Encrypted Lock Screens?











up vote
6
down vote

favorite












I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?










share|improve this question


























    up vote
    6
    down vote

    favorite












    I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?










    share|improve this question
























      up vote
      6
      down vote

      favorite









      up vote
      6
      down vote

      favorite











      I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?










      share|improve this question













      I really like the disk encryption to secure my funds, but my problem is I practically never have my computer off. I live a very busy life and shutting it down totally every night is entirely impractical, so at most I typically suspend/lock it. I have my suspicions that this lock screen does very little against an attacker that might have the computer in their hands. Am I right? Is having disk encryption pointless if I never turn off my computer? Is there any software that can enable lock-screen encryption?







      security encryption






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 27 '14 at 5:59









      user262494

      311




      311






















          4 Answers
          4






          active

          oldest

          votes

















          up vote
          1
          down vote













          I thought the same thing, which is how I found your question.



          But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



          So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






          share|improve this answer




























            up vote
            0
            down vote













            Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



            It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



            Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



            Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



            Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






            share|improve this answer






























              up vote
              0
              down vote













              Let me answer the question first and then propose an option for encryption at the lock screen.



              You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



              Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



              A lock screen encryption option:

              If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

              This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



              #-------------------- Setup --------------------#
              dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
              # container size. This command creates
              # a sparse file that will grow
              sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
              sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
              sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
              sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

              #--------------------- Usage ---------------------#
              sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
              sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

              sudo umount /dev/mapper/enc-fc # umount decrypted container
              sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container





              share|improve this answer






























                up vote
                -1
                down vote













                I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.






                share|improve this answer

















                • 1




                  I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                  – user262494
                  Mar 27 '14 at 6:42













                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "89"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });














                 

                draft saved


                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f439782%2fencrypted-lock-screens%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                4 Answers
                4






                active

                oldest

                votes








                4 Answers
                4






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes








                up vote
                1
                down vote













                I thought the same thing, which is how I found your question.



                But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                share|improve this answer

























                  up vote
                  1
                  down vote













                  I thought the same thing, which is how I found your question.



                  But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                  So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                  share|improve this answer























                    up vote
                    1
                    down vote










                    up vote
                    1
                    down vote









                    I thought the same thing, which is how I found your question.



                    But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                    So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.






                    share|improve this answer












                    I thought the same thing, which is how I found your question.



                    But then I realized, programs cannot really keep running if all the data (including their own code) is suddenly encrypted. And data might be in RAM anyway if programs are running.



                    So the only way to encrypt things is if all programs stop running, which doesn't happen when locking.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jun 10 '17 at 9:04









                    Mark

                    20618




                    20618
























                        up vote
                        0
                        down vote













                        Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                        It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                        Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                        Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                        Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                        Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                        share|improve this answer



























                          up vote
                          0
                          down vote













                          Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                          It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                          Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                          Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                          Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                          Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                          share|improve this answer

























                            up vote
                            0
                            down vote










                            up vote
                            0
                            down vote









                            Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                            It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                            Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                            Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                            Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.






                            share|improve this answer














                            Full disk encryption is a great security measure, but it is seen as a ways of preventing physical access to the machine's data. Before disk encryption, physical access to a HDD was all it took to gain access to data. When you are able to take out the HDD, you can use any other system to look at the data, so you can't think of it as secure just because someone doesn't know your root password.



                            It is completely possible to have an encrypted system that has suspend-to-disk support. This, in combination of ensuring that your RAM and any swap is kept secure, is an imperfect method to keep you safer in your situation.



                            Once you've helped to secure against physical threats, you have to then take a look at how the system itself is vulnerable. By connecting your machine to the Internet, you are exposing it to potential problems. If you're serious enough, you should consider using an encrypted, 'cold-storage' system, where you limit the connectivity, or only interact via thumb drive or serial port.



                            Other options are to add additional layers of encryption to your data, and only keep that data unlocked while it's in use. The point is to take advantage of keeping the data encrypted as long as possible, and only decrypt when needed, and not to suggest excessive use of multiple/cascade encryption. This would mean that any adversary having access to the system would need to take time to decrypt the data. Unless, of course, you leave the data unlocked, or leave they key somewhere accessible. Additionally, there are many ways to hide data in data, and utilize one-time pads, to better secure information.



                            Even by encrypting and not leaving the keys available for individual datasets, someone with enough time and access could eventually unlock the data. For something such as passwords, this can be mitigated by changing the passwords frequently, and re-encrypting the dataset with a new key at that time. For something that needs to be kept secret over a longer period of time, and you have a physically secure location, a simple solution may be to store encrypted data on a thumb drive that you only connected to the machine when needed, and then place the drive in a safe.



                            Certificate Authorities who provide proper key storage provide good examples of how to secure data in situations that require a mixture of security and practicality of use.







                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited May 12 at 18:42

























                            answered May 12 at 18:36









                            earthmeLon

                            6,1461648




                            6,1461648






















                                up vote
                                0
                                down vote













                                Let me answer the question first and then propose an option for encryption at the lock screen.



                                You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



                                Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



                                A lock screen encryption option:

                                If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

                                This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



                                #-------------------- Setup --------------------#
                                dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
                                # container size. This command creates
                                # a sparse file that will grow
                                sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
                                sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
                                sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

                                #--------------------- Usage ---------------------#
                                sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

                                sudo umount /dev/mapper/enc-fc # umount decrypted container
                                sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container





                                share|improve this answer



























                                  up vote
                                  0
                                  down vote













                                  Let me answer the question first and then propose an option for encryption at the lock screen.



