[gentoo-user] Encryption questions

[gentoo-user] Encryption questions

[Dale]

Howdy,

As some may know, I'm making some changes and upgrades to my puter.  One
thing I'm considering, encryption of a select directory/mount point/file
system.  One thought I have, create a mount point named say "Encrypted"
and put anything I don't want widely seen or hacked in that directory. 
That would likely be on it's own partition or LVM setup.  I would likely
keep other things open.  Example, I may have /home on a partition of
it's own but then have the encrypted directory mounted on
/home/dale/Desktop/Encrypted.  I could even let that be my Documents
directory as well.  I'm not to worried about browser history etc.  Plus,
I could log into KDE and not have to access the encrypted stuff if it is
not needed.  I don't need encryption to check the weather.  lol 

How I do that isn't a big deal really.  My main question is this.  If I
go to the trouble of doing this, would I be *really* protected?  Is
there a easily used encryption tool that isn't easily hacked?  Also,
when I login, I'd like to be able to type in password etc and it be
available from that point on, unless I do something to lock it up
again.  Reason, I may even put some of my videos on that.  I watch TV
from that a lot.

Also, how hard would it be to do the same to my backups, since having a
open set of backups would render the encrypted part just available
elsewhere? 

While I get some of how encryption works, I don't keep up with it on a
weekly or even monthly basis.  I just see the occasional articles on
it.  I'd rather ask and get input from someone who uses and/or is more
familiar with this.  In other words, if it is worthless and someone
knows it is, then let me know.  If one tool is better/easier/etc than
another, I'd like to know that as well. 

Thanks.

Dale

:-)  :-) 

Re: [gentoo-user] Encryption questions

[Grant Taylor]

On 12/9/18 4:46 PM, Dale wrote:
> Howdy,

Hi,

> As some may know, I'm making some changes and upgrades to my puter. 
> One thing I'm considering, encryption of a select directory/mount 
> point/file system.

Please elaborate on a hypothetical setup that you would like.

It might be worth starting with your current directory tree and calling 
out things you would like to see encrypted.

> One thought I have, create a mount point named say "Encrypted" and put 
> anything I don't want widely seen or hacked in that directory.

I understand why you are doing it.  But I feel like having "Encrypted" 
in the name is like painting a target on it.

> That would likely be on it's own partition or LVM setup.

Depending on how you do things, it might be possible to have your 
encryption in the same LVM configuration.  Or possibly a separate LVM 
configuration that has multiple logical volumes in it used by different 
mount points.

> I would likely keep other things open.

What is your reason for keeping other things open?

Or, asked another way, why not use full disk encryption? Or at least 
encrypt the entire volume group?  That way you don't need to worry about 
what is and is not encrypted.

> Example, I may have /home on a partition of it's own but then have the 
> encrypted directory mounted on /home/dale/Desktop/Encrypted.  I could 
> even let that be my Documents directory as well.  I'm not to worried 
> about browser history etc.  Plus, I could log into KDE and not have to 
> access the encrypted stuff if it is not needed.  I don't need encryption 
> to check the weather.  lol

Since we're talking about LVM, please clarify if /home is it's own 
partition outside of LVM or if /home is it's own Logical Volume inside 
of LVM.  It makes a difference.

I strongly believe that you should not feel like you have to change your 
use case to use technology, encryption in this case.  Rather the 
computer should change what it does so that what you have been doing and 
will continue to do is now encrypted.

> How I do that isn't a big deal really.  My main question is this.  If I 
> go to the trouble of doing this, would I be *really* protected?

It depends.

> Is there a easily used encryption tool that isn't easily hacked?

I believe so.

> Also, when I login, I'd like to be able to type in password etc and it be 
> available from that point on, unless I do something to lock it up again.

Are you implying that you want the encryption system to remember the 
password and unlock files as necessary?  Or are you wanting to enter the 
password into something that uses it then and there to unlock things 
until you lock them back up?

That's an important distinction.

I have done a fair bit with LUKS, also LUKS and LVM.

