windows - Is auto-logon on laptop with encrypted hard drive secure?

2014-07
  • Tobias Diez

    I have the complete HDD of my laptop encrypted (with the Windows built-in BitLocker) and thus have to log in twice upon booting (BitLocker and user account).

    Since I'm the only person using the computer (and knowing the BitLocker password), I was thinking about automatically logging into the user account to make the boot process smoother and quicker. In which cases/scenarios is this a bad idea and the additional login gives a true additional layer of security?

  • Answers
  • Kirk Logan

    Local Windows accounts have never really been that secure in the first place. If someone is physically at your PC and is determined to nab your data, the Windows password is going to be the easiest step in that process to complete.

    Windows password = deterrent for the average user.

    I don't consider it a true additional layer of security in most scenarios.

    All that being said, the choice is up to you, but you're better off thinking of the Windows password as a deterrent than as another true layer of security. IMO.
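
As an added check (an editor's example, not part of Kirk Logan's answer or of the original page), the following PowerShell script audits both layers the question is about on the machine it runs on: whether auto-logon is configured and whether its password sits in clear text in the registry, and which key protector unlocks each BitLocker volume. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated prompt, and the documented Winlogon registry values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword); the classification of "pre-boot secret" protector types at the end is the editor's, not Microsoft's.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# on Windows 8 / Server 2012 or later (needs the BitLocker module).

# --- Layer 1: the Windows logon -------------------------------------------
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonKey

# AutoAdminLogon is a REG_SZ holding "1" when auto-logon is on.
$autoLogon = ($wl.AutoAdminLogon -eq '1')

# A DefaultPassword value in this key is stored in clear text. Sysinternals
# Autologon stores the password as an LSA secret instead, so the value is
# absent there even though auto-logon is on.
$plainTextPassword = -not [string]::IsNullOrEmpty($wl.DefaultPassword)

"Auto-logon enabled       : $autoLogon"
if ($autoLogon) {
    "Auto-logon account       : $($wl.DefaultDomainName)\$($wl.DefaultUserName)"
    "Password in clear text   : $plainTextPassword (registry DefaultPassword)"
}

# --- Layer 2: BitLocker ----------------------------------------------------
$volumes = Get-BitLockerVolume
foreach ($vol in $volumes) {
    $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    "{0,-4} {1,-16} {2,-16} {3,-4} protectors: {4}" -f $vol.MountPoint, $vol.VolumeType,
        $vol.VolumeStatus, $vol.ProtectionStatus, $protectors
}

# --- Verdict for the OS volume --------------------------------------------
# Editor's classification: these protector types require something the thief
# does not have before the OS volume unlocks. A bare 'Tpm' protector does not;
# it releases the key to any boot of the unmodified OS.
$preBootSecretTypes = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password'

$os = $volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if ($null -eq $os -or $os.ProtectionStatus -ne 'On') {
    Write-Warning 'The OS volume is not protected by BitLocker; auto-logon gives a thief the desktop outright.'
}
elseif ($autoLogon) {
    $hasPreBootSecret = $os.KeyProtector | Where-Object { $_.KeyProtectorType -in $preBootSecretTypes }
    if (-not $hasPreBootSecret) {
        Write-Warning 'Auto-logon is on and BitLocker unlocks on the TPM alone: no secret stands between a stolen laptop and an unlocked desktop.'
    }
    else {
        'Auto-logon is on, but a pre-boot BitLocker secret is still required; the Windows password was the weaker of the two layers anyway.'
    }
}
```

Read together with the answer above: once the OS volume is unlocked, the auto-logon password is recoverable from the registry (or from the LSA secret) anyway, so the Windows password adds little. The case that matters is the one the last warning catches: a BitLocker configuration that unlocks on the TPM alone, with no pre-boot PIN, startup key or password. There, auto-logon means a stolen laptop boots straight to an unlocked desktop. The asker's setup, with a BitLocker password typed before Windows starts, is not that case.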


  • Related Question

    Linux laptop encryption
  • kaerast

    What are my options for encrypting the /home directories of my Ubuntu laptops? They are currently set up without any encryption, and some have /home as a separate partition whilst others don't. Most of these laptops are single-user standalone laptops which are out on the road a lot.

    Are ecryptfs and the encrypted Private directory good enough, or are there better, more secure options? If somebody got hold of the laptop, how easy would it be for them to gain access to the encrypted files?

    Similar questions for encrypted LVM, TrueCrypt and any other solution I may not be aware of.


  • Related Answers
  • kaerast

    The options available are encrypting a Private directory within each user's home directory using ecryptfs, using TrueCrypt, or using LUKS and dm-crypt. Each of these has its benefits and drawbacks.

    Using ecryptfs and a Private directory is easy to set up after system installation on a per-user basis, but it's not enabled by default most of the time, and it won't protect anything written outside of that Private directory (including /tmp, /var and swap). One of the major drawbacks is that it does nothing to encrypt the filenames being used, so people who gain access can see the names of the files, just not what they contain. There is also some concern that if the same login and ecryptfs password is being used, then the weak point is the login password, which can be fairly quick to crack.

    TrueCrypt is cross-platform, meaning you can create encrypted partitions that are readable in both Linux and Windows. It also offers plausible deniability. However, it's not terribly easy to set up and use; the GUI is pretty scary if you don't know what you're doing.

    LUKS and an encrypted LVM is the best way of ensuring everything is nicely encrypted. The main downside is that you can't really go back and add it after installation, and you need the server or advanced install CD in order to enable it. Given that 10.04 LTS is coming up in the next month or so, my preferred option is to wait a few months and then do clean installs of that with encrypted LVM partitions.

  • Fred

    I've heard good things about TrueCrypt, and it does run on Linux. TrueCrypt even provides plausible deniability for devices and partitions other than file-hosted partitions. TrueCrypt has been around a while, so I'd believe that it is pretty solid. I know you take backups, but make sure to secure the unencrypted backups!