Ubuntu – decrypted files stored during runtime

Tags: ecryptfs, encryption, filesystem

I wonder where Ubuntu/eCryptfs stores decrypted files from an encrypted $HOME directory during runtime.

  • Does it decrypt files just-in-time and store them only in RAM?
  • What about large files (e.g. 1080p movies with 20Gb)?
  • Is it possible that there are some decrypted files left on HDD after system shutdown?
  • Does the decrypting/encrypting affect OS performance significantly?

Best Answer

Decrypted files are stored in RAM. The decryption (or encryption, when writing) happens on the fly, block by block and not for a whole file at once. When an application reads a block from the file, the file is decrypted by a layer between the disk driver and the filesystem driver.

Decrypted files are not written to disk, but an application could write data to a non-encrypted filesystem. In particular, if you have encrypted filesystems, you should encrypt your swap space, since the data in application memory can end up in the swap space. You should also encrypt directories that applications use for temporary storage, such as /tmp (which can be made tmpfs and so be stored in the swap space), /var/tmp, /var/spool/postfix (emails), /var/spool/cups (documents being printed), etc.

Whether the encryption affects performance depends a lot on the ratio between processor speed and disk speed. With slow disks and a fast processor, you won't notice anything. With a slow processor and very fast disks, you'll feel the pain. Recent Intel and AMD processors have hardware accelerators for AES (AES-NI) which recent Linux kernels take advantage of.
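The answer names the places where plaintext from an encrypted home can surface (swap, /tmp and the other temporary directories) and notes that AES-NI decides how much the encryption costs. The script below is an added example, not part of the original answer: it audits exactly those places on a Linux machine by parsing /proc/swaps, /proc/mounts and /proc/cpuinfo. Run it with `--live` to read the real files; without arguments it runs against constructed sample data embedded in the script. The classification rules are assumptions made for this example: a swap area or mount backed by a /dev/mapper/* device is treated as dm-crypt encrypted, a tmpfs is treated as RAM-backed (and therefore only as safe as the swap it can spill into), an ecryptfs mount as encrypted, and everything else as plaintext.

```shell
#!/bin/sh
# Added example: audit where decrypted data from an eCryptfs home could land.
# Heuristics (assumptions, not eCryptfs facts): /dev/mapper/* => dm-crypt, tmpfs => RAM/swap,
# ecryptfs => encrypted, anything else => plaintext on disk.

# check_swap <contents of /proc/swaps>: one line per swap area; exit 1 if any is plaintext.
check_swap() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                   # header line
        $1 ~ /^\/dev\/mapper\// { print "encrypted " $1; next }
        { print "PLAINTEXT " $1; bad = 1 }                 # partition or swap file on a plain device
        END { exit bad }'
}

# check_dir <contents of /proc/mounts> <dir>: find the longest mount point covering <dir>
# and classify how that directory is backed; exit 1 when it would be written in plaintext.
check_dir() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        {
            m = $2
            if (m == "/" || dir == m || index(dir, m "/") == 1)
                if (length(m) > length(best)) { best = m; src = $1; fstype = $3 }
        }
        END {
            if (best == "") { print "unknown " dir " (no mount covers it)"; exit 1 }
            if (fstype == "tmpfs") {
                print "ram " dir " (tmpfs under " best "; spills into swap, so swap must be encrypted)"; exit 0
            }
            if (fstype == "ecryptfs" || src ~ /^\/dev\/mapper\//) {
                print "encrypted " dir " (" fstype " on " src ", mounted at " best ")"; exit 0
            }
            print "PLAINTEXT " dir " (" fstype " on " src ", mounted at " best ")"; exit 1
        }'
}

# list_ecryptfs <contents of /proc/mounts>: every eCryptfs mount as "<mountpoint> <- <lower dir>".
list_ecryptfs() {
    printf '%s\n' "$1" | awk '$3 == "ecryptfs" { print $2 " <- " $1 }'
}

# has_aesni <contents of /proc/cpuinfo>: exit 0 if the CPU advertises the "aes" flag.
has_aesni() {
    printf '%s\n' "$1" | awk '
        $1 == "flags" { for (i = 3; i <= NF; i++) if ($i == "aes") found = 1 }
        END { exit !found }'
}

# report <swaps> <mounts> <cpuinfo>: human-readable summary of all checks (always exits 0).
report() {
    echo "== swap =="
    check_swap "$1" || echo "-> unencrypted swap: pages of applications holding decrypted data can be written there"
    echo "== temporary and spool directories =="
    for d in /tmp /var/tmp /var/spool/postfix /var/spool/cups; do
        check_dir "$2" "$d" || true
    done
    echo "== eCryptfs mounts =="
    list_ecryptfs "$2"
    echo "== AES-NI =="
    if has_aesni "$3"; then echo "aes flag present: the kernel can use AES-NI"
    else echo "no aes flag: AES runs in software, expect a noticeable cost on fast disks"; fi
}

# Constructed sample data (not captured from a real machine).
SAMPLE_SWAPS_PLAIN='Filename Type Size Used Priority
/dev/sda5 partition 2097148 0 -2'
SAMPLE_SWAPS_ENC='Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 2097148 0 -2'
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,ecryptfs_sig=PLACEHOLDER 0 0'
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sse sse2 ssse3 aes avx'
SAMPLE_CPUINFO_NOAES='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sse sse2'

if [ "${1:-}" = "--live" ]; then
    report "$(cat /proc/swaps)" "$(cat /proc/mounts)" "$(cat /proc/cpuinfo)"
else
    report "$SAMPLE_SWAPS_PLAIN" "$SAMPLE_MOUNTS" "$SAMPLE_CPUINFO"
fi
```

On the sample data the report flags the plain /dev/sda5 swap and /var/tmp (which falls back to the unencrypted root filesystem), while /tmp is tmpfs and the eCryptfs home is recognised as encrypted. The mount lookup picks the longest mount point that covers the path, so a subdirectory of an eCryptfs home is classified by the home's mount rather than by the root filesystem.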