LUKS works by unlocking the encrypted block device and creating another 
virtual block device that is the unencrypted interface.  It's trivial to 
put a file system on top of a LUKS device.

So, my use case was to unlock a LUKS device and mount the file system 
that sits on top of it.  Then anything on the system (with proper file 
system permissions) could access the files therein.  Then when I was 
done, I would unmount the file system and lock (close) the encrypted device.

I have also dabbled with eCryptFS, which applies encryption as an 
overlay.  So when you access encrypted files through the overlay, they 
would be read from the unencrypted on the fly.  Writing to the files to 
the unencrypted overlay would encrypt the files and write them to the 
underlay.

Depending on the configuration, it's not possible to see the names of 
the files (or directories), much less actually read them from the 
encrypted underlay.

> Reason, I may even put some of my videos on that.  I watch TV from that 
> a lot.

Okay.

> Also, how hard would it be to do the same to my backups, since having 
> a open set of backups would render the encrypted part just available 
> elsewhere?

Backups are another thing entirely.  Things like LUKS will usually not 
translate to encryption with backups, because the backups see the 
mounted file system.  Things like eCryptFS can work with encrypted 
backups, because they can work with the underlay file system that holds 
the encrypted files while ignoring the unencrypted overlay.

There are also other possibilities of encrypting backups that are 
completely independent of the files that are being backed up.  Sort of 
like a big encrypted tape drive or backing up files to a LUKS file 
system that is subsequently unmounted & locked.

> While I get some of how encryption works, I don't keep up with it on a 
> weekly or even monthly basis.  I just see the occasional articles on it. 
> I'd rather ask and get input from someone who uses and/or is more familiar 
> with this.  In other words, if it is worthless and someone knows it is, 
> then let me know.  If one tool is better/easier/etc than another, I'd 
> like to know that as well.

I don't think encryption is worthless.  I encrypt many of my emails and 
sign most others.  I also have a LUKS encrypted file system on my VPS.

It really depends on what your goal is and what you're trying to protect 
from / against.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Encryption questions

[Dale]

Grant Taylor wrote:
> On 12/9/18 4:46 PM, Dale wrote:
>> Howdy,
>
> Hi,
>
>> As some may know, I'm making some changes and upgrades to my puter.
>> One thing I'm considering, encryption of a select directory/mount
>> point/file system.
>
> Please elaborate on a hypothetical setup that you would like.
>
> It might be worth starting with your current directory tree and
> calling out things you would like to see encrypted.

Well, I don't really think I need to encrypt the entire /home mount
point.  To me, that would be overkill.  Of course, that may be easier. 
I would like to have certain directories that I can store things in that
is encrypted.  For example, I have some financial and medical stuff that
I wouldn't want just anyone to get a hold of if for example my puter was
stolen or hacked. 


>
>> One thought I have, create a mount point named say "Encrypted" and
>> put anything I don't want widely seen or hacked in that directory.
>
> I understand why you are doing it.  But I feel like having "Encrypted"
> in the name is like painting a target on it.

True.  I used that as a example mostly. 

>
>> That would likely be on it's own partition or LVM setup.
>
> Depending on how you do things, it might be possible to have your
> encryption in the same LVM configuration.  Or possibly a separate LVM
> configuration that has multiple logical volumes in it used by
> different mount points.
>
>> I would likely keep other things open.
>
> What is your reason for keeping other things open?
>
> Or, asked another way, why not use full disk encryption? Or at least
> encrypt the entire volume group?  That way you don't need to worry
> about what is and is not encrypted.


Well, I thought it may be simpler.  Since I've never tried encryption
before, I don't know first hand how it works or what it takes to use the
files.  I've read where people password protect their mobo, bootloader
and their entire storage system.  Basically, without the proper
passwords, you can't boot the system or access it from another system
either.  That is overkill for me for sure.  If anything, I'm on the
other end of the scale.  I just want a directory, which could be a mount
point, that is encrypted.  Knowing what tool is best may help be figure
out whether it is a mount point, a regular directory or what.  I've read
where some whole file systems can be encrypted or it can be done on a
directory level.  I'm not sure what works the best tho. 


