More seriously... If you use TrueCrypt, it has a very nice feature of having multiple passwords give access to different data. So, one way of hiding your data would be to encrypt it in one of these containers, then create another one using another passphrase. Then if for some reason someone asks for your passphrase (let's say, a court order, or the like...), you just give the password that decrypts a few p0rn files on your HDD. Nobody will be able to tell if there's other content using another passphrase, and such content type is the perfect excuse for encryption. :)
I do almost the same thing with my netbook and my notebook but instead of the full drive I have a Truecrypt mount for documents and portable apps.
If I need to quickly fire up the machine and get on the net I can - but if I want access to any of my documents, bookmarks, Eclipse workspace or my portable apps, I have to mount the drive.
We've made this a standard practice for all company notebooks where I work - very little speed compromise and stolen or lost computers pose very little risk (as long as they
by Anonymous Coward writes:
on Monday November 21, 2011 @07:23AM (#38122544)
I have a small (2 MB) TrueCrypt container for sensitive data inside my Dropbox. I use it to store things like scans of my passport and issued tax ID code (it's a thing that my country has that you have to have to do banking) should I need them on the go. I also keep my passwords encrypted inside the Dropbox with KeePass.
However, now that I trust Dropbox less than I used to due to some SNAFUs on their part, I might introduce per-file encryption for everything in it. The problem is that there's apparently no cross-platform solution to do it for me.
I have been looking for some piece of cross-platform encryption for just that: so I can keep a file of my passwords and not have to worry about someone else getting access to it. I'm thinking of writing something in Perl but wonder if there's already a good alternative.
by Anonymous Coward writes:
on Monday November 21, 2011 @11:40AM (#38124408)
I have been looking for some piece of cross-platform encryption for just that: so I can keep a file of my passwords and not have to worry about someone else getting access to it. I'm thinking of writing something in Perl but wonder if there's already a good alternative.
Use KeePass. It can encrypt with AES or Twofish, works on Linux and Windows (probably on Mac too), has a good interface and is free software.
I have been looking for some piece of cross-platform encryption for just that: so I can keep a file of my passwords and not have to worry about someone else getting access to it. I'm thinking of writing something in Perl but wonder if there's already a good alternative.
GPG combined with text files (one per service/site) that contain the encrypted ASCII text blocks. Easy to back up (you could even print the ASCII block out on a piece of paper) and as secure as you keep your GPG key(s). It's probably the b
Sounds similar to what I do but for keeping my tax records along with other data I would rather other people not get a hold of. I use USB sticks though.
Switch to a better service. Like Wuala [wuala.com]. It actually encrypts your files on your device before sending them off to their storage. Wuala does not have access to your password so you're likely as safe as you can be with a service like that.
I do the exact same thing, and now you've got me curious. What snafus have occurred that would actually affect the security of things like TrueCrypt and KeePass? I've been operating under the assumption that as long as I use strong passwords, they're pretty much impenetrable.
With KeePass, use a key file rather than just a password if you want to be really sure. This protects you from keyloggers as well. Carry the key file with you on a USB stick.
Try SpiderOak [spideroak.com] rather than DropBox. You supply the encryption key for your data, as opposed to the DropBox single key solution. Cross platform, and great referral bonuses too.
Wrong name. Given the usual meaning of "spider" in a computer context I personally find it hard to trust a company with that name. It's not that I believe that they are actually collecting information through a loophole, it's rather that I can't trust the expertise of people who call a company for secure data storage "SpiderOak". Or do they release the source code of their applications?
They do release a lot of their code, and have contributed a lot of their internal tools. As far as I know, they don't release full code for their client. I think faulting them for their name is a bit picky, personally.
If they are smart enough to get remote access to your machine then they are smart enough to install key loggers et al and just wait for you to give them the keys to the vault anyway.
This is where plausible deniability comes in. TrueCrypt's encrypted hidden OS -scheme is entirely safe, even from physical attacks on you.
I'm pretty sure that by the time a shadowy government organization is literally beating you with a wrench, they have probably abandoned due process, do not care about plausible denials, will assume that any hint you have ever used TrueCrypt proves you have a hidden partition, will be determined to persevere until you crack and show them something incriminating, and are li
This is where plausible deniability comes in. TrueCrypt's encrypted hidden OS -scheme is entirely safe, even from physical attacks on you.
Plausible deniability protects you from certain legal attacks in halfway civilized countries. It doesn't help at all against physical attacks. To put it another way, once someone starts to torture you to obtain the password of the hidden volume, you would very soon deeply regret it if there wasn't one...
Pretty much the same here, specific data that warrants it goes into encrypted files/partitions as appropriate, the rest goes to disk as is. I don't see any reason to waste CPU cycles encrypting stuff that I've downloaded off the internet or I don't give a crap whether someone else sees it. The only other things I would add to the list are cache/temp directories and any swap files/directories/partitions - you never quite know what data your application or OS is going to put on disk via that particular route,
I store the one bits on one machine and the zeros on another.
Seems a great way to run a RAID system with only 2 drives. Incredibly efficient too, since you don't actually need to commit your writes (they always only contain zeros or ones). And if one disk fails, you replace it, do "dd if=/dev/zero of=/dev/sdd" on it for the '0' disk and you have restored all your data. Of course you have to remember which one holds the zeros and which one holds the ones, otherwise you are screwed.
Nearly all of my personal documents are incredibly mundane, I have a KeePass database and a TrueCrypt file for my Banking and other financial docs that may contain vital personal info...
For the people that chose the "All!" option, aren't you afraid of losing a key and being unable to access all of your data? I'm quite afraid of encrypting backups already (encrypt in transit, keep it in trusted locations seems way more secure). I can't imagine how one sleeps at night knowing all their /home is encrypted.
(I've once lost the key of my laptop. No big deal, I have backups for that. But I don't have backups for the backups...)
Based on my experience with HDDs, I generally expect catastrophic failure rather than corruption so I'm no more or less screwed than you. There's no "master key" to everything, each disk can be opened individually with my passphrase. Which I remember. And short of brain damage I don't think I'll forget that and in that case I got bigger problems.
Is there a good way to encrypt just the home directory in Mac OS X? FileVault can only encrypt the whole drive in Lion. I don't need to be secure from Mossad / CIA or anything, but it would be nice if my personal stuff was decently encrypted in case my MacBook is stolen.
In previous versions of OS X (Pre 10.7), FileVault just encrypted home directories, that is the home folder was just an encrypted writeable disk image. The problem arose with the introduction of Time Machine in 10.5. Time Machine and FileVault did not work very well together because Time Machine would back up the whole home directory every time a file within it was changed. In Lion, with FileVault on, only the changed files are backed up with Time Machine.
If you want to just encrypt one folder tree, just ma
Doesn't OS X have any filesystem-level encryption like ecryptfs or encfs on Linux? Seems like a weird oversight.
Yes it does and it is built in. But it is not supported for the boot partition.
As the parent to your post said, you can easily create encrypted disk images that grow as they are used which you can mount by double-clicking on it. OS X will then ask for the key before the image is mounted.
All backups are encrypted, of course. Mostly because copies of them are stored elsewhere.
Other than that, nothing except some USB sticks with the most sensitive data. If I did a new install from scratch today I'd probably do a full disk encryption (just click another button in the Debian installer) but I'm too lazy to change my existing systems.
I encrypt everything not because I'm paranoid or have anything super secret but because it is easier to dispose of old hard drives. When I replace a drive I simply throw the old one away. I don't have to spend any time wondering if there was anything on there I needed to wipe. I don't have to spend any time worrying about how to wipe a broken drive.
Pop the thing open, and jab a screwdriver through the discs. Maybe hammer them out of shape a bit, too. It's not exactly hard or particularly time consuming - about five minutes each.
That's the system the DoD and NSA use. They're predictably paranoid in assuming that anything they can do (or even think they'll be able to do), anyone else can do. If you want to protect your stuff from them (and you probably should), just use their own procedures.
I have an IronKey USB thingamajig from ThinkGeek that I stuff all mission-critical private data on to. Although, to view the data I need to decrypt it, and since just about every OS duplicates that data into unsecure swap space, it feels kinda pointless... but it makes me feel good anyway.
Well, the whole point of an encrypted flash drive is to make stealing the flash drive useless, not to provide 100% security. Semi-related, I've found that security works as something of an ecosystem -- doing one thing and expecting it to secure you perfectly isn't very bright, but many people take the "panacea" approach. Security suites (or truly awful suites, like anti-virus/firewall/defrag/backup/security jack-of-all-trades-master-of-none) only encourage this idea.
I have one of these. 4GB, supplied and mandated by Work (tm). I keep all work related and sensitive files on it.
Yes, it does you no good once it is plugged in and decrypted to expose the drive.. but then again how is that different from Truecrypt?
As the other responder said, the main purpose here is for when the device is lost. I've lost several tiny 4GB drives.. mostly because they were in my pocket without a leash.. but they were for casual file transport... and did not have anything important.
I don't encrypt my music, pictures, or movies folders, but do encrypt documents and non-"documents" application data folders. Plus all backups. If I had a system that could do full-disk encryption in hardware, rather than software, I'd use it.
not true, changing a bit only corrupts a TrueCrypt ciphertext block (128 bits). You only have to deal with corruption to the same extent you would have to with normal filesystem, as long as you remember to make backup copies of volume header (lose that and you can't mount the volume)
If that was true, then writing one bit of data would require re-writing the *entire* hard drive. Any encryption system where writing 1 byte takes less than ~5 hours will not corrupt the whole hard drive if one sector goes bad.
However... hard drives go bad all the time, so you need backups anyway! My drive can die any day, and I won't lose more than a couple hours' work.
For each block to fail independently, you must use an insecure block chaining algorithm. That stops being an issue if your blocks are big enough, but then, it is another case of reliability vs. confidentiality.
I work as an IT consultant and sometimes have to bring home more or less sensitive information -- all such information (actually all customer information) I keep in an encrypted container, with one for each of my customers. And no, I do not use the same password for all containers!
For what it's worth: I use TrueCrypt as it is cross-platform and I back up my whole containers to two off-site locations in another country. And to manage passwords I use KeePass and KeepassX.
I turned on the new full disk encryption feature for months and never noticed any real performance issues. Intel's hardware accelerated encryption is plenty fast enough to keep up with a hard drive's i/o speed.
But because the whole system is encrypted, it moves the login screen to before the system even starts booting, and that mini-os had a couple of bugs when switching from one monitor to another. So I turned it off last week. I'll turn it on again one day after they've ironed that stuff out.
The difficult questions are:
- How do you manage your encryption keys?
- What is your procedure for changing them?
- How many bits of entropy does your key really have? Did you say you used AES-256?
Encryption is easy. Proper key management is hard.
The big problem with "only" full disk encryption is that while the system is running you are vulnerable like hell. A simple malware can lift all your data, even before you notice it. Using multiple levels of encryption helps, by delaying the vulnerable time. You are only vulnerable when you type the password or the data is unencrypted. You can sanitize your system before that; if you are able to detect the infection, that is...
Heh, expect to get detained for a looooooong time if you actually did something like that. (Actually, scratch that, they'd probably just send you back from whence you came.)
While not technically encrypted by default, Firefox's password database is usually encrypted. I have a few more files that contain access information for other things. I encrypt those.
But that's about it. None of my other files contain information that I consider sensitive. Given the choice between "nothing" (factually incorrect), and "a portion of my home directory" (highly misleading), I chose the misleading option.
Why bother, if you go through the effort of encrypting, when you get attacked by the FBI they will just point their guns at you and demand you give them the password.
Depends on what your threat model is. I use full disk encryption on things I regularly carry around. The main threat I am protecting against is the one I feel is most likely: accidentally misplacing the media, e.g. forgetting it somewhere. That way, I don't have to think afterwards what I had on the disk and how it will come to bite my ass.
If the police with a proper warrant, or robbers threatening with violence, want my password, I will give it to them. But I consider both cases rather unlikely.
No need (Score:5, Funny)
Re: (Score:2)
For sure!
Re:No need (Score:5, Funny)
Naked pictures of me IS the security. I have all my sensitive documents hidden within a folder within a folder within a folder filled with naked pictures of me.
It's the perfect reverse porn hiding place.
Re: (Score:3, Funny)
Would that be called 'Rule 43?'
Re: (Score:3)
This reminds me of an attack on a Windows user that involves deep directory trees.
All current versions of Windows have a path length limit of 256 characters. If you create a directory tree that ends up longer than the path limit the user won't be able to delete it via the normal Explorer shell or command line. At the lowest level they won't even be able to open or rename the last folder, so an attacker could call it something like "bomb making plans" and there would be no way for the victim to change it. Th
Re: (Score:2)
If. Explorer hasn't, and neither have most other file-manipulation apps.
Re:No need (Score:5, Informative)
Obligatory (Score:5, Insightful)
Obligatory XKCD:
http://xkcd.com/538/ [xkcd.com]
Re: (Score:3)
It depends on what the burden of proof is, at which point it becomes a legal question. If they suspect that it exists, then in some jurisdictions you could be forced to hand over the keys/passwords (e.g. England). It's also worth noting this can work against you - in some jurisdictions, the burden of proof is on the defendant for certain crimes (e.g. this was the case in Victoria, Australia for drug possession charges until R v Momocilovic, where the High Court ruled the statute could not be enforced due to
Re:No need (Score:5, Funny)
Re: (Score:3, Insightful)
This is /.
those don't exist here.
Re: (Score:2)
You never know. The numbers are very low though. :(
Re: (Score:2)
Nope, I did say a gal. :P
Depends on the machine (Score:2, Interesting)
My netbook has full drive encryption. My desktop is less digitally secure but less likely to fall into "hostile" hands.
Re:Depends on the machine (Score:5, Funny)
My netbook has full drive encryption
...and is featured on the wikipedia page for "slow".
Re: (Score:2)
The downside of this approach is the risk of data leaking onto the unencrypted volume, through temporary files, swap space, browser caches, files inadvertently saved in the wrong place and so on.
If you use Linux you can mitigate this by disabling (or encrypting) swap and using ramdrives for /home, /tmp, /etc and /var so everything not explicitly saved is wiped out on reboot. For distribution updates you would need a script that resets /etc and /var to the stored state, clears /tmp, remounts root read/write,
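Added example (not part of the comment above and not code from any tool it mentions): a Python check of the leak paths that comment lists, run here on constructed /proc/mounts and /proc/swaps samples. The watched paths, the sample devices and the assumption that encrypted volumes are cryptsetup mappings whose device-mapper UUID starts with CRYPT- are assumptions of this example.

```python
"""Added example: audit where plaintext can land outside an encrypted container."""
import glob
import os

# Assumption: the watched paths are the ones the comment names that can hold user data.
WATCHED = ("/home", "/tmp", "/var", "/var/tmp")
ENCRYPTED_FS = {"ecryptfs", "fuse.encfs"}  # stacked filesystems that encrypt per file
VOLATILE_FS = {"tmpfs", "ramfs"}           # contents are gone after a reboot

# Constructed sample data: plaintext root and swap, tmpfs /tmp, encrypted /home.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mapper/docs_crypt /home ext4 rw,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename                                Type            Size    Used    Priority
/dev/sda3                               partition       2097148 0       -2
"""
SAMPLE_DM = {"/dev/mapper/docs_crypt": "CRYPT-LUKS1-00000000000000000000000000000000-docs_crypt"}


def parse_mounts(text):
    """Return {mountpoint: (device, fstype)}; a later line wins, as with over-mounting."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts[fields[1].replace("\\040", " ")] = (fields[0], fields[2])
    return mounts


def parse_swaps(text):
    """Return active swap paths from /proc/swaps content (first line is a header)."""
    return [line.split()[0] for line in text.strip().splitlines()[1:] if line.split()]


def is_crypt_device(device, dm_uuids):
    """True if device-mapper reports the node as a dm-crypt mapping."""
    return dm_uuids.get(device, "").startswith("CRYPT-")


def backing_mount(path, mounts):
    """Longest mountpoint that contains path."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def protected(path, mounts, dm_uuids):
    device, fstype = mounts.get(backing_mount(path, mounts), ("unknown", "unknown"))
    return device, fstype, is_crypt_device(device, dm_uuids) or fstype in ENCRYPTED_FS


def audit(mounts_text, swaps_text, dm_uuids):
    """Return (location, device, reason) tuples for places plaintext can reach disk."""
    mounts = parse_mounts(mounts_text)
    plaintext_swap = []
    for swap in parse_swaps(swaps_text):
        if swap.startswith("/dev/zram"):
            continue  # compressed RAM, never written to disk
        if swap.startswith("/dev/"):
            exposed = not is_crypt_device(swap, dm_uuids)
        else:  # swap file: only as safe as the filesystem holding it
            exposed = not protected(swap, mounts, dm_uuids)[2]
        if exposed:
            plaintext_swap.append(swap)
    findings = [("swap", swap, "plaintext swap") for swap in plaintext_swap]
    for path in WATCHED:
        device, fstype, safe = protected(path, mounts, dm_uuids)
        if fstype in VOLATILE_FS:
            # tmpfs pages are swappable, so a ramdrive still leaks through plaintext swap
            if fstype == "tmpfs" and plaintext_swap:
                findings.append((path, device, "tmpfs pages can reach plaintext swap"))
        elif not safe:
            findings.append((path, device, "plaintext on disk"))
    return findings


def read_dm_uuids():
    """Map /dev/mapper/<name> and /dev/dm-N to their dm UUID via sysfs (Linux only)."""
    uuids = {}
    for d in glob.glob("/sys/block/dm-*/dm"):
        try:
            with open(os.path.join(d, "uuid")) as f:
                uuid = f.read().strip()
            with open(os.path.join(d, "name")) as f:
                name = f.read().strip()
        except OSError:
            continue
        uuids["/dev/mapper/" + name] = uuid
        uuids["/dev/" + d.split("/")[3]] = uuid
    return uuids


if __name__ == "__main__":
    if os.path.exists("/proc/swaps"):  # live Linux host
        with open("/proc/mounts") as m, open("/proc/swaps") as s:
            results = audit(m.read(), s.read(), read_dm_uuids())
    else:
        results = audit(SAMPLE_MOUNTS, SAMPLE_SWAPS, SAMPLE_DM)
    for where, device, why in results:
        print(f"{where:10} {device:28} {why}")
```

On the sample, the encrypted /home passes while /tmp is still reported: a ramdrive only helps once swap is disabled or encrypted too.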
Dropbox (Score:5, Interesting)
Re:Dropbox (Score:5, Informative)
Re: (Score:2)
KeePass looks good. Thanks.
I'm naive enough... (Score:5, Interesting)
Re: (Score:2)
... to think that I'm uninteresting and inconsequential enough that nobody would ever be interested in my /home/ directory.
I hide behind a router and firewall, and run GNU/Linux. Isn't that enough for us peons?
I do that too. I have one encrypted file, which stores password hints for infrequently used logins. (The "hint" is something like "9...a...N", which means "my too-often-used password beginning 9, the too-often-used password beginning a, and the letter N, or a unique word beginning with N".) It's encrypted using GPG.
Re: (Score:2)
I have one encrypted file, which stores password hints for infrequently used logins.
I do something similar using a "passwords.txt" file in an encfs [arg0.net] container.
Re: (Score:2)
What is that N-word? I know about the F but not the N.
Nerd...
Don't say it in public; you could embarrass yourself.
Re: (Score:3)
Isn't that enough for us peons?
Probably more than enough, yes.
Encryption against "bad guys": they beat it out of you
Encryption against the cops: they charge you with a dozen other things.. and depending on where you live, probably charge you for hindering an investigation or such.
I encrypt everything, but more because I have a weird interest in it. I also run separate isolated networks (internal/external) and have individual firewalls on all my boxes.. all of which I recognize as serious overkill, as the threat I am most likely to face i
Re:I'm naive enough... (Score:4, Funny)
You don't want to know.
Re: (Score:2)
I guess, but I figure if the cops are wanting to get at my computer.. whether I know about it or not.. I'm probably boned ;p
Re:I'm naive enough... (Score:5, Insightful)
No, we should all encrypt everything by default. Otherwise encryption looks suspicious and laws like RIPA can target people who use it. If everyone encrypted everything it would be much harder to prosecute any particular individual.
Obligatory xkcd reference. (Score:4, Insightful)
Re: (Score:2)
That's probably the best example of what "physical access to the device" could mean.
I honestly can't be bothered (Score:5, Funny)
having screwed up every disk partitioning scheme I have tried and rm -rf * on my laptop /home the other day why would I trust myself with something complicated?
I have enough drama trying to get motivated to do backups
Home directory, backups, flash drives, etc. All! (Score:5, Interesting)
I have all my harddisks encrypted. Less of a hassle than remembering to store everything just in /home (/srv anyone) and then forgetting about caches in /tmp or /var/tmp.
And I am quite glad for it, as I have had a laptop stolen with a lot of private stuff on it, too.
Re:Home directory, backups, flash drives, etc. All (Score:4, Interesting)
I also want a box that boots without password, but still has a lot of stuff encrypted.
Two solutions I've found are decent:
(1) eCryptfs [launchpad.net] -- it allows you to login, and using a wrapped passphrase, decrypt and auto-mount your encrypted home directory. Thus, you login and your /home/{user} is now available. Root can't even read your homedir if you're not logged in, but he can when you are logged in.
(2) Truecrypt mounted over-the-top of /home (and /whatever else like /tmp if you're worried about cache and such). The idea is once the box reboots, you login as a regular user (gui/console or ssh) then sudo to root; then you mount your TC encrypted partition over the top of /home. Logout and back in as a regular user and you're in! Then anything you stash under /home (say /home/backup/ for your portable devices) is thus encrypted. Obviously you back all that up to a separate encrypted partition on another device (external hdd or 2nd box). Any files in the original /home are not accessible when you mount over-the-top until you unmount the encrypted container.
Nice bonus about #2 is you can give someone your login password, but not truecrypt passphrase, and the user can still login and see a few files and such without being aware of a single/double TC partition.
UEFI to help? (Score:2)
If the box boots at runlevel X and only starts SSH and a few other essential services for you to remote into it, then after you mount /home, /tmp, /var over the top, change to runlevel Y for everything else. I don't use swap, or I manually 'swapon' a swapfile from an encrypted+mounted partition.
I guess it depends on the level of encryption you need. If it's just your homedir you're worried about, and the apps you use don't write to /var (besides /var/tmp), then mounting over the top is just fine. All your
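A check for the gaps these comments worry about (caches in /tmp and /var/tmp, and swap sitting outside the encrypted mount), added here as an example and not posted by anyone in the thread. The sample `/proc/mounts` and `/proc/swaps` text is constructed, and treating `/dev/mapper/*` sources and the `ecryptfs` filesystem type as "encrypted" is an assumption to adjust for the system being checked.

```python
# Assumption: dm-crypt/TrueCrypt volumes show up under /dev/mapper/ (so does LVM).
ENCRYPTED_PREFIXES = ("/dev/mapper/",)
ENCRYPTED_FSTYPES = {"ecryptfs"}

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
/dev/mapper/home_crypt /home ext4 rw,relatime 0 0
"""  # constructed sample in /proc/mounts format
SAMPLE_SWAPS = """\
Filename Type Size Used Priority
/dev/sda2 partition 2097148 0 -2
/home/swapfile file 1048572 0 -3
"""  # constructed sample in /proc/swaps format

def parse_mounts(text):
    return [tuple(line.split()[:3]) for line in text.splitlines() if line.strip()]

def backing_mount(path, mounts):
    # Longest mount point that contains path; on a tie the later line wins,
    # which is the volume mounted "over the top".
    best = None
    for src, mp, fstype in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[1]):
                best = (src, mp, fstype)
    return best

def is_encrypted(src, fstype):
    return src.startswith(ENCRYPTED_PREFIXES) or fstype in ENCRYPTED_FSTYPES

def plaintext_locations(mounts_text, swaps_text, watch=("/home", "/tmp", "/var/tmp")):
    """Return watched paths and swap areas that are backed by unencrypted storage."""
    mounts = parse_mounts(mounts_text)
    leaks = []
    for path in watch:
        src, _, fstype = backing_mount(path, mounts)
        if not is_encrypted(src, fstype):
            leaks.append(path)
    for line in swaps_text.splitlines()[1:]:        # skip the header row
        if not line.strip():
            continue
        name, kind = line.split()[:2]
        # A swap file inherits the protection of the filesystem it lives on.
        src, fstype = backing_mount(name, mounts)[::2] if kind == "file" else (name, "")
        if not is_encrypted(src, fstype):
            leaks.append("swap:" + name)
    return leaks

if __name__ == "__main__":
    print(plaintext_locations(SAMPLE_MOUNTS, SAMPLE_SWAPS))
```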
How important is your data? (Score:2)
I use a combination of encryptions and physical separation of data from system - the data is encrypted as-it-goes, the drive itself is fully encrypted, and that drive sits in a Phoenix safe. A monthly backup goes elsewhere, which is also encrypted using a different method.
Re: (Score:2)
I have two classifications of data: replaceable (rips of DVDs I own, music I own, stuff from the net, etc) and irreplaceable (projects, documents, photos).
I have an internal file server, where all the data is encrypted. My media directory is shared over NFS, my home directory files are shared over sshfs.
For backups I've got a few copies of the irreplaceable stuff. I have two external hard drives that I rotate periodically and back up to using rsnapshot. I have recently also started backing up to my linode VPS a
Only selected files (Score:2)
Only selected files that contain sensitive information.
Encrypted or obfuscated? (Score:5, Insightful)
What about on media that is nearly unreadable these days? I've got stuff on mag tape, punch cards, ST506 drives and SASI disks.
Moving to much greater encryption (Score:2)
I set up most of the computers I use now in a more innocent time. Right now I just encrypt my backup drives, but I plan to move to full-disk encryption on all my mobile computers. No plans to encrypt the home server or gaming PC yet.
Just the backup hard drive (Score:2)
on the theory that it's easier for that to grow legs. When this computer gets replaced by something that accelerates AES I may consider crypting the internal hard drive as well.
I have an unbreakable encryption (Score:5, Funny)
I store the one bits on one machine and the zeros on another.
Re: (Score:3, Funny)
Wow! Do you compress it?
Re:I have an unbreakable encryption (Score:5, Funny)
I use a similar scheme with compression and it thus takes only one machine; I write all the zeros to /dev/null. They are easily retrieved from /dev/zero
Re: (Score:2)
Muhuhuahaaahhhaha! Good Luck! Mahuahuahuaaaa!!
Re:I have an unbreakable encryption (Score:4, Funny)
Ahh, but once I figure out which is which, all your data will be mine! Hahahaha!
Hint: the ones are the long skinny things and the zeros are the round things with holes in their middles.
Re: (Score:3)
I store the one bits on one machine and the zeros on another.
Seems a great way to run a RAID system with only 2 drives. Incredibly efficient too, since you don't actually need to commit your writes (they always only contain zeros or ones). And if one disk fails, you replace it, do "dd if=/dev/zero of=/dev/sdd" on it for the '0' disk and you have restored all your data. Of course you have to remember which one holds the zeros and which one holds the ones, otherwise you are screwed.
Passwords and Financial Data (Score:3)
Nearly all of my personal documents are incredibly mundane, I have a KeePass database and a TrueCrypt file for my Banking and other financial docs that may contain vital personal info...
How do you do "All"? (Score:4, Interesting)
For the people that chose the "All!" option, aren't you afraid of losing a key and being unable to access all of your data? I'm quite afraid of encrypting backups already (encrypt in transit, keep it in trusted locations seems way more secure). I can't imagine how one sleeps at night knowing all their /home is encrypted.
(I've once lost the key of my laptop. No big deal, I have backups for that. But I don't have backups for the backups...)
Re: (Score:2)
What about corruptions? Those also suck and backups are important again.
Re: (Score:2)
Based on my experience with HDDs, I generally expect catastrophic failure rather than corruption so I'm no more or less screwed than you. There's no "master key" to everything, each disk can be opened individually with my passphrase. Which I remember. And short of brain damage I don't think I'll forget that and in that case I got bigger problems.
Since encryption is the topic (Score:2)
Re: (Score:3)
In previous versions of OS X (Pre 10.7), FileVault just encrypted home directories, that is the home folder was just an encrypted writeable disk image. The problem arose with the introduction of Time Machine in 10.5. Time Machine and FileVault did not work very well together because Time Machine would back up the whole home directory every time a file within it was changed. In Lion, with FileVault on, only the changed files are backed up with Time Machine.
If you want to just encrypt one folder tree, just ma
Re: (Score:2)
You can install encfs on the Mac too. There are even GUI add-ons available for it, though personally I don't use them.
Re: (Score:2)
Doesn't OS X have any filesystem-level encryption like ecryptfs or encfs on Linux? Seems like a weird oversight.
Yes it does and it is built in. But it is not supported for the boot partition.
As the parent to your post said, you can easily create encrypted disk images that grow as they are used which you can mount by double-clicking on it. OS X will then ask for the key before the image is mounted.
Backups! (Score:2)
All backups are encrypted, of course. Mostly because copies of them are stored elsewhere.
Other than that, nothing except some USB sticks with the most sensitive data. If I did a new install from scratch today I'd probably do a full disk encryption (just click another button in the Debian installer) but I'm too lazy to change my existing systems.
"local data"? That's sooo 20th century! (Score:4, Funny)
Anyone who's with it stores it all in the "cloud". No need for boring encryption: you know you can trust Carbonite.
Safer hard drive disposal. (Score:2)
I encrypt everything not because I'm paranoid or have anything super secret but because it is easier to dispose of old hard drives. When I replace a drive I simply throw the old one away. I don't have to spend any time wondering if there was anything on there I needed to wipe. I don't have to spend any time worrying about how to wipe a broken drive.
Re: (Score:2)
There's another, better way.
Pop the thing open, and jab a screwdriver through the discs. Maybe hammer them out of shape a bit, too. It's not exactly hard or particularly time consuming - about five minutes each.
That's the system the DoD and NSA use. They're predictably paranoid in assuming that anything they can do (or even think they'll be able to do), anyone else can do. If you want to protect your stuff from them (and you probably should), just use their own procedures.
Re: (Score:2)
I just use HDDErase followed up by DBAN and call it done. If anyone gets any data from it that is usable, they deserve to have it.
BFH Erase followed by DWOODCHIPPER has never failed me.
IronKey USB (Score:2)
I have an IronKey USB thingamajig from ThinkGeek that I stuff all mission-critical private data onto. Although, to view the data I need to decrypt it, and since just about every OS duplicates that data into unsecure swap space, it feels kinda pointless... but it makes me feel good anyway.
Re: (Score:2)
I have one of these. 4GB, supplied and mandated by Work (tm). I keep all work related and sensitive files on it.
Yes, it does you no good once it is plugged in and decrypted to expose the drive.. but then again how is that different from Truecrypt?
As the other responder said, the main purpose here is for when the device is lost. I've lost several tiny 4GB drives .. mostly because they were in my pocket without a leash.. but they were for casual file transport... and did not have anything important.
Work manda
/etc/shadow (Score:2)
It's encrypted and it's local. So I think a larger should have *technically* picked the 5th option.
Portion of home, plus backups and assorted other. (Score:2)
I don't encrypt my music, pictures, or movies folders, but do encrypt documents and non-"documents" application data folders. Plus all backups. If I had a system that could do full-disk encryption in hardware, rather than software, I'd use it.
Isn't the problem with encryption... (Score:2)
that if you have just one bit faulty in the entire encrypted volume, the entire thing becomes unusable?
Try making a quick TrueCrypt volume, and using a hex editor to change a byte. The whole thing is useless.
So if there's a failure in storage on your SSD or HD, everything's ruined. If it was not encrypted then you'd probably not even notice.
Re: (Score:2)
Not true, changing a bit only corrupts a TrueCrypt ciphertext block (128 bits). You only have to deal with corruption to the same extent you would have to with a normal filesystem, as long as you remember to make backup copies of the volume header (lose that and you can't mount the volume).
Re: (Score:2)
If that was true, then writing one bit of data would require re-writing the *entire* hard drive. Any encryption system where writing 1 byte takes less than ~5 hours will not corrupt the whole hard drive if one sector goes bad.
However... hard drives go bad all the time, so you need backups anyway! My drive can die any day, and I won't lose more than a couple hours' work.
Re: (Score:2)
For each block to fail independently, you must use an insecure block chaining algorithm. That stops being an issue if your blocks are big enough, but then, it is another case of reliability vs. confidentiality.
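The single-flipped-bit experiment from this sub-thread, as an added example that is not code from any of the commenters. It models a position-tweaked block mode in the style of XTS, the mode TrueCrypt uses since version 5.0; the 4-round Feistel permutation and the hash-derived tweak are stand-ins for AES and the real XTS tweak schedule (assumptions, not secure), and the key and volume bytes are constructed.

```python
import hashlib

BLOCK, SECTOR = 16, 512                 # 128-bit cipher blocks, 512-byte sectors
KEY = b"constructed demo key"           # constructed sample key
VOLUME = bytes(range(256)) * 8          # constructed 2048-byte "volume" (4 sectors)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _permute(key, block, decrypt=False):
    # Toy 4-round Feistel permutation standing in for AES. Not secure.
    l, r = block[:8], block[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r

def _tweak(key, sector, j):
    # Per-position tweak. Real XTS derives it with a second AES key and a
    # GF(2^128) multiplication; a hash of (sector, block index) stands in here.
    pos = sector.to_bytes(8, "little") + j.to_bytes(4, "little")
    return hashlib.sha256(b"tweak" + key + pos).digest()[:BLOCK]

def crypt_volume(key, data, decrypt=False):
    # XEX construction: out = P(in XOR T) XOR T, each block handled on its own.
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        t = _tweak(key, off // SECTOR, (off % SECTOR) // BLOCK)
        out += _xor(_permute(key, _xor(data[off:off + BLOCK], t), decrypt), t)
    return bytes(out)

def damaged_blocks(key, plaintext, byte_offset, bit=0):
    # Flip one ciphertext bit, decrypt, and list the plaintext blocks that changed.
    ct = bytearray(crypt_volume(key, plaintext))
    ct[byte_offset] ^= 1 << bit
    pt = crypt_volume(key, bytes(ct), decrypt=True)
    return [i // BLOCK for i in range(0, len(pt), BLOCK)
            if pt[i:i + BLOCK] != plaintext[i:i + BLOCK]]

if __name__ == "__main__":
    print("blocks damaged by one flipped bit:", damaged_blocks(KEY, VOLUME, 1000))
```

The flip at byte 1000 garbles only the 16-byte block that contains it. Equal plaintext blocks at different positions still encrypt differently, because the tweak depends on the sector and block index rather than on neighbouring ciphertext.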
Only What Is Needed (Score:2)
For what it's worth: I use TrueCrypt as it is cross-platform and I back up my whole containers to two off-site locations in another country. And to manage passwords I use KeePass and KeepassX.
Anything else, you inquisitive so-
Mac OS X Full Disk Encryption (Score:2)
I turned on the new full disk encryption feature for months and never noticed any real performance issues. Intel's hardware accelerated encryption is plenty fast enough to keep up with a hard drive's i/o speed.
But because the whole system is encrypted, it moves the login screen to before the system even starts booting, and that mini-os had a couple of bugs when switching from one monitor to another. So I turned it off last week. I'll turn it on again one day after they've ironed that stuff out.
Only the Porn (Score:2)
Key management? (Score:5, Insightful)
The difficult questions are:
- How do you manage your encryption keys?
- What is your procedure for changing them?
- How many bits of entropy does your key really have? Did you say you used AES-256?
Encryption is easy. Proper key management is hard.
Not just my home directory... (Score:2)
... i.e. /home/karellen, but the whole /home partition.
Well, to be more precise, I encrypt the /var partition, and /home is a bind mount to /var/local/home
Re: (Score:2)
Heh, expect to get detained for a looooooong time if you actually did something like that. (Actually, scratch that, they'd probably just send you back from whence you came.)
Re:...you'll have to beat it out of me: (Score:4, Funny)
...you'll have to beat it out of me...
I find your proposal acceptable
Re: (Score:2)
Only /etc/passwd. (are there other files with default encrypted content on a standard ubuntu box?)
/etc/shadow, actually. /etc/passwd doesn't normally contain passwords.
While not technically encrypted by default, Firefox's password database is usually encrypted. I have a few more files that contain access information for other things. I encrypt those.
But that's about it. None of my other files contain information that I consider sensitive. Given the choice between "nothing" (factually incorrect), and "a portion of my home directory" (highly misleading), I chose the misleading option.
Re: (Score:2)
Why bother, if you go through the effort of encrypting, when you get attacked by the FBI they will just point their guns at you and demand you give them the password.
Depends on what your threat model is. I use full disk encryption on things I regularly carry around. The main threat I am protecting against is the one I feel is most likely: accidentally misplacing the media, e.g. forgetting it somewhere. That way, I don't have to think afterwards what I had on the disk and how it will come to bite my ass.
If the police with a proper warrant, or robbers threatening with violence, want my password, I will give it to them. But I consider both cases rather unlikely.