Ubuntu's Encrypted Home Directory: A Canonical Approach to Data Privacy (linux-mag.com)
31 points by linuxmag on Oct 22, 2009 | 14 comments



I hate to be trendy when it comes to security, but home directory encryption makes "Evil Maid"-type attacks much easier. If I have 5 minutes with your laptop, I can replace/backdoor any system binaries you rely on and give the device back to you. It's much safer to encrypt everything, even after you know that someone crazy like Joanna can come by and backdoor your MBR. http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goe...


tptacek put it best,

"The reality is, nobody is going to physically attack your laptop (just don't bring your work machine to Black Hat). But there is an unacceptably high probability that your laptop will get stolen; for instance, you will often leave it in your car, where anyone with a cinderblock can get it in under a minute.

[Encrypted home directories are] about the guy with the cinderblock, not about stopping Joanna Rutkowska from installing a keylogger."

http://news.ycombinator.com/item?id=885291


Yes, evil maid is still possible. It does not however trump the basic use case: lost or stolen laptop. In those simple and common cases, the homedir data remains safe. For now, the hassle of a fully encrypted drive is greater than the benefit of protection from doing so, particularly when the MBR type attacks you mention don't remove the evil maid vulnerabilities.


One downside of encrypting everything is that you're providing attackers with a very large body of known plaintext.


One upside of spending millions of dollars on cryptography research is that this is unlikely to help even the most able of your adversaries.

Also, the NSA does not really want to see your porn stash. They captured it as it was being downloaded.


The biggest gotcha that I see is restoring backups. According to the article, for that you need to have the actual long passphrase used internally, and not your regular password. So when you're in trouble you need to come up with a critical piece of information that you never use and probably don't know. That's going to bite more than a few people at a bad time.

Otherwise it looks excellent.


RE the long passphrase: Need to write it down and put it in the safe deposit box at the bank. But not too many people do that (I don't think). I know I didn't do it. And now that you mention it, I can't remember my long passphrase. Crap.
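The two comments above turn on a distinction the article only states in passing: the login password never encrypts files. It only unwraps a long, random mount passphrase, and the per-file keys derive from that. The following is an added model of that design (illustration only, written for this thread; it is not eCryptfs's real on-disk format, and the HMAC-counter toy cipher, PBKDF2 rounds, file names and password are constructed). It shows why a backup of the encrypted files restored on another machine needs the mount passphrase itself and cannot be opened with the login password.

```python
"""Model of the wrapped-passphrase design behind an encrypted home.

Added illustration, not eCryptfs's actual format. Two secrets exist:
  * the login password, which only unwraps the mount passphrase stored on
    the original machine (eCryptfs keeps it in ~/.ecryptfs/wrapped-passphrase);
  * the long random mount passphrase, from which the file key derives.
A backup normally contains only the encrypted files, so restoring it
elsewhere requires the mount passphrase, not the login password.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed parameter for the model


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy cipher, model only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, so a wrong key is detected."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return _keystream_xor(key, nonce, ct)


def create_mount_passphrase() -> str:
    """The long random passphrase users are told to write down (32 hex chars here)."""
    return os.urandom(16).hex()


def wrap_passphrase(mount_passphrase: str, login_password: str, salt: bytes) -> bytes:
    """Contents of the wrapped-passphrase file: mount passphrase under the login password."""
    wrap_key = hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, PBKDF2_ROUNDS)
    return _seal(wrap_key, mount_passphrase.encode())


def unwrap_passphrase(wrapped: bytes, login_password: str, salt: bytes) -> str:
    wrap_key = hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, PBKDF2_ROUNDS)
    return _open(wrap_key, wrapped).decode()


def file_key(mount_passphrase: str) -> bytes:
    """The file-encryption key depends on the mount passphrase only."""
    return hashlib.sha256(b"file-key:" + mount_passphrase.encode()).digest()


def encrypt_file(mount_passphrase: str, content: bytes) -> bytes:
    return _seal(file_key(mount_passphrase), content)


def decrypt_file(mount_passphrase: str, blob: bytes) -> bytes:
    return _open(file_key(mount_passphrase), blob)


def demo() -> dict:
    """Walk through daily use, a wrong login password, and a restore on another machine."""
    login_password = "correct horse"  # constructed sample
    salt = os.urandom(16)
    mount_passphrase = create_mount_passphrase()
    wrapped = wrap_passphrase(mount_passphrase, login_password, salt)  # stays on the original box
    content = b"tax-return.pdf contents"  # constructed sample
    blob = encrypt_file(mount_passphrase, content)  # this is all the backup contains

    daily = decrypt_file(unwrap_passphrase(wrapped, login_password, salt), blob)
    try:
        unwrap_passphrase(wrapped, "wrong password", salt)
        wrong_login_unwraps = True
    except ValueError:
        wrong_login_unwraps = False
    try:  # restore elsewhere with only the blob and the login password
        decrypt_file(login_password, blob)
        login_password_restores = True
    except ValueError:
        login_password_restores = False
    restored = decrypt_file(mount_passphrase, blob)  # the written-down passphrase works
    return {"daily": daily, "wrong_login_unwraps": wrong_login_unwraps,
            "login_password_restores": login_password_restores, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

On a real Ubuntu system the equivalent of `unwrap_passphrase` is the `ecryptfs-unwrap-passphrase` tool from ecryptfs-utils, which prints the mount passphrase after the login password is entered; running it once while the account still works, and storing the output somewhere safe, is what makes a later restore possible.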


Another gotcha would be that it would be difficult to rescue, since the Ubuntu LiveCD doesn't have that app by default and I don't know of any LiveCDs that do.


If the live disc doesn't have that "app", then how can it possibly set up home directory encryption during the installation process?


I saw that they used apt to install it, so I would imagine that it doesn't have it installed by default. Also, not all LiveCDs would have it, so you would have to depend on the Ubuntu LiveCD.


Somehow this was enabled on my Jaunty install at work. Things I found out a couple of days ago (when I ran into probs):

* SSH keys have caveats with this setup.

* You need to login at least once (locally, SSH, etc.) because it needs your system password to mount the ecryptfs on your home directory. So you can still use the benefits of SSH keys if you need to login to the same machine with the same user account multiple times. You'll just need to use the system password the first time.

* If you only need to access something outside of your encrypted home, you can create a ~/.ssh directory in the unmounted home directory and cat your public key there. (Your login will have an empty home directory unless you manually mount eCryptfs.)

* Because the mounting can happen in a PAM module, this is leaps and bounds ahead of Apple (at least a couple of years ago). My experience with FileVault was that you needed to login through the GUI to get a mounted home directory. SSH logins were a no go (except for an empty home dir).
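The comment above describes the two views of an encrypted home: until the private directory is mounted, sshd reads ~/.ssh/authorized_keys from the unmounted home, and once it is mounted that directory is shadowed, so a key needs to be present in both views. The helpers below are an added illustration for this thread (not part of ecryptfs-utils or of the comment): they parse a /proc/mounts listing to tell whether a home is currently an ecryptfs mount and from which lower directory, and add a public key to an authorized_keys file idempotently with the permissions sshd insists on. The mounts listing, user name, signatures and key text are constructed samples.

```python
"""Helpers for the SSH-key caveat with an ecryptfs-mounted home.

Added illustration, not project code. An ecryptfs home shows up in
/proc/mounts as:  <lower dir> <home> ecryptfs <options> 0 0
Until it is mounted, sshd sees the unmounted home, so an authorized_keys
file there is what admits key-based logins before the first password login.
"""
import os
import re
import sys

# Constructed sample of /proc/mounts; the ecryptfs signatures are placeholders.
SAMPLE_MOUNTS = r"""/dev/sda1 / ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/dev/sdb1 /mnt/my\040usb vfat rw,relatime 0 0
"""


def unescape_mount_field(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal escapes (\\040 ...)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list:
    """Parse the first four fields of each /proc/mounts line into dicts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        mounts.append({
            "source": unescape_mount_field(parts[0]),
            "target": unescape_mount_field(parts[1]),
            "fstype": parts[2],
            "options": parts[3].split(","),
        })
    return mounts


def ecryptfs_home_status(mounts_text: str, home: str) -> dict:
    """Report whether `home` currently has an ecryptfs mount on top of it."""
    home = os.path.normpath(home)
    for m in parse_mounts(mounts_text):
        if m["fstype"] == "ecryptfs" and os.path.normpath(m["target"]) == home:
            return {"mounted": True, "lower_dir": m["source"], "options": m["options"]}
    return {"mounted": False, "lower_dir": None, "options": []}


def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Add one public-key line to home/.ssh/authorized_keys if it is not already there.

    Sets the 0700/0600 modes sshd requires (it ignores group/world-writable files).
    Run it once against the unmounted home and once after mounting the private
    home, since the two directories are different views. Returns True if added.
    """
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    key = pubkey_line.strip()
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [l.strip() for l in f if l.strip()]
    if key in existing:
        return False
    with open(path, "a") as f:
        f.write(key + "\n")
    os.chmod(path, 0o600)
    return True


if __name__ == "__main__":
    # Live use: report on the current user's home, or on the sample if not on Linux.
    try:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    except OSError:
        mounts_text = SAMPLE_MOUNTS
    home = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    print(ecryptfs_home_status(mounts_text, home))
```

The status check is the part to run first: if `mounted` is false, whatever you write to ~/.ssh lands in the unmounted home and stays visible only to logins that have not yet mounted the private directory, which is exactly the state the comment describes for a key-only SSH session. Only the public key belongs there; the private home still needs the password (or `ecryptfs-mount-private`) before anything encrypted is readable.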


They compare this to OSX FileVault in the article, so I thought I'd share this: I've been explicitly told by an Apple-approved technician that they don't recommend FileVault. The process of dynamically resizing the encrypted partition on the fly leads to a higher number of filesystem errors, many of which are non-recoverable.


The eCryptfs layered file system approach also eliminates the need for a dedicated partition, sparse file, or preallocated disk space for the encrypted data. eCryptfs files are written to the administrator’s chosen underlying file system with the total disk capacity available. Since each encrypted file is written to disk as an atomic unit, users can perform per-file incremental encrypted backups to remote storage – something that is impractical and dangerous with block device encryption solutions.


On that tangent, if you're an OS X user and like myself you can't quite muster the faith to use FileVault for your home folder, Disk Utility (or hdiutil at the terminal prompt) will allow you to create encrypted disk images to stash your sensitive stuff in.
