Old 07-01-2014, 02:49 PM   #1
linustalman
Questions on home folder and full drive encryption.


Hi.

I have a few questions on home folder (eCryptfs) and full drive encryption (LUKS).

1. Can I use separate home, root and swap partitions even if I use LUKS encryption?

2. Can LUKS be used without LVM? I tried selecting just LUKS but LVM insisted on being checked also at installation (Ubuntu distro).

3. LUKS is said to be difficult to use but I set it up in VirtualBox and had to just select LUKS + LVM and enter a passphrase - sounds simple enough.

4. If I disable recovery mode in Ubuntu, is .ecryptfs safe from cracking? This is concerning: http://ubuntuforums.org/showthread.p...5#post12445165

Last edited by linustalman; 07-01-2014 at 02:52 PM.
 
Old 07-01-2014, 04:45 PM   #2
gengisdave
Quote:
Originally Posted by LinusStallman
Hi.

I have a few questions on home folder (eCryptfs) and full drive encryption (LUKS).

1. Can I use separate home, root and swap partitions even if I use LUKS encryption?

Yes, you can, but you have to input a different key for every partition.

Quote:
2. Can LUKS be used without LVM? I tried selecting just LUKS but LVM insisted on being checked also at installation (Ubuntu distro).

As in point 1, LUKS can be used separately from LVM; unless Ubuntu forces you to use them together, you can choose.

Quote:
3. LUKS is said to be difficult to use but I set it up in VirtualBox and had to just select LUKS + LVM and enter a passphrase - sounds simple enough.

Yes, it is simple; save or write down for the future the sequence of commands used to create the system, as you won't use it very often.

Quote:
4. If I disable recovery mode in Ubuntu, is .ecryptfs safe from cracking? This is concerning: http://ubuntuforums.org/showthread.p...5#post12445165

I do not know how eCryptfs works, but even without recovery mode, I can boot your PC from a live distro and steal your key. I repeat, I don't know eCryptfs at all, but a crypto program that stores a clear key must not be used.

BTW, the main unlock system in LUKS is the passphrase, but you can use a keyfile, e.g. stored on a pendrive that you always carry with you (OK, it's too much spy-movie).
 
Old 07-02-2014, 01:59 PM   #3
linustalman
Hi gengisdave.

Thanks for your help.

5. If I used LUKS - would auto-login be fine? Since if LUKS is there, then anyone who breaks that should be able to break through any login password?

6. So if someone was to use LUKS, they'd realistically stay with a boot partition and a root partition with no separate home or swap partition?

Last edited by linustalman; 07-02-2014 at 02:01 PM.
 
Old 07-02-2014, 02:42 PM   #4
gengisdave
LUKS is totally "invisible" to the system; once I want to mount an encrypted partition/volume, it asks for a passphrase, then it works normally.

To protect your data, you must encrypt your /home directory/partition (or wherever your data are placed). That doesn't prevent someone from stealing/changing your login password, as it's held in /etc/passwd - /etc/shadow. Then you must encrypt the / partition. That means two (at least) LUKS partitions with two different passphrases. With the swap area we have three different passphrases (it could be the same but you must enter it thrice).

LVM comes to help: you create a volume, encrypt it with LUKS and create several partitions inside it. Many partitions, one key.

This link is a guide written by Alien Bob to set up the encryption in Slackware; the logic under the hood is the same for every Linux.

ftp://ftp.slackware.com/pub/slackwar...ADME_CRYPT.TXT

I use it on my laptop; about 5 seconds after kernel boot, it asks for the passphrase, then it continues booting. No passphrase, no kernel boot nor partition access. Even if someone takes my HDD, there are 100MB of /boot (just kernels) on top of unreadable data.

Last edited by gengisdave; 07-02-2014 at 02:45 PM.
 
Old 07-02-2014, 02:50 PM   #5
linustalman

Quote:
Originally Posted by gengisdave
LUKS is totally "invisible" to the system; once I want to mount an encrypted partition/volume, it asks for a passphrase, then it works normally.

To protect your data, you must encrypt your /home directory/partition (or wherever your data are placed). That doesn't prevent someone from stealing/changing your login password, as it's held in /etc/passwd - /etc/shadow. Then you must encrypt the / partition. That means two (at least) LUKS partitions with two different passphrases. With the swap area we have three different passphrases (it could be the same but you must enter it thrice).

LVM comes to help: you create a volume, encrypt it with LUKS and create several partitions inside it. Many partitions, one key.

This link is a guide written by Alien Bob to set up the encryption in Slackware; the logic under the hood is the same for every Linux.

ftp://ftp.slackware.com/pub/slackwar...ADME_CRYPT.TXT

I use it on my laptop; about 5 seconds after kernel boot, it asks for the passphrase, then it continues booting. No passphrase, no kernel boot nor partition access. Even if someone takes my HDD, there are 100MB of /boot (just kernels) on top of unreadable data.

So I could choose LUKS + LVM on a fresh HDD and then later (after installation) choose these partitions (root, home, swap) and still just use a single passphrase?

Is LUKS safe from crackers even if they use recovery mode or a live CD/USB? It sounds like .ecryptfs is not much better than no encryption.

Would the security in these scenarios be about the same?
(a) LUKS setup with a login password.
(b) LUKS setup with auto login password. (this would be very handy and secure at the same time)

Last edited by linustalman; 07-02-2014 at 02:52 PM.
 
Old 07-02-2014, 03:24 PM   #6
gengisdave
Yes, every Linux (almost every) can help you in the configuration of LUKS/LVM; otherwise you have to set it up manually (before partitioning). LUKS provides block-level encryption, like TrueCrypt does; there is no way to decode data without the passphrase.

Once the passphrase is provided, the partitions are "unlocked" and the system works normally. In both of your scenarios, the login is made after you have unlocked the drive (automatically or not), so the security is the same.
 
Old 07-03-2014, 08:23 AM   #7
linustalman
Sorry gengisdave, I asked a few questions that you had answered in a previous post. You have been very informative. Thanks.
 
Old 07-08-2014, 02:36 PM   #8
linustalman
So I've got LUKS installed in a test VirtualBox VM. How would I make separate partitions whilst keeping the single passphrase to boot up?
 
Old 07-08-2014, 05:32 PM   #9
gengisdave
I suggest this guide again:

ftp://ftp.slackware.com/pub/slackwar...ADME_CRYPT.TXT

Jump to "Combining LUKS and LVM" but read the whole document for completeness.

Fast mode: create a little partition for /boot; create the big partition; encrypt it with LUKS; mount and create an LVM inside it; create LVM partitions (at least / and swap); install Linux as usual.

I don't know if Mint has an easier way to do this (I've seen it offers to encrypt the home folder but I've never tried it) so I fear you have to do this in a terminal.

ADD: depending on the kernel installed, you have to build an initrd, or you'll get a kernel panic.

Last edited by gengisdave; 07-08-2014 at 05:34 PM.
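
The "fast mode" steps from the post above, written out as commands. This is an added example, not part of the thread or of the Slackware guide. The device name, the sizes, the 512 MiB /boot and the names cryptpv/cryptvg are assumptions; the plan is only printed unless RUN=1 is set.

```shell
#!/usr/bin/env bash
# Added example: one LUKS container holding an LVM volume group, so / and swap
# unlock with a single passphrase. Dry-run by default; RUN=1 (as root, on a
# disk you intend to wipe) executes the commands.
# Assumed names, not from the thread: cryptpv, cryptvg, LVs "root" and "swap".
# The initrd step mentioned in the post is distro-specific and not shown.
# Usage: luks_lvm_apply /dev/sdX 20G 2G

luks_lvm_plan() {
    local disk="$1" root_size="$2" swap_size="$3"
    local sep=""
    # Disks whose name ends in a digit (nvme0n1, mmcblk0) use "p1", "p2".
    case "$disk" in *[0-9]) sep="p" ;; esac
    local boot="${disk}${sep}1" luks="${disk}${sep}2"

    cat <<EOF
parted -s $disk mklabel msdos
parted -s $disk mkpart primary ext4 1MiB 513MiB
parted -s $disk set 1 boot on
parted -s $disk mkpart primary 513MiB 100%
mkfs.ext4 $boot
cryptsetup luksFormat $luks
cryptsetup open $luks cryptpv
pvcreate /dev/mapper/cryptpv
vgcreate cryptvg /dev/mapper/cryptpv
lvcreate -L $swap_size -n swap cryptvg
lvcreate -L $root_size -n root cryptvg
mkswap /dev/cryptvg/swap
mkfs.ext4 /dev/cryptvg/root
EOF
}

luks_lvm_apply() {
    # Print every planned command; run it only when RUN=1. stdin is taken from
    # the terminal so cryptsetup prompts for the passphrase instead of reading
    # the rest of the plan from the pipe.
    local line
    luks_lvm_plan "$@" | while IFS= read -r line; do
        echo "+ $line"
        if [ "${RUN:-0}" = "1" ]; then $line </dev/tty || exit 1; fi
    done
}
```

/boot stays outside the container because the boot loader must read the kernel and initrd before anything can ask for the passphrase.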
 
Old 07-09-2014, 08:45 AM   #10
linustalman
Quote:
Originally Posted by gengisdave
That looks way too tricky. I will stay with the default LUKS/LVM setup. Thanks gengisdave.
 
  

