Ubuntu – Does ecryptfs-setup-private use real time encryption


I'm trying to encrypt some sensitive files on my computer, and I'm trying to figure out what the best option is. I'm considering using ecryptfs-setup-private or a TrueCrypt file container. I like ecryptfs because it seems more native to Ubuntu (it's in the repository after all), and it makes sense to have Private in my home directory.

What I want to know is this: if I hibernate or have a hard power off while the Private directory is mounted, can someone use a live cd or mount my hard drive on another computer and see the contents of Private, or is Private encrypted real time while I am accessing files?

Best Answer

I'll answer this question, as the author of ecryptfs-setup-private, and one of the maintainers of eCryptfs.

eCryptfs provides very strong cryptographic protection of your data "at rest" -- i.e., when your system is powered off or hibernated. However, you should beware that when your system is running, and your home directory is mounted, your data is protected exclusively by DAC (Discretionary Access Controls) -- i.e., UNIX filesystem permissions. By default in Ubuntu, if you're using an Encrypted Home Directory, then your $HOME directory has 700 permissions -- so no other users on the system besides you (and root) will be able to see your data while it's mounted. Now when your data is mounted, then it is safely locked away in encryption.

As always, you should still have a very strong LOGIN passphrase, however. Your LOGIN passphrase is used to encrypt and decrypt a much longer and stronger, randomly generated mount passphrase, which is stored in $HOME/.ecryptfs/wrapped-passphrase. If an attacker has access to $HOME/.ecryptfs/wrapped-passphrase, then they can try and decrypt that file by guessing your LOGIN passphrase. If they do decrypt that, then they will have access to your long/random MOUNT passphrase and your data is no longer safe. As a stronger measure of security, some paranoid users (such as myself) store their wrapped-passphrase file on secure removable media such as a USB key or an SD card, and use a symbolic link to link it into place at $HOME/.ecryptfs/wrapped-passphrase. This should only be attempted by expert users.
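As an added example (not code from the answer's author or the eCryptfs project), a small POSIX shell audit of the two states the answer describes: whether a given eCryptfs mount is currently attached, in which case the data is guarded only by DAC and $HOME should be mode 700, or detached, in which case the ciphertext is all that is on disk. The mount-table path, the directory, and the mode are assumed inputs; the sample mount table is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original answer. Reads a mounts table from a
# file so it can be pointed at /proc/mounts or at the constructed sample below.

# ecryptfs_mounted MOUNTS_FILE DIR -> prints "mounted" or "unmounted"
# /proc/mounts columns: source mountpoint fstype options dump pass
ecryptfs_mounted() {
    awk -v d="$2" '$3 == "ecryptfs" && $2 == d { found = 1 } END { exit !found }' "$1" \
        && echo mounted || echo unmounted
}

# home_mode_ok MODE -> success when the octal mode grants group and other
# nothing (700 or 2700 pass; 750 and 755 fail)
home_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_state MOUNTS_FILE DIR HOME_MODE -> one-line verdict; returns 1 when the
# mount is attached and DAC would let other local users read it
audit_state() {
    state=$(ecryptfs_mounted "$1" "$2")
    if [ "$state" = unmounted ]; then
        echo "$2: unmounted, protected by encryption at rest"
        return 0
    elif home_mode_ok "$3"; then
        echo "$2: mounted, protected only by DAC (home mode $3 is fine)"
        return 0
    else
        echo "$2: mounted AND home mode $3 lets other users in"
        return 1
    fi
}

# Constructed sample of a /proc/mounts table (not from a real system)
sample=$(mktemp)
cat > "$sample" <<'EOF'
sysfs /sys sysfs rw,nosuid 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,ecryptfs_cipher=aes 0 0
EOF
audit_state "$sample" /home/alice/Private 700
audit_state "$sample" /home/bob/Private 755
# Remediation for the exposed case is the default Ubuntu layout: chmod 700 "$HOME"
audit_state "$sample" /home/alice/Private 755 || echo "fix with: chmod 700 /home/alice"
rm -f "$sample"
```

Run it against the real table with `audit_state /proc/mounts "$HOME/Private" "$(stat -c %a "$HOME")"` before hibernating or leaving the machine unattended.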