I've been using for almost a year my current setup on several computers. Now I've begun to wonder, how safe would it be against theft, in fact.

Scenario: Someone steals my Linux-laptop (power off) which has its hard drive protected with the following encryption setup. This person is not interested enough to spend months on trying to break the encryption, but is still interested in a quick spy of what the disk contains. Can I assume that my files should be relatively safe from such casual and trivial spying attempts?

Setup concerning the encryption:

The GPG keyfile is located on a memory card, which is separated from the laptop, never in the laptop case. Desktop PC's on the other hand, are getting the keyfile from an encrypted NAS-device in the network. The keyfile is never stored on the computers' hard drives. pam_mount mounts the encrypted /home-partition at login. /tmp is located on a tmpfs, thus wiped at every boot. I use a different keyfile for every partition, even when located on the same computer.

Now, obviously this setup cannot offer as wide protection as encrypting the whole hard drive could. But it also doesn't take as much time to implement. System logging is disabled, so /var should not reveal anything special.

What do you think about my setup? What should I improve or change? Should I change from Loop-AES to DM-Crypt, Enc-FS or something else? I don't need military grade protection, just don't want my work documents to leak outside the company.

Extra question: What about the safety of the Mac OS X Tiger FileVault on my MacBook? I find it hard to locate reliable comparisons between different encryption methods, although I've been googling and reading lots and lots of articles.

I think your setup is quite safe, but there are some ways a clever thief could get at some private infornation:

- EDIT: This was incorrect
- Since your /var/log directory is not encrypted, a thief can access all logging files, which might contain names of files, maybe even file contents of "secret" files stored in your /home folder.
- Do you use a good pgp password to encrypt your keyfiles in case they get into the wrong hands?
- Using /dev/urandom is a potential security hole, since it works as a (maybe insecure) pseudo-random number generator when there is not enough entropy in the pool. Use /dev/random instead.
- The keyfile generation looks odd. Normally you should use the procedure outlined in the loop-aes readme, generating 65 keys.


Regards,
Lotharster

- I was under the belief tmpfs creates a ramdisk and that the files are located in the computer's RAM instead of the disk? Thus making it impossible to recover the files after a boot, since they were never on the disk in the first place. Have I been completely wrong?
- Agreed about the /var-partition. I am considering encrypting it as well.
- My passwords contain 10 - 20 big & small letters and numbers.
- Typo in the first post, I did use /dev/random to generate the key. Fixed.
- Will look into the Loop-AES readme. I think I copied that command from some article on the web.

Thank you for your observations.

You are right - I confused this with a normal /tmp partition. A tmpfs resides in RAM and swap, and since the former vanishes on power down and the later is encrypted anyway, this should be safe.

Alright, then I have accomplished what I wanted to.

I have just been recently wondering, whether Enc-FS or DM-Crypt might be more preferable to Loop-AES. I know that Loop-AES is the fastest out of these three (saw benchmarks), but could the other 2 provide perhaps more security?

What would be the best way for me to try to "spy" my own files from an encrypted, unmounted partition and this way verify that they are indeed secured?