Mailinglist Archive: opensuse (1108 mails)

Re: [opensuse] Booting with an encrypted home
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/07/2018 10:17 AM, ken wrote:

> Wouldn't this cause problems if, when /home/ is mounted, Carlos
> might try to read ~/.ssh ... I mean the directory and files would
> *not* be encrypted, but ecryptfs -- and so then also the system --
> would act (or try to act) as if that directory and its files *were*
> encrypted. What happens then?

It doesn't work that way.

The home partition is not itself encrypted. So "/home" can be mounted
during boot without needing a password.

A user owns two directories there: "/home/user" and
"/home/.ecryptfs/user". There is a subdirectory
"/home/.ecryptfs/user/.Private" which contains the encrypted version
of the user home directory. When that is unlocked, the decrypted
version is mounted on top of "/home/user".

The idea is to put ".ssh" in "/home/.ecryptfs/user" and have a symlink
to it in "/home/user" which will be what you see when the encrypted
directory is not unlocked. And then you need another symlink that is
put there when the encrypted directory is unlocked. That second
symlink is only visible when the encrypted directory is unlocked.
And, of course, there is an encrypted version of that symlink in
"/home/.ecryptfs/user/.Private/".

As long as mount and umount are atomic operations, ".ssh" will always
be available, though which of those symlinks it follows will depend.


-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEv7/MJoKYXv2p0PaIZJcsjNEnCIUFAltp5fMACgkQZJcsjNEn
CIUwCQf+LNkUmOadKLkXosoAb8j9uDG61F5WcuwgkhuYh2J80JsHWjkF/VBQ5oPB
fXWf/Hut1R+wQuipU8SaxdD8LyWBkEynOGoA5zJKODO4/EkxTGl/k4xv+XjDZ7Uj
FK8Mh2WzWpjq8aoblQ/Iy05naZxbtkwfMYD7Q8gvGz5+PpFzZfV2H0POAiNZAKDt
ShnDrGY3TCV5gfdnBdwTqSUj2FtOC2dO5l6Z16LyawccTtYXmkbt8TAjyLzj0D16
NVVmm6C6yhd+3/C48ChF3CITastaX8mqxXVLZWq7KWEOqRxgw1N4iSI6eSj5+9TV
6FqHvHq2yBeh+duI1MJjRoBKTJTnPw==
=NwKM
-----END PGP SIGNATURE-----

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
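The two-symlink layout described in the reply above, as an added example that is not part of the original post. It rebuilds the layout with plain directories so it runs offline without root: a scratch directory stands in for /home, "alice" and "bob" are assumed user names, and a ".unlocked-view/<user>" directory stands in for the decrypted tree that ecryptfs would mount over /home/<user> after unlocking. No real ecryptfs mount is made, and the authorized_keys line is constructed sample data. The script also adds the check a practitioner wants here: since ".ssh" now sits outside ".Private", it is stored in the clear and must be owner-only.

```shell
#!/bin/sh
# Added example, not code from the original post. A scratch root stands in
# for /home, ".unlocked-view/<user>" stands in for the decrypted tree that
# ecryptfs would mount over /home/<user>; no real ecryptfs mount is made.
set -eu

# Create the two-symlink layout under scratch root $1 for user $2.
make_layout() {
    r=$1; u=$2
    # /home/user as it looks while the encrypted home is still locked.
    mkdir -p "$r/$u"
    # Per-user ecryptfs area; .Private holds the ciphertext of the home.
    mkdir -p "$r/.ecryptfs/$u/.Private"
    # The real .ssh lives beside .Private, outside the encrypted store,
    # so it is readable before the user's passphrase has been entered.
    mkdir -p "$r/.ecryptfs/$u/.ssh"
    chmod 700 "$r/.ecryptfs/$u" "$r/.ecryptfs/$u/.ssh"
    # First symlink: what ~/.ssh resolves to while locked.
    ln -s "$r/.ecryptfs/$u/.ssh" "$r/$u/.ssh"
    # Second symlink: lives inside the decrypted tree (here a stand-in
    # directory) and is the one visible once the home is unlocked.
    mkdir -p "$r/.unlocked-view/$u"
    ln -s "$r/.ecryptfs/$u/.ssh" "$r/.unlocked-view/$u/.ssh"
}

# Print the physical directory ~/.ssh resolves to for user $2 under root $1
# in state $3 ("locked" or "unlocked"); fails on an unknown state.
ssh_dir() {
    r=$1; u=$2
    case $3 in
        locked)   link="$r/$u/.ssh" ;;
        unlocked) link="$r/.unlocked-view/$u/.ssh" ;;
        *) echo "ssh_dir: unknown state '$3'" >&2; return 1 ;;
    esac
    # cd through the symlink and print the resolved path (POSIX, no readlink -f).
    (cd "$link" && pwd -P)
}

# The key directory is stored in the clear, so it must be owner-only.
# Tries GNU stat first, then BSD stat.
check_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "700" ]
}

demo() {
    root=$(mktemp -d)
    make_layout "$root" alice
    # Constructed sample key line, written once into the shared .ssh.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal alice@example\n' \
        > "$root/.ecryptfs/alice/.ssh/authorized_keys"
    locked=$(ssh_dir "$root" alice locked)
    unlocked=$(ssh_dir "$root" alice unlocked)
    echo "locked   ~/.ssh -> $locked"
    echo "unlocked ~/.ssh -> $unlocked"
    [ "$locked" = "$unlocked" ] && echo "both states resolve to the same directory"
    cat "$unlocked/authorized_keys"
    check_perms "$locked" && echo ".ssh is mode 0700"
    rm -rf "$root"
}

demo
```

Both symlinks use absolute targets on purpose: a relative "../.ecryptfs/alice/.ssh" would also work on a real system, because the decrypted tree is mounted at /home/alice and the link is resolved from there, but absolute targets keep the stand-in directory honest. The trade-off the reply leaves implicit is that private keys in that ".ssh" are no longer protected by the home passphrase, so they should carry their own passphrase.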
