3

I'm not talking about full disk hardware encryption. I'm talking about software encryption.

encrypting /home prevents your data after your laptop is stolen. As far as I understand, encrypting / and /boot is supposed to protect against running malware that steals your passwords (Evil Abigail). But that can only work when there is a fully secure and signed boot process (UEFI, bootloader, kernel). And (at least currently) it's not the case. So what protection does it give?

S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
piotrek
  • 269
  • 1
  • 8

1 Answers1

3

It prevents accidental leaks of private data that is copied around.

For example, if /tmp is on the / partition, files from your encrypted /home partition could be copied to the unencrypted /tmp, thereby making them accessible to an attacker.

By encrypting the entire system, you avoid this channel.

Simon Richter
  • 1,482
  • 11
  • 8
  • 1
    For the same reason the swap partition (if any) should also be encrypted. – billc.cn Jan 28 '16 at 13:51
  • but 'accidental leaks' is not a new vector attack that is prevented by that encryption. to rephrase question: what's the point of encrypting system binaries? – piotrek Jan 28 '16 at 21:14
  • An attacker reading your harddisk (e.g. at a checkpoint) would be able to tell whether you have services with known vulnerabilities installed, which could be exploited when you turn on the machine and open the encrypted `/home` container. – Simon Richter Jan 31 '16 at 15:10