Paranoia

I usually keep an ssh session open to my server at home, so I can check in on e-mail and such during the day, and every once in a while the connection breaks and I can’t get back in. My mind instantly starts conjuring up scenarios in which my server is being stolen, or the apartment is burning to the ground, or hackers have locked me out of my own systems, but after quickly popping back home over lunch to check on it, it’s inevitably just a cable connection problem, hardware crash, or power outage (today’s culprit).

But what if my systems really had been stolen?

Besides the obvious material loss, there’s also the matter of the information contained on the systems. Anyone who nabs my XP box, for example, will instantly have access to a saved position where my team has a good crossfire set up for knocking off the Pinstripe mob boss in one level of Freedom Force…

Of slightly higher importance are the other records I keep on them. Receipts from online orders and my Quicken database, with secret financial information. Private contact information for people I know. Passwords recorded in text files, thanks to half the sites out there wanting you to set up a local account, and especially those for important sites like your online banking, Paypal, eBay, etc. Cached application information that may reveal other secret or embarrassing details about me. And other identifying information that could potentially be used to perpetrate fraud or identity theft.

So, what can you do to protect this information even when the machine itself is stolen? The obvious answer is cryptography; they may have the data, but it doesn’t do any good if they can’t read it. The real question is, how do you implement it?

Linux provides a nice solution in the form of the ‘cryptoloop’ module, which lets you layer encryption on top of any arbitrary block device to create an encrypted block device, and then you can put a filesystem on top of that. If you don’t know the pass phrase, the loopback device will look like it contains random garbage, so you can’t mount the filesystem and get at any of the data in it. There is a downside though, in that it can introduce a significant slowdown, since encryption is computationally heavy. Not only does it encrypt and decrypt your private data, but it does so for all the usual OS and application files too, slowing everything down.

Instead you could limit the scope of the encryption to just those areas that need it. Install the OS onto a plain old unencrypted filesystem, create a large file, attach it via the encrypted loopback, put a filesystem on it, and mount it as /home; now just your own data in your home directories will be encrypted. However, the growth of your home directory is now limited by however large you made that file: too small and you’ll run out of room in your home directory even though you have free space elsewhere, too large and you may run out of space for OS upgrades, new applications, and other data files. I, for example, keep all of my MP3s, videos, and pics outside of my home directory, so I have no idea what a fair home/non-home ratio of space would be.

In this case the ability to selectively encrypt some sections within a filesystem would probably be best, but unfortunately that’s not available right now. Maybe in the future with Reiser4… (OS X has the File Vault in Panther, but I’m not sure into which of these categories it falls. I’ll have to tinker a bit.)

It’s not just the file data either. Some private data will certainly be held in memory temporarily and will potentially be swapped to disk at some point, so even though your passwords are encrypted in the filesystem, they could still be present in plaintext in the swap file or partition. Again, you can make the swap area an encrypted block device, and in this case it’s even easy to use. Swap data isn’t persistent between boots anyway, so you can just randomly generate a key and reinitialize the swap area each time you boot without having to prompt the user. And again, there’s going to be a performance penalty, though hopefully you’re not going too heavily into swap to begin with…
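As an added example (not from the original post), here is the same layout done with dm-crypt/cryptsetup, the kernel mechanism that replaced cryptoloop: a LUKS container kept in a regular file for /home, the steps to grow that container later (which addresses the fixed-size worry above), and swap keyed from /dev/urandom at every boot. It assumes cryptsetup and e2fsprogs are installed and that the init system honours /etc/crypttab; the paths, sizes and the `chome`/`cswap` mapper names are placeholders. Each function prints the commands it would run, so the plan can be reviewed before being executed as root.

```shell
#!/bin/sh
# Added example: file-backed encrypted /home and random-key encrypted swap
# with dm-crypt/cryptsetup (successor of cryptoloop). Paths are placeholders.
set -eu

# Plan for a LUKS container held in a regular file and mounted as /home.
# $1 = container path, $2 = size (e.g. 20G), $3 = device-mapper name
home_plan() {
  img=$1; size=$2; name=$3
  cat <<EOF
fallocate -l $size $img
chmod 600 $img
cryptsetup luksFormat --type luks2 $img
cryptsetup open $img $name
mkfs.ext4 /dev/mapper/$name
mount /dev/mapper/$name /home
EOF
}

# The container is not frozen at its initial size: grow the file, tell
# dm-crypt about the new size, then grow the ext4 filesystem (online).
# $1 = container path, $2 = mapper name, $3 = new total size
grow_plan() {
  img=$1; name=$2; size=$3
  cat <<EOF
truncate -s $size $img
cryptsetup resize $name
resize2fs /dev/mapper/$name
EOF
}

# Swap keyed from /dev/urandom: a fresh key every boot, no passphrase
# prompt, and nothing in swap survives a reboot. $1 = swap partition.
swap_crypttab() {
  printf 'cswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1"
}
swap_fstab() {
  printf '/dev/mapper/cswap none swap sw 0 0\n'
}

# Execute a plan for real (needs root). While /home is mounted the data is
# plaintext to anyone who can act as your user, exactly as the post notes.
run_plan() { "$@" | sh -e; }

if [ "${1:-}" = "apply" ]; then
  run_plan home_plan /crypt/home.img 20G chome
  swap_crypttab /dev/sda3 >> /etc/crypttab
  swap_fstab >> /etc/fstab
fi
```

Run the script with no argument to see nothing happen, call the functions to print a plan, or pass `apply` as root to carry it out.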

But there’s not just physical theft to worry about, there’s also plain old intrusion by hackers. Having an encrypted block device doesn’t do any good if someone can hack into your user account and just read the data off of the live, mounted filesystem anyway, regardless of any lower level encryption. Perhaps instead we need a ‘wallet’ encrypted area, opened only when you directly need to access something in it and closed immediately after so that it’s not visible as live data all the time. But then you need to remember to keep truly private data specially separated from the rest, and it may not integrate cleanly into most programs. And since you’re opening it a lot more often, hackers could simply snoop your pass phrase.

So what if…oh hell, this could go on forever. In the end you simply have to weigh your paranoia about what you fear might happen to your data against how much effort you’re willing to put in to protect it, and figure out where on this scale of solutions you fit in. The worst-case scenario of how your life could be completely ruined has to be tempered against the fact that people are lazy and hardly anybody really cares about you and your data. There doesn’t appear to be any truly bulletproof solution, so just figure out where you best fit.

(Currently I’m keeping a separate ‘wallet’-like encrypted section, but I’m awful at leaving other ‘secret’ stuff scattered around the regular filesystem too, and leaving it mounted all the time, so I’m trying to think of a better solution, which helped prompt this article.)

One thought on “Paranoia”

  1. Speaking as someone who, I’ll bet my life, is more paranoid than you, I can honestly say I think I’ve learned how to keep my balances in check — the balances you mention between paranoia and secure computing.

    Having a really awful short-term memory, I tend to record more information than I should, but I’ve learned to deal with it in such a way that even if the worst happens (physical theft, in my case), anything uncovered would be of minimal use; probably mostly useless, as I keep absolutely no financial information whatsoever in electronic format. That’s not terribly smart of me, but it is kinda safe at the moment.

    As for condemning info… Well… Mine’s all public knowledge. The world knows what a stunned monkey I am. ;-)

    Come to think of it, the only real sensitive info on this machine is a list of passwords to job sites and consulting firms my resume is part of. Maybe I’m dense, but I don’t see that as being too big a deal, when I think of some of the things I could have on here…

    Ah, well. Perhaps it’s time you and I partook of a mountain of beverages, and commiserated on how we didn’t have all these problems back in the old country.