>
>> Example, I may have /home on a partition of it's own but then have
>> the encrypted directory mounted on /home/dale/Desktop/Encrypted.  I
>> could even let that be my Documents directory as well.  I'm not to
>> worried about browser history etc.  Plus, I could log into KDE and
>> not have to access the encrypted stuff if it is not needed.  I don't
>> need encryption to check the weather.  lol
>
> Since we're talking about LVM, please clarify if /home is it's own
> partition outside of LVM or if /home is it's own Logical Volume inside
> of LVM.  It makes a difference.


I have /boot and / on their own partition.  Everything else is on LVM. 
I did that because it is easier to boot.  While I have a init thingy,
it's just enough to mount /usr.  That's it.  I don't like having a init
thingy at all tho.  I've had trouble with them in the past that left me
with a unbootable system and no way to fix it since I don't really get
them.  It's one of those things that hasn't hit me yet, even after years
of it.

>
> I strongly believe that you should not feel like you have to change
> your use case to use technology, encryption in this case.  Rather the
> computer should change what it does so that what you have been doing
> and will continue to do is now encrypted.

True but I don't want it to get in my way to much.  I'd like to be able
to login into KDE without worrying if the password works or not.  Once
inside KDE and I need to access something encrypted, then I can deal
with the password. 


>
>> How I do that isn't a big deal really.  My main question is this.  If
>> I go to the trouble of doing this, would I be *really* protected?
>
> It depends.
>
>> Is there a easily used encryption tool that isn't easily hacked?
>
> I believe so.
>
>> Also, when I login, I'd like to be able to type in password etc and
>> it be available from that point on, unless I do something to lock it
>> up again.
>
> Are you implying that you want the encryption system to remember the
> password and unlock files as necessary?  Or are you wanting to enter
> the password into something that uses it then and there to unlock
> things until you lock them back up?
>
> That's an important distinction.

Let's say I encrypt the directory or mount point that contains both
video and some financial/medical info in it.  When I click to access it,
it asks for a password.  Once it does that, I'd like to be able to use
that until I either logout of KDE or I tell it to lock it back up.  That
way I can watch TV for hours without interruption to type in a
password.  However, if I need to run to town, I can logout of the
encrypted part and leave knowing it's secure.  Make sense??


>
> I have done a fair bit with LUKS, also LUKS and LVM.
>
> LUKS works by unlocking the encrypted block device and creating
> another virtual block device that is the unencrypted interface.  It's
> trivial to put a file system on top of a LUKS device.
>
> So, my use case was to unlock a LUKS device and mount the file system
> that sits on top of it.  Then anything on the system (with proper file
> system permissions) could access the files therein.  Then when I was
> done, I would unmount the file system and lock (close) the encrypted
> device.
>
> I have also dabbled with eCryptFS, which applies encryption as an
> overlay.  So when you access encrypted files through the overlay, they
> would be read from the unencrypted on the fly.  Writing to the files
> to the unencrypted overlay would encrypt the files and write them to
> the underlay.
>
> Depending on the configuration, it's not possible to see the names of
> the files (or directories), much less actually read them from the
> encrypted underlay.


Interesting.  I've read that twice.  May read that a couple more times. 
Letting that soak in a bit.  That sounds like something I could use
tho.  It seems it would do just what I want.  Question.  Let's say I
encrypt /home entirely as a partition of LVM group.  When I login to KDE
for example, how does that work?  I already have to type in a password
to login into KDE.  Would that work for both or would it ask for a
second password?  Or would it ask even earlier than that? 

