Mailinglist Archive: opensuse (686 mails)

< Previous Next >
Re: [opensuse] Expand user's encrypted home image file
On Thursday, July 25, 2013 09:12:43 AM Darin Perusich wrote:
On Thu, Jul 25, 2013 at 7:43 AM, Marco Vittorini Orgeas


I've never been a fan of SuSE's approach to encrypting home
directories for exactly the reasons you're run into, once you run out
of space your stuck. IMO using ecryptfs, as Ubuntu does, for user home

Then, is it correct to assume that it will proceed with a copy+delete?
In such a case an image file of 60GB inside a HDD drive of 100GB won't allow
a copy+delete.
I would bet it will proceed with that, but I can't assume for sure: e.g.
Virtualbox somehow allows the resizing of its VM guest HDD images without a
copy+delete: https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvdi
.

directory encryption is a much better approach. Because it's a
stackable filesystem you only need to expand the underlying file
system to increase space so it's transparent. Also because it's a
stacked filesystems you don't need to "resize" the mapping of the
volume like you do if using dm-crypt, see cryptsetup(8) resize.

On openSUSE 12.2+ when you install the ecryptfs-utils package it will
properly update the pam configuration and set permissions accordingly,
I wrote the pam-config patches for this and helped push the setuid
bits through. Unfortunately there are currently issues with some of
the ecryptfs-utils scripts, at least on openSuSE 12.3, which need to
be addressed in order for things to be properly setup. The biggest I'm
aware of is ecryptfs-setup-swap needs to be updated to support systemd
and it doesn't always update the fstab swap entries. In it's current
state it doesn't work and I haven't had time to fix/patch it and push
them upstream.


Yes, I did looked into it when I had to setup the OS, but the state
wasn't completely bug-free so,given the critical nature of the function, I
eventually preferred going ahead with the "official" and "supported" way to
encrypt home dirs.
I hope it will be polished out...also, why not adding an helper script to
convert the image file to an ecryptfs set-up?

--
Marco
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >