Saturday, February 27, 2010

Encrypting your Laptop: Summary Thoughts

The issue of encrypting your data is far more complicated than I'd like it to be. After doing this on my work laptop running OS X and on my personal netbook, which I'm using as a "portable computing experiment," I can say there is a significant difference in the experience.

I used the "default" methods for encrypting these systems. There are many options if you research online: TrueCrypt is popular and cross-platform, EncFS can be used on Linux and OS X but takes some Terminal Fu to set up, dm-crypt is built into the Linux kernel...options abound.

But here's why I chose the "default" methods: they work. They're supported (in this case by Apple and Canonical). When you upgrade the operating system, there's a far better chance that the encryption isn't going to break the new installation.

The problem is that these encryption techniques still come with trade-offs, partly because of the way they are implemented.

Both FileVault and eCryptfs, as implemented here, encrypt just the home directory. This means that anything in the temporary directories or in the log files is accessible, as is the swap partition, which holds pages that were in memory and can have sensitive information tucked among the crud. (Ubuntu does ship ecryptfs-setup-swap, which moves swap onto a dm-crypt device keyed with a random key at each boot; whether that ran on your machine is something to check in /proc/swaps, not assume.) The good news is that the odds are very good, since Linux and OS X are "UNIX-based" in design, that your personal data is contained within the home directory.
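The audit below is an added example, not part of the original post and not Apple's or Canonical's tooling. On a Linux box it reports the three things the paragraph above worries about: whether swap sits on a device-mapper (dm-crypt) device, whether the home directory is currently an unlocked ecryptfs mount, and which of the usual spill directories outside the home are on plain storage. It assumes the Linux /proc/swaps and /proc/mounts formats and that an encrypted swap appears as /dev/mapper/* or /dev/dm-*; the list of spill directories is my own choice. The functions take the file text as an argument so they can be tried against constructed samples as well as the live files.

```shell
#!/bin/sh
# Added example (not from the original post): audit what a home-only
# encryption setup such as Ubuntu's encrypted home leaves in the clear.
# Assumptions: Linux /proc/swaps and /proc/mounts formats, and that an
# encrypted swap shows up as a device-mapper node (/dev/mapper/* or
# /dev/dm-*).  Functions take file text as an argument so they can be
# exercised on constructed samples as well as on the live files.

# swap_encrypted "<text of /proc/swaps>"
# Succeeds when there is no active swap or every swap device is a
# device-mapper (dm-crypt) device; fails if any plain partition or swap
# file is in use, since memory pages could then reach disk unencrypted.
swap_encrypted() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NR > 1 && NF >= 1 && $1 !~ "^/dev/(mapper|dm-)" { bad = 1 }
        END { exit bad }'
}

# home_is_ecryptfs "<text of /proc/mounts>" "<home directory>"
# Succeeds when the home directory is itself an ecryptfs mount point,
# i.e. the user is logged in and the encrypted home is unlocked.
home_is_ecryptfs() {
    printf '%s\n' "$1" | awk -v home="$2" '
        BEGIN { found = 0 }
        $2 == home && $3 == "ecryptfs" { found = 1 }
        END { exit !found }'
}

# unencrypted_spill_dirs "<text of /proc/mounts>"
# Prints, one per line, the usual places user data lands outside the home
# directory (/tmp, /var/tmp, /var/log, /var/cache, /var/crash) whose
# backing mount is neither ecryptfs nor a device-mapper device.  For each
# directory the longest mount point that is a path prefix of it wins, the
# same lookup the kernel does.  A tmpfs /tmp is reported too: it lives in
# RAM, which is exactly what ends up in swap.
unencrypted_spill_dirs() {
    printf '%s\n' "$1" | awk '
        NF >= 3 { n++; dev[n] = $1; mp[n] = $2; fs[n] = $3 }
        END {
            nd = split("/tmp /var/tmp /var/log /var/cache /var/crash", dirs, " ")
            for (d = 1; d <= nd; d++) {
                best = 0; bestlen = -1
                for (i = 1; i <= n; i++) {
                    m = mp[i]
                    if (m == "/" || m == dirs[d] || index(dirs[d], m "/") == 1) {
                        # later entries shadow earlier ones of the same length
                        if (length(m) >= bestlen) { best = i; bestlen = length(m) }
                    }
                }
                if (best == 0) { continue }
                if (fs[best] != "ecryptfs" && dev[best] !~ "^/dev/(mapper|dm-)") {
                    print dirs[d]
                }
            }
        }'
}

# Run against the live system when the proc files are present.
if [ -r /proc/swaps ] && [ -r /proc/mounts ]; then
    if swap_encrypted "$(cat /proc/swaps)"; then
        echo "swap: none, or on a device-mapper device"
    else
        echo "swap: WARNING plain swap in use; memory contents can reach disk in the clear"
    fi
    if home_is_ecryptfs "$(cat /proc/mounts)" "${HOME:-/nonexistent}"; then
        echo "home: ${HOME} is an unlocked ecryptfs mount"
    else
        echo "home: ${HOME:-unset} is not an ecryptfs mount (not set up, or not logged in)"
    fi
    spill=$(unencrypted_spill_dirs "$(cat /proc/mounts)")
    if [ -n "$spill" ]; then
        echo "outside the home directory, in the clear:"
        echo "$spill"
    fi
fi
```

Run it as the user whose home you care about, once logged in and once from a second account, and the home line flips between the two states the post describes. The swap check is deliberately conservative: a swap file or a plain partition both count as unencrypted.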

When you log in, the encrypted volume is mounted so you can access the data. This means that while you're logged in, malicious software running as you can read your unencrypted data. In other words, encryption isn't a cure-all for security.

eCryptfs on Ubuntu stores your files as encrypted files on top of the ordinary filesystem (under /home/.ecryptfs/<user>/.Private on a default install). This means that if I were to look at my username's files when that username is logged off, say, by logging in as root, the files look like gobbledygook. Each "real" file appears as a string of nonsense. There's a one-to-one correspondence, so the encrypted file will still let a snoop see when I created the file or last accessed it, the approximate size of the file (eCryptfs adds a header of a few kilobytes to each one), the number of files and the shape of the directory tree; basically they can get a lot of metadata without seeing the actual content or name of the file. This also means that it's a lot easier to back up the files to other media.

FileVault is implemented as a "filesystem within a file," or more precisely within a sparse bundle disk image. If I log in as my secondary user (more on that shortly) I see a huge number of files that make up that sparse bundle. When I log in as my normal user, OS X mounts the bundle as one encrypted volume, and my files live inside that volume. (The many band files are contained in a bundle, so within Finder you only see the top-level .sparsebundle.)

The reason the FileVault image was broken into many smaller files was an issue with Time Machine. Originally the encrypted volume was one giant sparse image file. If the user was logged in and a backup was run, the backup would see that the giant file had changed whenever even a tiny change was made in the home directory (since the home directory was actually contained in that one container file). Apparently users got irritated at backups that took hours to complete when only a couple of documents had changed.

Later versions of OS X (Leopard onward) changed the single giant image into a sparse bundle: the same volume split into many band files, 8 MB each by default. That way one small change doesn't trigger a backup of the entire multi-gigabyte image but only of the band or two that actually changed.

In contrast, the eCryptfs method of one-to-one file encryption means that backups are simpler and faster. You alter one document, that is the only file that changed, and so only its nonsense-ized counterpart gets copied to your backup media. One caveat: a copy of the encrypted files is only useful together with the mount passphrase. On Ubuntu that passphrase is random and is stored wrapped with your login password in ~/.ecryptfs/wrapped-passphrase, so record it with ecryptfs-unwrap-passphrase and keep it somewhere other than the laptop; a backup of the encrypted files without it is just noise.

It's also because of the OS X "container" approach that Bombich Software, when you use a utility like Carbon Copy Cloner to make images and backups of your computer, recommends you make sure you're logged out of any FileVaulted accounts. On the OS X system I had to create a second administrative user to run backups from.

Neither solution gives full-disk encryption, arguably the most secure option. It is possible to configure a new Ubuntu system to encrypt the entire disk (dm-crypt under LVM) at installation time, but to do so means installing from the alternate installation CD. Not exactly user-friendly. So you balance security and convenience, accepting that anything in the temporary caches outside the home directory or anything in the swap area could be recovered. On the other hand this means less of a performance penalty for accessing routine system files, since any encryption means the CPU has to decrypt information before you can access it.

Encryption adds a layer of security in case your notebook is stolen. The price is that it also adds a layer of complexity. Recovering your data in the event of drive corruption is far more difficult, and in the case of FileVault, if part of that container is damaged you will most likely lose everything in your home directory. This makes having a backup even more important. Encryption also adds processor overhead, so it slows the computer.

One last point: these only encrypt the home directory. Since I'm using a netbook, my expansion storage on the SD card or USB drive is not encrypted. If I keep that in my netbook case and they're both stolen, anything on those secondary drives is open to theft. I'm sure I could find a way to encrypt the data on those drives, but then if I needed to share data with another computer or use the drives with another computer, it couldn't read them unless that system had the same encryption scheme installed. I also make heavy use of external drives at home for expanded space and backups, and they are not encrypted.

I do think that while FileVault has detractors (there are many on the Internet claiming that it will eventually destroy your data, and they decry the shortcomings of only encrypting the home directory), Apple has made the process braindead simple. When it comes to something like encryption, options are definitely a bad thing for end users. People want to accomplish a task. They don't want to have to weigh options and choose the "correct" answer among a sea of possibilities. With the Snow Leopard version, they get protection for the home directory, the protection is implemented in place so they don't need to move their files around to a special encrypted directory or temporary holding area, the slack space can be securely wiped after the change is made, they don't need to play with configuration files or the command line to set up details like automatically mounting the home directory, and since it's a standard OS X feature, chances are that new versions of OS X aren't going to render your home directory inaccessible.

eCryptfs doesn't necessarily have detractors, but for a reason that is itself a criticism: it's not widely used. Linux has a small user base compared to Windows (or Mac OS X), and an even smaller percentage of those users are aware that encrypted home directories exist. It's a feature that's probably not widely deployed in the wild.

I didn't talk about Windows encryption because I don't use it. Windows has had encryption support for some time now (EFS since Windows 2000, BitLocker since Vista) and third-party support is, predictably, even more mature (for example, TrueCrypt supports full-disk encryption for Windows, but not for Linux or OS X). But Windows is what I work with in my day job. And it drives me nuts. And one thing encryption will not protect you from is spying when you're already logged in with access to your encrypted volume, and the market for malware on Windows is more mature than the malware market for Linux and OS X.

What does that mean? It means that if spyware gets installed while you're logged in, the disk encryption can't prevent that spyware from uploading your documents or opening the machine to remote access by an attacker. The encryption only guards your data if the laptop itself is stolen: the attacker looks at your hard drive and finds nonsense instead of your banking information if they don't have your password.

It's all a balancing act. The two operating systems I am implementing encryption on stay true to their roots. OS X made it simple and painless. Linux makes it a hidden feature for people who dig under the surface to find the Easter eggs. Neither one is a panacea; both are instead an added layer of security.
