On Thu December 27 2007 05:03, Carlos E. R. wrote:
The Wednesday 2007-12-26 at 17:51 -0800, Kai Ponte wrote:
I would only encrypt home.
You know, I was going to go that route.
However, I have no clue what to do. I see there's an option for something like a crypto, but I've yet to find anything on google as to how.
Say I have a 75GB home partition that I want to encrypt and want EXT3, what do I choose?
The easiest way is to start the yast partitioner module, and tell it to format a partition as ext3 encrypted. It will ask for the passphrase (better be long), and it will encrypt the partition - which can be /home, of course. Of course, it is a "format" tool, you lose any data on it, but that can't be helped (copy it somewhere else, and work as root meanwhile).
This is what I would use to encrypt a large /home completely. But I would not recommend it. I tried this method first on my new laptop and I found that it has 2 disadvantages. If you let the password prompt time out or if you miss the password 3 times, you start a system without your /home. Obviously the mounting point /home is still there, but it is empty and you log in to a fresh new environment created on the unencrypted root partition, which is highly inconvenient. It would be even worse if you had encrypted the root partition. Second, once you unencrypt /home, it is all open until you shut down, meaning that after suspend you are only protected by the lock-screen. Also, you cannot use your laptop in an untrusted environment without having your sensitive data exposed.
There is another option, which I haven't tested, new for opensuse 10.3, that encrypts the home of a single user. It is done from the user management module. You can have plain users and encrypted users, and each one with a separate data space.
If it is what I think, it creates an encrypted filesystem on a file mounted on a loop in /home/USER - so you have to choose how much space to give it beforehand. The opensuse manual explains it, I think.
I am testing this right now. I only really need to encrypt one directory, which contains sensitive (under NDA) data, and perhaps my Mail dir. So I created a crypt file under /home with 5GB (enough for the data; I need another one of these for my Mail) and mounted it to the top level sensitive directory in my home. If I just hit Enter 3 times without giving the passphrase, I can still use the laptop normally. The directory is there empty (actually it has now a file called NOTMOUNTED.txt to help me notice it is not mounted, since I once forgot and started copying data into the plain mounting point; this file does not show up if the encrypted loop-file is mounted), if I want to use the laptop without exposing it.

I just noticed in "man crypttab" that you can add an option "noauto" in /etc/crypttab, so that the boot process is not interrupted by the ugly text based passphrase question. I am going to try that. To mount and unmount the encrypted directories, you run as root:

    /etc/rc.d/boot.crypto restart
    /etc/rc.d/boot.crypto stop

respectively.

Ideally, I would like the mounting and unmounting to be more convenient, maybe from within Konqueror, and that the crypto files are unmounted automatically at suspend (can I add that to /etc/pm/sleep.d ?).

--
Carlos FL
Who is General Failure, and why is he reading my disk?
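The last message asks whether the encrypted loop files can be closed automatically at suspend. One way to do that is sketched below as an added example; it is not code from any poster in this thread. It is a pm-utils hook (hypothetical file name /etc/pm/sleep.d/10crypto) that runs the boot.crypto stop command from the message and uses the NOTMOUNTED.txt marker to confirm the data is really closed. Assumptions: SECRET_DIR is a placeholder mount point, and the marker file already exists in the plain mount-point directory.

```shell
#!/bin/sh
# Added example, not from the thread: pm-utils sleep hook.
# pm-utils calls each hook in /etc/pm/sleep.d with one argument:
# suspend, hibernate, resume or thaw.

# Assumptions (adjust locally): SECRET_DIR is a placeholder path.
CRYPTO_INIT="${CRYPTO_INIT:-/etc/rc.d/boot.crypto}"  # init script named in the message
SECRET_DIR="${SECRET_DIR:-/home/USER/sensitive}"     # hypothetical mount point
SENTINEL="NOTMOUNTED.txt"                            # marker file described in the message

# The marker lives in the plain mount-point directory, so it is hidden
# while the encrypted loop file is mounted on top of it.
crypto_is_mounted() {
    [ ! -e "$SECRET_DIR/$SENTINEL" ]
}

crypto_sleep_hook() {
    case "$1" in
        suspend|hibernate)
            # Nothing to do if the volume is already closed.
            crypto_is_mounted || return 0
            "$CRYPTO_INIT" stop >/dev/null 2>&1 || true
            # An unmount fails while files are still open, so check the
            # marker instead of trusting the exit code of the init script.
            if crypto_is_mounted; then
                echo "encrypted volume still mounted at $SECRET_DIR" >&2
                return 1   # report failure: data would stay exposed
            fi
            ;;
        resume|thaw)
            # Stay locked after wake-up; reopening needs the passphrase
            # ("boot.crypto restart" as root).
            ;;
    esac
    return 0
}

# Act as a hook only when pm-utils passes an event name.
if [ $# -gt 0 ]; then
    crypto_sleep_hook "$1"
fi
```

If the marker file is missing from the plain directory, the hook cannot tell the two states apart and always reports the volume as still mounted.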