------------------------------------------------------------------------------- Home Directory Encryption While encrypting a home on a single user machine is quite practical, anything beyond this will start to have problems. Basically there are parts of a home directory that need to remain unencrypted even while the user is not logged in. For example: * Remote Publickey SSH logins *** BIGGEST PROBLEM *** * Personal Web Page publication (not as big a problem these days) * Mail forwarding * parts being used for regular cron jobs All these can have problems if the home is fully encrypted while the user is not logged in. If these aspects are not a concern then there is no problem regardless of how the encryption is done. Full Disk Encryption can work, as the home directory is decrypted and available while machine is running, from boot. But it will be unencrypted while the machine is running, even while the user is not logged in or around. ------------------------------------------------------------------------------- SSH Public Keys... A general solution is to move the location of ssh publickeys out of the home. The "sshd" configuration allows you to specify where the keys are located. For example add something like this to "/etc/ssh/sshd.config"... AuthorizedKeysFile /etc/ssh/authorised_keys/%u Will let you place public identity of machines allowed to login in that directory under the users login name. Note this only lets them login, the home directory will still need to be mounted which means a password (from some source) will still be required. ------------------------------------------------------------------------------- More general... 1/ Encrypted and Unencrypted home directories.... One solution posted by Joe Pfeiffer in the EncFS mail list, is to have 3 directories. The EncFS home directory /home/enc/$USER A unencrypted files home /home/unenc/$USER And the actual working home /home/$USER When user logs in the EncFS home is overlayed onto the users working home. The working home and decrypted EncFS homes both contains symbolic links to the unencrypted files in the "unenc" home directory. This allows you to set up pam-mount scripts that auto-decrypt the users home on login using the users login password. However without some automation keeping the symbolic links to 'unenc' correct in BOTH normal home and the decrypted 'enc' overlay, can be a pain. Basically while the encrypted home is not mounted (user not logged in) the symbolic links into the unencrypted 'unenc' need to be updated. That is best done on logout to update any changes to the 'unenv' is remapped appropriatally. 2/ Copy files for unencrypted home out This is simular but rather than symbolic links it copies the files to be in the exact location, under the users home. # copy your .ssh folder mkdir /tmp/mine chmod 700 /tmp/mine mkdir /tmp/mine/.ssh chmod 700 /tmp/mine/.ssh cp ~/.ssh/authorized_keys /tmp/mine/.ssh/ cd /tmp/mine # unmount your encrypted home drive /sbin/umount.ecryptfs_private # copy your ssh folder to the place ssh will actually look for cp -r .ssh ~ # be sure to remove it again from /tmp rm /tmp/mine/ -rf This makes it harder to update as the 'unencrypted' home is not visible while the encrypted home is mounted. Also the data is now stored in multiple locations, so can lead to de-sync. It may not be easilly automated. -------------------------------------------------------------------------------