11-04-2019, 11:29 AM
(This post was last modified: 11-04-2019, 11:41 AM by Der Geist der Maschine.)
(11-04-2019, 11:02 AM)jpakkane Wrote: If encrypting just the home directory is enough (and for most people it is), then ecryptfs is an option.
I have to admit I have never heard of eCryptfs.
Benchmarks: https://www.phoronix.com/scan.php?page=a...-418&num=1: eCryptfs is slower and has a higher CPU overhead.
Functionality:
eCryptfs can't encrypt swap.
eCryptfs does not require a dedicated partition. That's not a problem on my desktop where I have lots of hard disk space, but a big plus on my Pinebook Pro where I can't afford to "lose" disk space by having free disk space on the wrong partition.
By the way, what does one gain by full-disk encryption? The term is misleading as one does not encrypt the /boot partition including the kernel and initrd.
If one wants to prevent someone from tampering with the root filesystem, then that's also possible by replacing the initrd with one that includes a backdoor. The backdoor can modify the root filesystem right after it's unencrypted and before the boot continues.
(11-04-2019, 11:02 AM)jpakkane Wrote: It won't work on the Debian image, though, because the required kernel module is not available.
There is no voodoo magic in building the right kernel module.