable for other distributions without complicate modifications. The guide will also cover installation and hints for Fedora Core 1, 2 and 3 and also include packages for Fedora Core. For Fedora Core 4 and 5 an advanced method using LUKS is described.

Why this? Does it really increase security? Should I use it?

You have to decide on your own how this guide can help you. The idea was developed for my own purpose and several assumptions have to be make. Since I do not use a desktop pc anymore, but a notebook which I carry most of the time with me, I live in the theoretical danger of having it stolen. Beside from losing the material value this would mean that also all the data is lost. These data should be recoverable from backups of course, but if you have sensitive data the real problem here is, that these data might be in wrong hands now. Personally I work with lots of non public datas, documents and other sensible personal informations which should be kept non public. Furthermore there are keys and password to lots of servers, mailboxes, etc. Of course your PGP/GnuPG private key should be kept secret too.

To work around these problems encrypting the data might be the correct idea. Since most of the valuable data and documents that should be kept secret are stored in the users home directory, encrypting /home could be enough. Depending on other factors, maybe databases or programs aside the home directory, you might be choose to encrypt other directories as well, or find other methods to secure such data. In case of encrypting this should be analog to the home directory, but might get complicated when encrypting the root filesystem (this is possible and is described well).

Encryption alone does not achieve security automatically. You have to take care that your data is encrypted in that moment an unauthorized person tries to access that. Standby mode on a notebook is an issue here. Since you want to continue work quickly when resuming your notebook, unmounting encrypted partitions is not really helpful, all programs using that partitions would have to be shut down before and restarted afterwards. I will use a locking mechanism here which prevents access on resume without knowing a certain password.

Go to the first step: the encryption itself.

MHENSLER.de/cryptohome/index_en.php#20060320-000636$1.7  [36533] © Matthias Hensler 2002-12, All Rights Reserved