                                  You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



                                  Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



                                  A lock screen encryption option:

                                  If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

                                  This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



                                  #-------------------- Setup --------------------#
                                  dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
                                  # container size. This command creates
                                  # a sparse file that will grow
                                  sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
                                  sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                  sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
                                  sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

                                  #--------------------- Usage ---------------------#
                                  sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                  sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

                                  sudo umount /dev/mapper/enc-fc # umount decrypted container
                                  sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container





                                  share|improve this answer

























                                    up vote
                                    0
                                    down vote










                                    up vote
                                    0
                                    down vote









                                    Let me answer the question first and then propose an option for encryption at the lock screen.



                                    You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



                                    Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



                                    A lock screen encryption option:

                                    If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

                                    This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



                                    #-------------------- Setup --------------------#
                                    dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
                                    # container size. This command creates
                                    # a sparse file that will grow
                                    sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
                                    sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                    sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
                                    sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

                                    #--------------------- Usage ---------------------#
                                    sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                    sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

                                    sudo umount /dev/mapper/enc-fc # umount decrypted container
                                    sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container





                                    share|improve this answer














                                    Let me answer the question first and then propose an option for encryption at the lock screen.



                                    You are correct in saying that your data is not encrypted when the lock screen is visible. If you're using full-disk encryption (FDE), your data is decrypted at boot time before the login screen is shown and remains decrypted until the system is powered down. If you, like the OP, used home directory encryption, your data is decrypted when you log into your account and remains encrypted until you log out of your account which can happen during logoff or shutdown. The fact that your data is decrypted when you are logged in does not make encryption pointless. If someone gains physical access to your computer, the only way around your login screen is to enter your current password, or reboot the system and modify some files. If they reboot, your system (FDE) or user files (home directory encryption) will be in an encrypted state, offering you protection from disclosure. There is no backdoor that I am aware of that would allow someone sitting at your keyboard to bypass the lockscreen unless they already had some form of remote control.



                                    Now, in the event that your system has been compromised and a backdoor has been created providing an attacker remote access, your system will be vulnerable any time your system or files are decrypted. No amount of encryption will help you in this case. Your only solutions to protect your files are to 1) take them and the system offline, and 2) remove the malware.



                                    A lock screen encryption option:

                                    If you would like to be able to encrypt your files whenever you lock your screen, you are still not without options. You could create an encrypted file container, keep your sensitive files in that container. Then you can either manually lock the file container before locking your screen or write a simple script that would lock the file container and then lock the screen. In this way, your files could be encrypted even while your system is in a running state. All you would need to do is decrypt the file container when you want to use it.

                                    This can all be accomplished with VeraCrypt, or if you, like I, would prefer to use LUKS...



                                    #-------------------- Setup --------------------#
                                    dd of=~/encrypted-fc count=0 seek=1 bs=1G # bs should reflect maximum desired
                                    # container size. This command creates
                                    # a sparse file that will grow
                                    sudo cryptsetup luksFormat ~/encrypted-fc # set up file container encryption
                                    sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                    sudo mkfs.ext4 /dev/mapper/enc-fc # create a file system in the container
                                    sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container

                                    #--------------------- Usage ---------------------#
                                    sudo cryptsetup luksOpen ~/encrypted-fc enc-fc # decrypt the file container
                                    sudo mount /dev/mapper/enc-fc /your/mount/point # mount decrypted container

                                    sudo umount /dev/mapper/enc-fc # umount decrypted container
                                    sudo cryptsetup luksClose enc-fc # lock (encrypt) the file container






                                    share|improve this answer














                                    share|improve this answer



                                    share|improve this answer








                                    edited Nov 22 at 0:18

























                                    answered Nov 21 at 9:14









                                    b_laoshi

                                    2,472927




                                    2,472927






















                                        up vote
                                        -1
                                        down vote













                                        I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                                        But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                                        Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                                        So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.






                                        share|improve this answer

















                                        • 1




                                          I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                          – user262494
                                          Mar 27 '14 at 6:42

















                                        up vote
                                        -1
                                        down vote













                                        I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                                        But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                                        Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                                        So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.






                                        share|improve this answer

















                                        • 1




                                          I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                          – user262494
                                          Mar 27 '14 at 6:42















                                        up vote
                                        -1
                                        down vote










                                        up vote
                                        -1
                                        down vote









                                        I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                                        But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                                        Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                                        So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.






                                        share|improve this answer












                                        I'm pretty sure it is pointless to have disk encryption if you never turn the computer off. I could be wrong though.



                                        But if you never turn it off, it will never boot to the screen that unencrypts your hard drive. So it is pretty much always unencrypted.



                                        Do you have a /home partition that is encrypted? If so, if someone were to steal it, they would not have access to all the files in your user account, so therefore, if it requires your user password, it would be safe.



                                        So in short, if just your hard disk is encrypted, yes it is pointless. If you have a separate /home partition, you should be ok if that is encrypted because they cannot access those files.







                                        share|improve this answer












                                        share|improve this answer



                                        share|improve this answer










                                        answered Mar 27 '14 at 6:32









                                        user262499

                                        1




                                        1








                                        • 1




                                          I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                          – user262494
                                          Mar 27 '14 at 6:42
















                                        • 1




                                          I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                          – user262494
                                          Mar 27 '14 at 6:42










                                        1




                                        1




                                        I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                        – user262494
                                        Mar 27 '14 at 6:42






                                        I do indeed have my /home partition encrypted. My concern was if someone had my computer and it was at lock screen, could they not use some simple exploit to get around the password? Encrypted home folder wouldn't matter in that case, would it?
                                        – user262494
                                        Mar 27 '14 at 6:42




















                                         

                                        draft saved


                                        draft discarded



















































                                         


                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f439782%2fencrypted-lock-screens%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Ellipse (mathématiques)

                                        Quarter-circle Tiles

                                        Mont Emei