I may get on youtube and see if I can find some videos on this so I can
see it actually working.  Maybe find a couple different setups.  I'm
sure someone has done at least one.  lol 


>
>> Reason, I may even put some of my videos on that.  I watch TV from
>> that a lot.
>
> Okay.
>
>> Also, how hard would it be to do the same to my backups, since having
>> a open set of backups would render the encrypted part just available
>> elsewhere?
>
> Backups are another thing entirely.  Things like LUKS will usually not
> translate to encryption with backups, because the backups see the
> mounted file system.  Things like eCryptFS can work with encrypted
> backups, because they can work with the underlay file system that
> holds the encrypted files while ignoring the unencrypted overlay.
>
> There are also other possibilities of encrypting backups that are
> completely independent of the files that are being backed up.  Sort of
> like a big encrypted tape drive or backing up files to a LUKS file
> system that is subsequently unmounted & locked.
>

Keep in mind, my backups are a simple rsync to a external USB drive.  I
don't use fancy software.  Usually I backup my videos and such once a
day depending on what I've done that day.  I may switch to a external
SATA drive at some point which may make it even easier.  Right now I use
a script, if it even deserves to be called that, to do the backups. 


>> While I get some of how encryption works, I don't keep up with it on
>> a weekly or even monthly basis.  I just see the occasional articles
>> on it. I'd rather ask and get input from someone who uses and/or is
>> more familiar with this.  In other words, if it is worthless and
>> someone knows it is, then let me know.  If one tool is
>> better/easier/etc than another, I'd like to know that as well.
>
> I don't think encryption is worthless.  I encrypt many of my emails
> and sign most others.  I also have a LUKS encrypted file system on my
> VPS.
>
> It really depends on what your goal is and what you're trying to
> protect from / against

Mostly a common crook who just may have some puter skills.  Wouldn't
mind grinning at the likes of a NSA twerp with far to much nose.  :-D 

Dale

:-)  :-)

Re: [gentoo-user] Encryption questions

[Grant Taylor]

On 12/9/18 10:15 PM, Dale wrote:
> Well, I don't really think I need to encrypt the entire /home mount 
> point.  To me, that would be overkill.  Of course, that may be easier. 
> I would like to have certain directories that I can store things in that 
> is encrypted.  For example, I have some financial and medical stuff that 
> I wouldn't want just anyone to get a hold of if for example my puter 
> was stolen or hacked.

Fair enough.

> Well, I thought it may be simpler.  Since I've never tried encryption 
> before, I don't know first hand how it works or what it takes to 
> use the files.  I've read where people password protect their mobo, 
> bootloader and their entire storage system.  Basically, without the 
> proper passwords, you can't boot the system or access it from another 
> system either.  That is overkill for me for sure.  If anything, I'm on 
> the other end of the scale.  I just want a directory, which could be a 
> mount point, that is encrypted.  Knowing what tool is best may help be 
> figure out whether it is a mount point, a regular directory or what. 
> I've read where some whole file systems can be encrypted or it can be 
> done on a directory level.  I'm not sure what works the best tho.

I'm starting to think that something like eCryptFS would be a good 
candidate for you.

> I have /boot and / on their own partition.  Everything else is on LVM. 
> I did that because it is easier to boot.  While I have a init thingy, it's 
> just enough to mount /usr.  That's it.  I don't like having a init thingy 
> at all tho.  I've had trouble with them in the past that left me with 
> a unbootable system and no way to fix it since I don't really get them. 
> It's one of those things that hasn't hit me yet, even after years of it.

ACK

> True but I don't want it to get in my way to much.  I'd like to be 
> able to login into KDE without worrying if the password works or not. 
> Once inside KDE and I need to access something encrypted, then I can 
> deal with the password.

ACK

> Let's say I encrypt the directory or mount point that contains both video 
> and some financial/medical info in it.  When I click to access it, it 
> asks for a password.  Once it does that, I'd like to be able to use that 
> until I either logout of KDE or I tell it to lock it back up.  That way 
> I can watch TV for hours without interruption to type in a password. 
> However, if I need to run to town, I can logout of the encrypted part 
> and leave knowing it's secure.  Make sense??

Yes.

> Interesting.  I've read that twice.  May read that a couple more times. 
> Letting that soak in a bit.  That sounds like something I could use tho. 
> It seems it would do just what I want.

