In terms of security knowledge this is a newbie question that I've not managed to search out the answer to anywhere. I'd like to understand the statement here:
http://docs.fedoraproject.org/en-US/...omplished.html that "you now have an encrypted partition for all of your data to safely rest while the computer is off"

After choosing the installation options to encrypt partitions on both Fedora and Ubuntu I've noticed that you always end up with something like half the space designated for the drives actually being usable. Presumably this is because you get half used for the encrypted content and half for the decrypted content when running live:
http://docs.fedoraproject.org/en-US/...ncryption.html
"Full disk encryption solutions like LUKS only protect the data when your computer is off. Once the computer is on and LUKS has decrypted the disk, the files on that disk are available to anyone who would normally have access to them."

My question is, if the system holds decrypted content on the disk while running, does that not mean it leaves significant traces on the disk in a decrypted form when you power off the machine? Does LUKS have some way of securely deleting the decrypted copy beyond merely un-mounting it or whatever when you shut down?

Thanks
Jacek

Full disk encryption doesn't reduce the available space, and information is only decrypted in RAM. If your space isn't being allocated properly, you have another issue.

1 members found this post helpful.

What they're saying is that when the encrypted partition is mounted, access to the data is controlled by whatever means you would normally use (and not by the encryption itself). For example, you can have an encrypted /var/database for your HTTP/SQL server, but if you get exploited online (think Internet) then the encryption isn't standing in the way of the bad guys, your other security measures (ACLs, MAC, etc.) are. The HTTP server normally has access to the database, and now that the bad guys have taken over the HTTP server (think arbitrary code execution), they can do whatever the HTTP server can do.

The link you shared goes on to explain that if you need certain data to be protected by encryption during an online attack (or a local one, what's important here is that the computer is up and running and the encrypted partition is mounted), you'll need to use file-based encryption. This way, the key isn't loaded and the data isn't being encrypted/decrypted on the fly, protecting it even if your other security measures fail. For example, if I leave an AES 256-encrypted gzipped-tarball on the server, say in /usr/local/backup.tar.gz.aes, it doesn't matter how bad the server gets compromised, as the bad guys would still need to get their hands on the key in order to access the data in the clear.

As for the security which partition/disk encryption actually provides: A proper shutdown stops usage of the partition/disk encryption key (and ideally, overwrites it in RAM, so that it can't be retrieved later via cold boot attack, but that's another story), protecting the data even if the computer or its storage device is physically stolen.

1 members found this post helpful.

Yes that's quite clear, on the understanding that decryption only happens in local RAM. You have described the behaviour I expected to see but have not had.

When I saw that increasing the used space on my hard disk eroded the remaining HDD space at something like double the rate used, I figured the entire contents were being decrypted to the hard drive - which would explain the doubling up. So I have a 150GB HDD, with 15GB used and only 120GB remaining for example. When the amount stored reaches 75GB I have no more space. If I've made an attributional error suspecting the decryption, then something else rather strange must be going on! And on two different systems! On Fedora the gui disk utility shows encrypted partitions twice, one with a mount point like /dev/sda6 and the duplicate at /dv/dm-2. Perhaps it is a quirk of the interplay of the various hard disk measuring features and the way on-the-fly decryption tries to create the impression of a decrypted partition. My installs use custom partitions rather than LVM or any defaults. On Ubuntu I don't get the doubling up in the disk utility but reports of available space show the same double rate of depletion.