On 08/07/2018 10:17 AM, ken wrote:
> Wouldn't this cause problems if, when /home/ is mounted, Carlos might try to read ~/.ssh ... I mean the directory and files would *not* be encrypted, but ecryptfs -- and so then also the system -- would act (or try to act) as if that directory and its files *were* encrypted. What happens then?
It doesn't work that way. The home partition is not itself encrypted. So "/home" can be mounted during boot without needing a password.

A user owns two directories there: "/home/user" and "/home/.ecryptfs/user". There is a subdirectory "/home/.ecryptfs/user/.Private" which contains the encrypted version of the user home directory. When that is unlocked, the decrypted version is mounted on top of "/home/user".

The idea is to put ".ssh" in "/home/.ecryptfs/user" and have a symlink to it in "/home/user", which will be what you see when the encrypted directory is not unlocked. And then you need another symlink that is put there when the encrypted directory is unlocked. That second symlink is only visible when the encrypted directory is unlocked. And, of course, there is an encrypted version of that symlink in "/home/.ecryptfs/user/.Private/".

As long as mount and umount are atomic operations, ".ssh" will always be available, though which of those symlinks it follows will depend.
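As an added example (not part of the thread and not openSUSE or eCryptfs code), the following POSIX shell script builds the symlink layout described above inside a sandbox directory standing in for /home, then checks that ".ssh" resolves to the same plaintext directory in both views and that the resolved target has permissions sshd's StrictModes will accept. The user name carlos, the sandbox path and the "unlocked-$user" directory standing in for the decrypted tree that eCryptfs mounts over /home/user are assumptions; nothing is actually mounted.

```shell
#!/bin/sh
# Added example: the locked view is "$root/$user", the unlocked view is
# modelled by "$root/unlocked-$user" (hypothetical stand-in for the mount).
set -eu

# Build the layout under $1 (stand-in for /home) for user $2.
setup_layout() {
  root=$1; user=$2
  mkdir -p "$root/$user"                       # what you see while locked
  mkdir -p "$root/.ecryptfs/$user/.ssh"        # plaintext, outside the vault
  mkdir -p "$root/.ecryptfs/$user/.Private"    # ciphertext lives here
  mkdir -p "$root/unlocked-$user"              # stand-in for decrypted mount
  chmod 700 "$root/.ecryptfs/$user/.ssh"
  : > "$root/.ecryptfs/$user/.ssh/authorized_keys"   # constructed, empty
  chmod 600 "$root/.ecryptfs/$user/.ssh/authorized_keys"
  # Symlink 1: present in the locked view of /home/user.
  ln -sfn "$root/.ecryptfs/$user/.ssh" "$root/$user/.ssh"
  # Symlink 2: lives inside the decrypted tree, so it is only visible once
  # the eCryptfs home is unlocked and mounted over /home/user.
  ln -sfn "$root/.ecryptfs/$user/.ssh" "$root/unlocked-$user/.ssh"
}

# Print the canonical directory that VIEW/.ssh resolves to.
resolve_ssh() { readlink -f "$1/.ssh"; }

# Return 0 when the locked and unlocked views lead to the same .ssh.
same_target() {
  [ "$(resolve_ssh "$1/$2")" = "$(resolve_ssh "$1/unlocked-$2")" ]
}

# sshd with StrictModes checks ownership and write permissions along the
# resolved path, so check the target, not the symlink.
perms_ok() {
  dir=$(resolve_ssh "$1")
  [ "$(stat -c %a "$dir")" = "700" ] &&
  [ "$(stat -c %a "$dir/authorized_keys")" = "600" ]
}

sandbox=$(mktemp -d)
setup_layout "$sandbox" carlos
same_target "$sandbox" carlos && echo "locked and unlocked views agree"
perms_ok "$sandbox/carlos" && echo "permissions acceptable to StrictModes"
rm -rf "$sandbox"
```

Replace the sandbox with the real /home and drop the "unlocked-$user" stand-in to apply the layout for real; the second symlink then goes into the unlocked home itself.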