Mailinglist Archive: opensuse (1108 mails)

< Previous Next >
Re: [opensuse] Booting with an encrypted home
On 08/07/2018 02:33 PM, Neil Rickert wrote:
A user owns two directories there: "/home/user" and
"/home/.ecryptfs/user". There is a subdirectory
"/home/.ecryptfs/user/.Private" which contains the encrypted version
of the user home directory. When that is unlocked, the decrypted
version is mounted on top of "/home/user".

The idea is to put ".ssh" in "/home/.ecryptfs/user" and have a symlink
to it in "/home/user" which will be what you see when the encrypted
directory is not unlocked. And then you need another symlink that is
put there when the encrypted directory is unlocked. That second
symlink is only visible with the encrypted directory is unlocked.
And, of course, there is an encrypted version of that symlink in
"/home/.ecryptfs/user/.Private/".

Neil,

Thanks for the additional details.  Some of the process is much clearer
with them.  But there must be a lot more magic to it, because, as given,
there are still theoretical gaps in the functioning of the files and
symlinks.  For instance, if I have encrypted files in
/home/.encryptfs/user/.ssh/ and then a symlink from that directory to
/home/user/, prior to the former being decrypted, I should not be able
to read the files there.  Just creating a symlink to an encrypted
directory does not decrypt it and its files.  So I don't see how it
would be possible to remotely log into such a system, being that ~/.ssh
(the symlink) would point to an encrypted directory.

As well, I'm not understanding the endpoints of the second symlink. 
It's created after /home/.encryptfs/user/ is decrypted (and mounted),
yes?  What would be the command to create that symlink then?

If I can sufficiently understand encryptfs, as you seem to do, then it
would be a really nice solution to an issue I'm looking at.

Thanks much.



--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >