SD expansion card security

I was wondering how secure the data will be on the 'removable' SD expansion card.

If the card is removed with data on it, would some other person be able to read the data in another card reader?

What precautions would you suggest? I'm using the Linux version.

 

you could try cryptainer LE, its a programme for portable drives but im still trying to work it out

 

It will not be secure unless you encrypt the data area.

Truecrypt ?

viewtopic.php?f=17&t=1629&p=10922&hilit=truecrypt#p10922

 

Thanks ..... thinking about data on the hard drive, with bios password and boot devices disabled, is my data reasonably secure on the acer one?

 

Not really. If someone gets their hands on the laptop they can either reset the BIOS or plug the HD into some other system. Encrypt your private files if you want them secure. Also, don't forget that "secure" ought include "backed up" - lots of people tend to forget that...

 

Unless you're careful to the point of paranoia, you have to assume that if your laptop falls into the hands of a villain, he _will_ be able to read your data. It's really as simple as that.

`Careful to the point of paranoia' means encrypting all the internal and external storage _at the filesystem level_. That is, you have to take steps to ensure that anything written on storage is encrypted, right there and then. Encrypting individual files is not sufficient, since many (most?) applications will leave plaintext temporary files hanging around. And you need to encrypt the swap partition too.

If you have only internal storage, a BIOS password will offer modest (but only modest) protection against casual intruders.

 

Isn't that a bit overkill? Decrypting eats CPU, and it's not like you'll have any private data in, say, /usr. You shouldn't be logged in as root and as such won't have write permissions to most parts of the system.

Encrypted swap makes sense - but not using swap at all makes even more sense imo . I've got the SSD-version tho.

Keep all your work in your home dir and encrypt that (or maybe just parts of it). That only leaves tmp-dirs, logs and possibly some other things in /var... Might want to encrypt some of that - or just mount it as tmpfs. Should be no need for temporary files to persist across boots. Logs might be good to have if the system crashes, but on a laptop I don't feel losing them on shutdown is that big a deal .

Oh, keep and eye on /root too - might leave some traces there when you sudo.

 

It really depends on how much trouble you are prepared to go to to ensure that you know exactly which bits of a filesystem can conceivably be written and which can not. In principle you have to worry about /tmp and /var even as a non-root user, swap (as I said, unless you turn it off), and any place you have write access to (unless you are 100% certain you know exactly where your apps store every bit of temporary data). A textbook example is the old standy `vim' text editor, which leaves a hidden temporary file in the same directory as the file it's editing. You can encrypt the document, but then forget the temporary file(s). And, of course, `vim' isn't the only app to do this kind of thing, by any means.

Encryption at the filesystem level is extremely slow and inefficient, but does at least mean that you aren't at the mercy of the app developers, when it comes ot leaving unencrypted work files laying about.

 

Looks like you missed the second part of my post. I didn't disagree with filesystem-encryption - only the idea of encrypting *all* filesystems.

Encrypting /home is a good idea (and tmp-dirs unless you mount them on tmpfs).
/var/log might make some sense (again, I'd rather go with tmpfs tho).

Your textbook example doesn't apply. While vim does use a .swp-file - and other editors often leave backup-files - they only do so in the directory if the file in question (by default). If /home is encrypted and you keep your files there you're safe. You could also disable this functionality. Other applications may cache data, but they will do so in your home dir (or possibly /tmp).

ofc, this isn't the entire truth, there may be some other directories in /var you need to worry about, so if you feel unsure you might want to encrypt all of that. I keep my mail on a mail server, so /var/mail doesn't worry me. I rarely print anything (especially not from a laptop) so I've not bothered looking into /var/spool/cups/...

Anyway, encrypting anything other than swap, /home, /tmp and (possibly) /var does still not make sense to me. An encrypted root-filesystem can be a pain. Wasting CPU on decrypting application binaries is a pointless.