:-)

> Question.  Let's say I encrypt /home entirely as a partition of LVM group. 
> When I login to KDE for example, how does that work?  I already have to 
> type in a password to login into KDE.  Would that work for both or would 
> it ask for a second password?  Or would it ask even earlier than that?

I don't know what KDE has built in support for.

I think that modern desktop environments do have some integral support 
for some encryption.  I've just never used it and don't know about it.

> I may get on youtube and see if I can find some videos on this so I 
> can see it actually working.  Maybe find a couple different setups. 
> I'm sure someone has done at least one.  lol

That's probably not a bad idea.

Just be careful and review multiple sources as well as getting a 
reasonable understanding of what they are doing.

> Keep in mind, my backups are a simple rsync to a external USB drive. 
> I don't use fancy software.  Usually I backup my videos and such once a 
> day depending on what I've done that day.  I may switch to a external 
> SATA drive at some point which may make it even easier.  Right now I 
> use a script, if it even deserves to be called that, to do the backups.

That sounds like it would be best used in conjunction with eCryptFS. 
You would rsync the underlay directory like normal (it will show files 
and directories with encrypted names).  You would just want to exclude 
the overlay directory from the backup as that's the  unencrypted view.

> Mostly a common crook who just may have some puter skills.  Wouldn't mind 
> grinning at the likes of a NSA twerp with far to much nose.  :-D

Fair enough.  It sounds like you want reasonable protection for your 
files.  But you won't loose any sleep if you make the three letter 
agencies actually have to work a bit to get to your files, even if it 
just delays what may be possible.  (I don't know.  But it would at least 
slow them down.)

Re: [gentoo-user] Encryption questions

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]

On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote:

> Well, I thought it may be simpler.  Since I've never tried encryption
> before, I don't know first hand how it works or what it takes to use the
> files.  I've read where people password protect their mobo, bootloader
> and their entire storage system.  Basically, without the proper
> passwords, you can't boot the system or access it from another system
> either.  That is overkill for me for sure.  If anything, I'm on the
> other end of the scale.  I just want a directory, which could be a mount
> point, that is encrypted.  Knowing what tool is best may help be figure
> out whether it is a mount point, a regular directory or what.  I've read
> where some whole file systems can be encrypted or it can be done on a
> directory level.  I'm not sure what works the best tho. 

It sounds like ecryptfs would suit your needs best. As it works on
directories, you don't need separate mount points for each encrypted
directory. ISTR there is a PAM module to unlock your ecryptfs directories
when you log into your desktop (it needs a password login not
auto-login).

As already mentioned you can backup the encrypted files so your backups
are automatically secure. One point about ecryptfs is increases the size
of each file by a fixed amount. This doesn't matter with larger files but
if you have a directory full of smaller files, like a mail client cache,
there may be a noticeable increase in disk usage.

Encrypting the whole filesystem may be more convenient as it means you
don't have to worry about what is encrypted and what is not, but you
would need to back up to an encrypted drive.

Neither method will protect you from remote access while you are logged
in as the encrypted files will be unlocked.


-- 
Neil Bothwick

If a man is standing in the middle of the forest speaking and there is
no woman around to hear him - Is he still wrong?

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encryption questions

[Mick]

[-- Attachment #1: Type: text/plain, Size: 2855 bytes --]

