The reason: people lose laptops
The Eden project lost an unencrypted laptop containing sensitive personal data on all 500 employees; bad but small beer when Posh retailer Marks and Spencer lost an unencrypted laptop containing sensitive data on 26,000 of its staff
A hospital lost the personal details of 11,500 children when an unencrypted laptop disappeared. A bank lost an unencrypted laptop with data about 11 million customers on and was fined for it.
Even the US Department of Homeland Security lost data on 100,000 staff, when an unencrypted external hard-drive went missing. Not to mention that Britain's top spies lose unencrypted laptops with sensitive data on. It goes on and on.
Some of this is down to archaic working practices, using office software when you should be a server-hosted applications, managers should not be wandering around with monster spreadsheets in their laptops, the information should be locked down on a rock-solid server inside a secure data centre.
However, it is also due to the laptops not running encryption at all. If someone steals a laptop with strong encryption, the data is completely unreadable to almost anyone on earth, give or take an American agency or two (probably just one).
Use Encryption, yes especially you Linux users
You can't always guarantee the physical security of mobile computers, indeed I myself had one stolen this year. However, on Linux, there is no need to leave yourself open to identity or data theft. Indeed if you are using Linux and you ended up at this blog post somehow, then you are highly likely to either work in IT or be otherwise highly technically competent. In other words, you have no excuse.
Encryption is easy to set-up, the approach I've outlined here does not require a reinstall, we are just going to swap out your home directory for an encrypted home partition. The simplest possible approach, but a big step forward in security for many of us.
You can follow my approach:
- In the introductory post, we look in general at the approach to encryption that we are undertaking.
- In the second post, we setup an encrypted partition at a dummy mount point.
- In the third post, we copy our files to the encrypted partition, set the encrypted partition to be mounted as /home and then shred the old unencrypted copies of our files.
- In the final post we have updates and feedback.
There are also many other guides out there, including:
- System Encryption DM-Crypt with LUKS - Gentoo Wiki
- A Structured Approach to Hard Disk Encryption (for Gentoo)
- Gentoo - Disk cryptography with dm-crypt
- Encrypted Filesystem Howto - Ubuntu Community Help
- Ubuntu Encrypted Filesystems Installer - straight from the graphical installer!
- Encrypting a full partition with LUKS (On Debian)
- Encrypted Root File System with SUSE HOWTO
- LUKS community documentation
- Encrypted Filesystems - Mandriva Wiki
- Disk encryption in Fedora Past, present and future
- Encrypting your swap then root partitions on Fedora
Spread the Word
Please do help with the campaign to get (at least) /home encrypted on all our Linux laptops by Christmas. Feel free to email this to your friends and user groups, if you have a website or blog then please link here, or even write a better version of your own!
Please also use the Digg entry, StumbleUpon or whatever cool social networking thing that you use.
Lastly, every campaign needs a sticker, so here it is:
Feel free to use it. Also, if it helps, here is some pre-made link code that you can slap on your blog/web site:
<a href="http://commandline.org.uk/xmas">
<img src="http://commandline.org.uk/images/christmas.png"
alt="Encrypt Home By Christmas" width="300" height="100" /></a>
What are you waiting for? Secure your /home!
<p>Hi Zeth - encrypting home is a great idea, also for general unix system
administration. Unfortunately the umask environment setting isn't very
flexible, so if you have a multi-user environment, you need to keep it at
least 027, but then your home files are world readable. By encrypting your
home, other users can access the encrypted files, but they are encrypted and
undecipherable. I do the same with my wiki software.</p>
<p>This is a great idea for a technologically ignorant thief, but more
sophisticated attacks can by-pass the encryption, accessing the DRAM after
the computer is powered down.</p>
<p><a class="reference external" href="http://www.freedom-to-tinker.com/?p=1257">http://www.freedom-to-tinker.com/?p=1257</a></p>
<p>The research team includes J. Alex Halderman, Seth D.
Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino,
Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. The full paper can
be found at:</p>
<p><a class="reference external" href="http://citp.princeton.edu/memory/">http://citp.princeton.edu/memory/</a></p>
<p>Their conclusions have been independently verified, as well. For the replies
of Microsoft, Apple, and PGP, see</p>
<p><a class="reference external" href="http://www.news.com/8301-13578_3-9876060-38.html">http://www.news.com/8301-13578_3-9876060-38.html</a></p>
<p>Against techno-savvy thieves, encryption is obviously a limited solution.</p>
<p>Hi Albert,</p>
<p>Most Linux users walk around with unencrypted personal data on their laptops.
This is just security through obscurity, and Linux is far less obscure than
it once was.</p>
<p>Any identity thief with a Linux LiveCD or a Linux box can mount the laptop
drive and get the data. This is a real attack that can be used by anyone who
gains physical position of the drive.</p>
<p>My approach stops this level of technosavvy-ness. But of course, security is
a process, a journey not a destination, and one would want many layers of
security. Because there is a new more unlikely attack, should not stop one
preventing this more likely and more common attack.</p>
<p>I myself shutdown and power-down my laptop when on the move, I do not suspend
it. Unless the thief has a handy supply of liquid nitrogen, they have to get
my laptop into their lab and boot the new OS within a few minutes of
shutdown or the data in the RAM has faded.</p>
<p>How about TrueCrypt?</p>
<p><a class="reference external" href="http://codesnippets.joyent.com/posts/show/1554">http://codesnippets.joyent.com/posts/show/1554</a></p>
<p>What's /home do?</p>