[opensuse] Encrypting all partitions or just Root
My new laptop (HP/Compaq nw9440) runs SUSE 10.2 exclusively. I do have vmware and cxoffice for wintendo apps but no specific partition. My only partitions are root, home and swap.
My company has a new policy coming into effect, requiring all mobile devices have encryption built in. Though not entirely defined yet, I thought I'd get a jump on the process and encrypt my laptop. Good idea to do so, because I have source code, internal documents and whatnot there.
I googled and found two articles on encryption, one of which is SUSE specific.
http://www.linuxjournal.com/article/7743
http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO
Both of them seem to point to creating the partition as encrypted. In fact, the opensuse article discusses creating several partitions then moving stuff to the encrypted one. :P
As I have my lappie already built up and stuffed with important software (TuxCart, Amarok, Kaffeine, Ardour, iLives) and entertainment software (Netbeans, Visio, VMWare/XP) I don't want to reformat if not necessary.
Any way I can go about encrypting without destroying the partitions?
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 6/6/07, Kai Ponte
My new laptop (HP/Compaq nw9440) runs SUSE 10.2 exclusively. I do have vmware and cxoffice for wintendo apps but no specific partition. My only partitions are root, home and swap.
My company has a new policy coming into effect, requiring all mobile devices have encryption built in. Though not entirely defined yet, I thought I'd get a jump on the process and encrypt my laptop. Good idea to do so, because I have source code, internal documents and whatnot there.
I googled and found two articles on encryption, one of which is SUSE specific.
http://www.linuxjournal.com/article/7743
http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO
Both of them seem to point to creating the partition as encrypted. In fact, the opensuse article discusses creating several partitions then moving stuff to the encrypted one. :P
As I have my lappie already built up and stuffed with important software (TuxCart, Amarok, Kaffeine, Ardour, iLives) and entertainment software (Netbeans, Visio, VMWare/XP) I don't want to reformat if not necessary.
Any way I can go about encrypting without destroying the partitions?
As long as you have empty space on one you can try resizing it and creating a new encrypted partition with the partition tool. I usually encrypt home at install. If you cannot resize I think you may be able to create an encrypted file and mount it using some loop mechanism I cannot remember exactly. Check this out:
http://tldp.org/HOWTO/html_single/Cryptoloop-HOWTO/
HTH
George
The Wednesday 2007-06-06 at 15:47 -0400, George Stoianov wrote:
If you cannot resize I think you may be able to create an encrypted file and mount it using some loop mechanism I cannot remember exactly.
That part is easy; for instance, in fstab:
cryptofile mountpoint filesystemtype loop,encryption=twofish256 1 2
-- Cheers, Carlos E. R.
On 6/6/07, Carlos E. R.
The Wednesday 2007-06-06 at 15:47 -0400, George Stoianov wrote:
If you cannot resize I think you may be able to create an encrypted file and mount it using some loop mechanism I cannot remember exactly.
That part is easy; for instance, in fstab:
cryptofile mountpoint filesystemtype loop,encryption=twofish256 1 2
Thanks, good to know.
George
The Wednesday 2007-06-06 at 11:52 -0700, Kai Ponte wrote:
My new laptop (HP/Compaq nw9440) runs SUSE 10.2 exclusively. I do have vmware and cxoffice for wintendo apps but no specific partition. My only partitions are root, home and swap.
I would encrypt home, not root. Swap... dunno, maybe, and maybe not possible. Dunno.
Any way I can go about encrypting without destroying the partitions?
I don't think you can. You have to back up somewhere, reformat, restore.
-- Cheers, Carlos E. R.
On Wed, 2007-06-06 at 11:52 -0700, Kai Ponte wrote:
My company has a new policy coming into effect, requiring all mobile devices have encryption built in.
Just wondering,
encryption costs (some) cpu-cycles. Why encrypting everything under root, usr, opt, srv, etc, tmp and var? Everything there is public on the Net...
Shouldn't /home not be enough ??? Don't make life harder for yourself than it already is..
Hans
-- pgp-id: 926EBB12 pgp-fingerprint: BE97 1CBF FAC4 236C 4A73 F76E EDFC D032 926E BB12 Registered linux user: 75761 (http://counter.li.org)
Hans Witvliet wrote:
On Wed, 2007-06-06 at 11:52 -0700, Kai Ponte wrote:
My company has a new policy coming into effect, requiring all mobile devices have encryption built in.
Just wondering,
encryption costs (some) cpu-cycles. Why encrypting everything under root, usr, opt, srv, etc, tmp and var? Everything there is public on the Net...
Shouldn't /home not be enough ??? Don't make life harder for yourself than it already is..
Hans
And swap?
-- Use OpenOffice.org http://www.openoffice.org
On Thu, June 7, 2007 4:17 pm, Hans Witvliet wrote:
On Wed, 2007-06-06 at 11:52 -0700, Kai Ponte wrote:
My company has a new policy coming into effect, requiring all mobile devices have encryption built in.
Just wondering,
encryption costs (some) cpu-cycles. Why encrypting everything under root, usr, opt, srv, etc, tmp and var? Everything there is public on the Net...
Shouldn't /home not be enough ??? Don't make life harder for yourself than it already is..
heh - good point
That is my initial thought. One of the articles I referenced, however, mentioned how the root partition - particularly the FUBAR myriad of folders containing stuff - will have personal information. This is particularly prevalent in the tmp folder.
I suppose I could just ensure tmp gets purged every time I boot.
Hans
Kai Ponte wrote:
On Thu, June 7, 2007 4:17 pm, Hans Witvliet wrote:
On Wed, 2007-06-06 at 11:52 -0700, Kai Ponte wrote:
My company has a new policy coming into effect, requiring all mobile devices have encryption built in.
Just wondering,
encryption costs (some) cpu-cycles. Why encrypting everything under root, usr, opt, srv, etc, tmp and var? Everything there is public on the Net...
Shouldn't /home not be enough ??? Don't make life harder for yourself than it already is..
heh - good point
That is my initial thought. One of the articles I referenced, however, mentioned how the root partition - particularly the FUBAR myriad of folders containing stuff - will have personal information. This is particularly prevalent in the tmp folder.
I suppose I could just ensure tmp gets purged every time I boot.
Hans
I would suggest adding in /tmp and the swap file. If you swap, the data might be contained in the swap partition. The /tmp might contain personal information, because many programs use the /tmp.
-- Joseph Loo jloo@acm.org
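An added example (not part of the original thread) that audits an fstab for the locations Joseph Loo and Carlos E. R. name above: /home, /tmp, /var and swap. It recognises only the loop `encryption=` option syntax from Carlos's fstab line; the sample fstab, its device names and the image path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab for the locations named in the thread.
# Recognises only the loop "encryption=<cipher>" option from the thread.

# Constructed sample fstab: devices and image path are hypothetical.
sample_fstab() {
cat <<'EOF'
# device          mountpoint  type  options                     dump pass
/dev/sda1         /           ext3  acl,user_xattr              1 1
/dev/sda2         swap        swap  defaults                    0 0
/dev/sda3         /tmp        ext3  defaults                    1 2
/secure/home.img  /home       ext3  loop,encryption=twofish256  1 2
EOF
}

# audit_fstab: fstab text on stdin, one status line per target on stdout.
# A target without its own entry inherits the status of the root filesystem.
audit_fstab() {
    awk '
    BEGIN { n = split("/home /tmp /var swap", want, " ") }
    /^[ \t]*#/ || NF < 4 { next }             # comments, blank or short lines
    {
        key = ($3 == "swap") ? "swap" : $2    # swap is identified by its type
        cipher = ""
        m = split($4, opt, ",")
        for (i = 1; i <= m; i++)
            if (opt[i] ~ /^encryption=./) cipher = substr(opt[i], 12)
        state[key] = (cipher != "") ? "encrypted " cipher : "PLAINTEXT"
    }
    END {
        for (i = 1; i <= n; i++) {
            t = want[i]
            if (t in state)        print t, state[t]
            else if (t == "swap")  print t, "absent"
            else if ("/" in state) print t, state["/"], "(inherited from /)"
            else                   print t, "unknown"
        }
    }'
}

# exposed_targets: space-separated targets readable from a powered-off disk.
exposed_targets() {
    audit_fstab | awk '$2 == "PLAINTEXT" { printf "%s%s", sep, $1; sep = " " }
                       END { print "" }'
}

sample_fstab | audit_fstab
```

Run against a real system with `audit_fstab < /etc/fstab`; a /var or /tmp line marked "inherited from /" has no partition of its own and shares whatever protection root has.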
The Thursday 2007-06-07 at 18:12 -0700, Kai Ponte wrote:
That is my initial thought. One of the articles I referenced, however, mentioned how the root partition - particularly the FUBAR myriad of folders containing stuff - will have personal information. This is particularly prevalent in the tmp folder.
I suppose I could just ensure tmp gets purged every time I boot.
You can give tmp its own partition and encrypt it. And var, if you wish. And swap while suspended, I heard something about it.
-- Cheers, Carlos E. R.
On Fri, 2007-06-08 at 03:30 +0200, Carlos E. R. wrote:
The Thursday 2007-06-07 at 18:12 -0700, Kai Ponte wrote:
That is my initial thought. One of the articles I referenced, however, mentioned how the root partition - particularly the FUBAR myriad of folders containing stuff - will have personal information. This is particularly prevalent in the tmp folder.
I suppose I could just ensure tmp gets purged every time I boot.
You can give tmp its own partition and encrypt it. And var, if you wish. And swap while suspended, I heard something about it.
Which makes me wonder if one could not just create a separate partition for the various directories that need to be encrypted, create the directories on that encrypted partition and then link to the encrypted directories from the unencrypted root partition? The downside to this I think would come at time for upgrade, when one would have to clear the encrypted directories, 'sync' over the new data, and then re-setup the links.
Guys, let's not forget that encrypting a partition is only protecting data when the computer is turned off, i.e. no one can just start it and read my stuff; when it is on, the partition is mounted with your password for you to use it. When that happens, whether it is /home, /var or /srv, it does not matter: if someone can break into your system because it is on the net, they will have access to all of that and they would not even know or care that it is encrypted.
Another thing, for me at least, is the importance of being able to boot even if I lost/forgot etc my password, so encrypting just home works fine.
George Stoianov wrote:
Guys, let's not forget that encrypting a partition is only protecting data when the computer is turned off, i.e. no one can just start it and read my stuff; when it is on, the partition is mounted with your password for you to use it. When that happens, whether it is /home, /var or /srv, it does not matter: if someone can break into your system because it is on the net, they will have access to all of that and they would not even know or care that it is encrypted.
Another thing, for me at least, is the importance of being able to boot even if I lost/forgot etc my password, so encrypting just home works fine.
You might want to clear /tmp on boot, though that won't protect you against someone with a rescue CD. And I suppose you could have swap in a file on your encrypted directory.
The Friday 2007-06-08 at 13:06 -0400, George Stoianov wrote:
Guys, let's not forget that encrypting a partition is only protecting data when the computer is turned off, i.e. no one can just start it and
Obviously. I haven't forgotten that. But referent to the OP mail, it is theft of the portable computer what the company is worried about; and the highest risk of theft is when on the move, with the portable off and inside its bag.
If the computer is on, the owner should be around and protect it with his life! :-p
-- Cheers, Carlos E. R.
On Fri, June 8, 2007 1:29 pm, Carlos E. R. wrote:
The Friday 2007-06-08 at 13:06 -0400, George Stoianov wrote:
Guys, let's not forget that encrypting a partition is only protecting data when the computer is turned off, i.e. no one can just start it and
Obviously. I haven't forgotten that. But referent to the OP mail, it is theft of the portable computer what the company is worried about; and the highest risk of theft is when on the move, with the portable off and inside its bag.
Yes, that *is* my concern.
If the computer is on, the owner should be around and protect it with his life! :-p
Exactly, especially doing important things like trying to make qdvdauthor work. :P
-- k
On Sun, 2007-06-10 at 06:39 -0700, Kai Ponte wrote:
On Fri, June 8, 2007 1:29 pm, Carlos E. R. wrote:
The Friday 2007-06-08 at 13:06 -0400, George Stoianov wrote:
Guys, let's not forget that encrypting a partition is only protecting data when the computer is turned off, i.e. no one can just start it and
Obviously. I haven't forgotten that. But referent to the OP mail, it is theft of the portable computer what the company is worried about; and the highest risk of theft is when on the move, with the portable off and inside its bag.
Yes, that *is* my concern.
If the content of /home, or /home/johndoe is to be protected at all cost, one might think about using tokens...
Even though PIN/PUK are virtually impossible to break, the token should never be kept with the notebook (with a post-it memo with the pin&puk-code ;), but in your wallet or key-chain.
If the notebook got nicked, the thief only sees a free-and-open O.S. And even *if* he can log in, as root, he can not decipher anything without the token and the knowledge of its pin-code.
Having said this, do you access your data from linux/bsd-only machines? If so, (and the sensitive data is not too much..) why not put that part of your data on an encrypted usb-stick?
HW
participants (7)
- Carlos E. R.
- George Stoianov
- Hans Witvliet
- James Knott
- Joseph Loo
- Kai Ponte
- Mike McMullin