On Monday, 10 December 2018 09:25:58 GMT Neil Bothwick wrote:
> On Sun, 9 Dec 2018 23:15:21 -0600, Dale wrote:
> > Well, I thought it may be simpler.  Since I've never tried encryption
> > before, I don't know first hand how it works or what it takes to use the
> > files.  I've read where people password protect their mobo, bootloader
> > and their entire storage system.  Basically, without the proper
> > passwords, you can't boot the system or access it from another system
> > either.  That is overkill for me for sure.  If anything, I'm on the
> > other end of the scale.  I just want a directory, which could be a mount
> > point, that is encrypted.  Knowing what tool is best may help be figure
> > out whether it is a mount point, a regular directory or what.  I've read
> > where some whole file systems can be encrypted or it can be done on a
> > directory level.  I'm not sure what works the best tho. 
> 
> It sounds like ecryptfs would suit your needs best. As it works on
> directories, you don't need separate mount points for each encrypted
> directory. ISTR there is a PAM module to unlock your ecryptfs directories
> when you log into your desktop (it needs a password login not
> auto-login).
> 
> As already mentioned you can backup the encrypted files so your backups
> are automatically secure. One point about ecryptfs is increases the size
> of each file by a fixed amount. This doesn't matter with larger files but
> if you have a directory full of smaller files, like a mail client cache,
> there may be a noticeable increase in disk usage.
> 
> Encrypting the whole filesystem may be more convenient as it means you
> don't have to worry about what is encrypted and what is not, but you
> would need to back up to an encrypted drive.
> 
> Neither method will protect you from remote access while you are logged
> in as the encrypted files will be unlocked.

Another thing to mention is filesystem encryption.  I don't know if ext4 
encryption is mature enough for production implementations, but this was added 
to the kernel a few years now.  sys-fs/e2fsprogs includes e4crypt which can be 
used to encrypt directories and files, each one secured with a different 
encryption key, and each encryption key protected (encrypted) with a master 
key in your keyring.  So even if one file's encryption key is cracked, the 
rest of the encrypted files should be secure.

BTW, if we're talking about a few files which are not being accessed 
frequently, it may be worth considering the use of symmetric encryption using 
a passphrase (gpg, or openssl).  This would require no additional 
configuration, overlay fs, keyrings, etc., thus making it simpler to use and 
transport.  However, the file names themselves won't be encrypted using this 
method, which may or may not be important depending on your use case.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encryption questions

[Grant Taylor]

On 12/10/2018 02:25 AM, Neil Bothwick wrote:
> It sounds like ecryptfs would suit your needs best. As it works on 
> directories, you don't need separate mount points for each encrypted 
> directory.

The last time I looked at eCryptFS it /did/ need mount points for 
accessing the unencrypted contents.  But you don't need to dedicate an 
entire file system to the encryption.

I.e. /home/user/.precious is mounted on /home/user/precious

So /home/user/precious is a mount point, but is not backed by an 
independent file system per say.

Contents in /home/user/precious will be clear text while the contents of 
/home/user/.precious will be encrypted.



-- 
Grant. . . .
unix || die

Re: [gentoo-user] Encryption questions

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 680 bytes --]

On Mon, 10 Dec 2018 09:21:38 -0700, Grant Taylor wrote:

> > It sounds like ecryptfs would suit your needs best. As it works on 
> > directories, you don't need separate mount points for each encrypted 
> > directory.  
> 
> The last time I looked at eCryptFS it /did/ need mount points for 
> accessing the unencrypted contents.  But you don't need to dedicate an 
> entire file system to the encryption.

Sorry, poor choice of words. I really meant separate filesystems. Of
course each mounted ecrypts directory needs a mount point!


-- 
Neil Bothwick

deja vous - the act of forgetting someone's name /again/ despite being
introduced to them several times.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encryption questions

[Dale]

Dale wrote:
>
> I may get on youtube and see if I can find some videos on this so I can
> see it actually working.  Maybe find a couple different setups.  I'm
> sure someone has done at least one.  lol 
>
>

OK.  I found a video.  It explains it pretty well.  I learned a lot. 
Here is a linky.

https://www.youtube.com/watch?v=823k8Qk47T0

One thing I like, I can understand the guy and he doesn't have some
silly music playing that makes it hard to hear.  Some people just make
things to fancy to the point it is useless.  Anyway.

I got a general idea of it.  Basically, I'd have to encrypt it on the
puter itself but also make sure any backups are encrypted as well.  I
also see that it does its thing 'on the fly' as some call it.  It
doesn't require you to tell it to decrypt something, wait a while for it
to do it, then be able to use it.  It does it as you access it.  When
done, close it and it's secure again.  That muddy water clears up a
bit.  ;-)

I plan to watch a few more, when I find some I can hear well and
understand.  lol 

Oh, I also found this:  app-crypt/veracrypt  It seems to be a GUI
interface for this.  May find a video on that too.  Still, I'd like to
have both command line and GUI tho.  One never knows about these things. 

