Some encryption understanding

Upon install if you choose to apply encryption to the /home file system, all users on that system will need to have that pass-phrase in order to access their own directories.

When a user is added to the system and their account has the “Use Encrypted Home Directory” ticked under the details tab, it locks it down a size. The reason being it creates an username.img and username.key files int he /home directory and their /home is actually the img file. The encryption key is in the key file and is the same their user password.

In essence they get physical access to the default /home partition and thereby the default users data, all be it for the system file permissions, which would presumably block them that way.

In my mind this kind of defeats the point of the encryption in both scenarios. All users needing the pass-phrase is atrocious at best.

The presence of a key file allows easier access for a cracker to discover the seed used to create the key. Once the seed is discovered all the user keys would be vulnerable. Additionally, data recovery may be an issue. How often would a 1GB or larger file (the user.img) be able to pulled from a failing drive with success. I would rather be able to pull what I needed (especially since the last backup).

Some of you might be thinking it can take decades or even centuries to break this encryption. Problem is more basic than you realize: how many end users actually use good passwords?

A poor password, a dictionary brute force and you would not want to know how little time it could take to bring it all down.

All of this is a moot argument if you are a single user. Even in the watered-down Suse documentation the example is that of a laptop user. More than likely this is the actual situation the developers are looking at solving.

So why use encryption: possibly to archive data, protect sensitive data NOT located in user areas, if they know the pass-phrase it would accessible, etc.

An example application which may actually be of use:

You are a videographer, photographer, musician and you are working on a new project. You buy a shiny new terabyte drive mount it with the yast partitioner, encrypt it, then give your user ownership of it.

Your personal daily insensitive data resides in your /home/user the sensitive stuff is located in the /encrypted partition.

You could do this easier with nfs and network storage on a local file server I would think.

In any case this is not a conclusive post, just one I hope would help inform people looking at encryption for the first time.

I believe, file system encryption for end users is in its infancy at best and many more realistic situations would need to be considered before it would work in most every situation.

For now it appears to be best used on single user systems per the example provided in the docs.