On Mon, Mar 21, 2011 at 08:51:27PM -0700, Todd A. Jacobs wrote:
> Generally, my advice is to use dm-crypt for block devices (like
> encrypting an entire /home partition that root plans to mount at
> bootup), and encfs for encrypting individual directories other than
> $HOME. YMMV.

I've been using the dm-crypt approach for a while, but the limitations
of it have encouraged me to plan a migration to ecryptfs.

 * If you mount via root/boot time, you must supply the passphrase at
   boot, which stops unattended/automated restarts or boot-ups.
 * As a user, you must supply at least two passphrases (dm-crypt, and
   login).

You can solve the latter by moving to login-time mounting via
libpam-mount. This generally works very well, but

 * fsck is totally invisible if you log in via an X display manager,
   so the occasional login will take 5-10 minutes longer than expected
   for a large filesystem
 * mounting is done serially, so if you have more than one encrypted
   filesystem (I have nearly a dozen, which is a mistake) login takes
   a long time every time

With ecryptfs, I can have a file-level backup solution work on the
backing files, not require an active login or mounted FS, and do
replication to other nodes/sites without privacy concerns.

--
Jon Dowland