Dale

:-)  :-) 

Re: [gentoo-user] Encryption questions

[J. Roeleveld]

On Monday, December 10, 2018 12:46:07 AM CET Dale wrote:
> Howdy,
> 
> As some may know, I'm making some changes and upgrades to my puter.  One
> thing I'm considering, encryption of a select directory/mount point/file
> system.  One thought I have, create a mount point named say "Encrypted"
> and put anything I don't want widely seen or hacked in that directory. 
> That would likely be on it's own partition or LVM setup.  I would likely
> keep other things open.  Example, I may have /home on a partition of
> it's own but then have the encrypted directory mounted on
> /home/dale/Desktop/Encrypted.  I could even let that be my Documents
> directory as well.  I'm not to worried about browser history etc.  Plus,
> I could log into KDE and not have to access the encrypted stuff if it is
> not needed.  I don't need encryption to check the weather.  lol 
> 
> How I do that isn't a big deal really.  My main question is this.  If I
> go to the trouble of doing this, would I be *really* protected?  Is
> there a easily used encryption tool that isn't easily hacked?  Also,
> when I login, I'd like to be able to type in password etc and it be
> available from that point on, unless I do something to lock it up
> again.  Reason, I may even put some of my videos on that.  I watch TV
> from that a lot.
> 
> Also, how hard would it be to do the same to my backups, since having a
> open set of backups would render the encrypted part just available
> elsewhere? 
> 
> While I get some of how encryption works, I don't keep up with it on a
> weekly or even monthly basis.  I just see the occasional articles on
> it.  I'd rather ask and get input from someone who uses and/or is more
> familiar with this.  In other words, if it is worthless and someone
> knows it is, then let me know.  If one tool is better/easier/etc than
> another, I'd like to know that as well. 

I have not read the full thread, but missed mention of a few things, so here 
is my take on the whole thing:

- Full disk encryption is only necessary if the machine runs the risk of being 
stolen. (physical access)
- Encryption will not protect against remote hacks as the OS can access the 
files when the storage is decrypted
- When using encryption, ensure swap is encrypted as well as there is always a 
risk the encryption keys can be stored on swap

Personally, I don't encrypt my desktop as the physical security of my house is 
adequate. My laptop uses full disk encryption, only the boot-partition is not 
encrypted. The decryption key is password-encrypted and stored inside the 
kernel image.
For clarity, my disk layout on laptop is as follows:
physical disk - partition - LUKS-encryption - LVM - ..... (The rest is the 
same as what you have)

--
Joost

Re: [gentoo-user] Encryption questions

[Helmut Jarausch]

I use encfs (see github.com/vgough/encfs)
It's in the portage tree.

Here is my private Readme

# Neither .Secret nor Secret should contain data before creation !!!

# CREATION  (only once)
e.g.
encfs -i 10 --ondemand --extpass=x11-ssh-askpass `pwd`/.Secret  
`pwd`/Secret

or more simply in an XTerm
encfs `pwd`/.Secret `pwd`/Secret

================
# USAGE

encfs [-i idle[minutes]] [--ondemand] --extpass=x11-ssh-askpass <TRUE  
FS> <MountPoint>

e.g.
encfs -i 10 --ondemand --extpass=x11-ssh-askpass ~/.Secret ~/Secret

or more simply in an XTerm :  (>>> always use the full path of both  
folders)

encfs ~/.Secret ~/Secret


=========
After Usage
=========

fusermount -u ~/Secret

If you shut down the machine you don't need to do fusermount -u.


BackUP : ~/.Secret  and remember password (e.g. using  
app-admin/keepassxc)

Important Note :

ENCFS does not hide the length and modification date/time of a file
If that matter you can archive several file in a tar-file before  
encryption.