[ale] Using eCryptFS to secure "at rest" data. How to mount at boot?

Jim Kinney jkinney at jimkinney.us
Tue Dec 9 18:21:12 EST 2014


On Tue, 2014-12-09 at 17:31 -0500, JD wrote:
> On 12/09/2014 03:20 PM, Raj Wurttemberg wrote:
> > I'm trying to find a way to use eCryptFS to secure the "at rest" data on a
> > server. 
> > 
> > I have ecryptfs installed and I understand how to encrypt a directory. What
> > I am missing, is how to mount the ecryptfs encrypted folder at boot (i.e.
> > fstab). 
> > 
> > I have been Googling for a few hours but everything I have found is how to
> > mount an encrypted home folder, which is not what I am looking to
> > accomplish.
> > 
> 
> Perhaps you want to create an encrypted partition and mount it?
> There are a few different ways to accomplish this depending on whether RAID
> and/or LVM are involved or not.  Additionally, if the entire OS is encrypted,
> things change slightly.  If boot is also encrypted, more changes.
> 
> Sadly, the steps are distro specific and some distros make it harder to add
> later than others.
> 
> For my limited needs, choosing encrypted installation during the install has
> been the easiest way.

+1 for just doing the encrypted filesystem from the distro. It satisfies
all the data encrypted at rest scenarios I've run against. Note that
performance in some things like Oracle will absolutely tank (factor of
10+ hit on speed) so using the Oracle-specific table-space encryption is
far better. Performance cost on encrypted partition hosting PostgreSQL
seems about on par with normal use of data in encrypted partition - a
hit but on the order of 1-2%. Maybe PG uses a better index layout that
works better in this case.
