[opensuse] Expand user's encrypted home image file
Hello list! During the initial setup of my openSUSE installation (12.2) I made sure that my home folder was encrypted by checking the corresponding option. So my home folder ended up managed by openSUSE, which created and set up an encrypted image file according to the details here: http://doc.opensuse.org/documentation/html/openSUSE_122/opensuse-security/ch.... security.cryptofs.html#sec.security.cryptofs.y2.homes . I have a home folder (image file) of fixed size which I now need to enlarge, as its free space is almost entirely depleted. But before proceeding with the enlargement, using YaST as described here http://doc.opensuse.org/documentation/html/openSUSE_122/opensuse-startup/cha. y2.userman.html#sec.y2.userman.adv.crypto , I'd like to know if somebody has already had experience with a similar issue and, above all, if somebody knows the details of how YaST will handle the request to enlarge the image file. Is it a well-known scenario in the openSUSE community, with the procedure known as bug free? Given the situation, I'm worried about how it will resize the file to accommodate the new size. I guess by creating a new image file with the new size, encrypted with the same key, and then copying all the "old" image file contents, eventually deleting the "old" one at the end? If that is the case, given that my home is quite big, it will probably fail, as the HDD will not have the space required to handle the copy of the file. Any information about analogous experiences with the procedure is greatly appreciated. Thank you. -- Marco
On 2013-07-24 at 01:23 +0200, Marco Vittorini Orgeas wrote:
Is it a well-known scenario in the openSUSE community, with the procedure known as bug free?
It is the first time, AFAIR, that I know of some one attempting it. If I were you, I would try the procedure on a virtualized environment. The alternative is saving it all in a backup and creating a new, bigger file. In any case, do a backup, to prevent the case of failure to enlarge it safely. I do use encryption, but not on home; instead, I use an encrypted partition where I store private files. -- Cheers Carlos E. R. (from 11.4, with Evergreen, x86_64 "Celadon" (Minas Tirith))
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
It is the first time, AFAIR, that I know of some one attempting it.
Am I really the only one who encrypts his files using the openSUSE approach? -- Marco
On 07/24/2013 11:59 PM, Marco Vittorini Orgeas wrote:
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
Am I really the only one who encrypts his files using the openSUSE approach?
sorry, i can't answer your initial question (never had or used encrypted partitions)...but, for your question above: no. and AFAICT some have also had to deal with insufficient space--here are a few i found: http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... and google can turn up others..what i didn't find was a clear how it works or answers to all of your other questions...otoh i think Carlos gave you _the_ correct answer: *Backup* and by that i'm sure he means an OFF machine backup.. dd
On Thursday, July 25, 2013 09:12:02 AM DenverD wrote:
On 07/24/2013 11:59 PM, Marco Vittorini Orgeas wrote:
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
Am I really the only one who encrypts his files using the openSUSE approach?
sorry, i can't answer your initial question (never had or used encrypted partitions)...but, for your question above: no.
Actually openSUSE encrypts home folders by using an image file. There are *not* partitions involved.
and AFAICT some have also had to deal with insufficient space--here are a few i found:
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/481497-adding-physical-volumes-existing-luks-encrypted-lvm-expand-size.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/485347-almost-no-space-encrypted-partition.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/472194-sketchy-lvm-encryption-seeking-documentation-pointers.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/459788-lvm-running-out-space-after-clean-install.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/478414-cant-resize-encrypted-home-directory.html
Again all the links, but the last one, deal with problems about LVM and encrypted partitions, which are not related to my issue.
and google can turn up others..what i didn't find was a clear how it works or answers to all of your other questions...otoh i think Carlos gave you _the_ correct answer: *Backup* and by that i'm sure he means an OFF machine backup..
I've tried to find something related on the web, but didn't find anything relevant. Naturally I would proceed with a backup-first approach. I would be interested in the details of the "expansion" process; as I said, if it proceeds with a copy+delete, it wouldn't have the space required to do such a thing. Anyway, looking at the openSUSE forums reply rate, maybe I would have better posted there to get "users" support? Thank you again.
On Thu, Jul 25, 2013 at 7:43 AM, Marco Vittorini Orgeas <marco@vittorini.org> wrote:
On Thursday, July 25, 2013 09:12:02 AM DenverD wrote:
On 07/24/2013 11:59 PM, Marco Vittorini Orgeas wrote:
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
Am I really the only one who encrypts his files using the openSUSE approach?
sorry, i can't answer your initial question (never had or used encrypted partitions)...but, for your question above: no.
Actually openSUSE encrypts home folders by using an image file. There are *not* partitions involved.
and AFAICT some have also had to deal with insufficient space--here are a few i found:
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/481497-adding-physical-volumes-existing-luks-encrypted-lvm-expand-size.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/485347-almost-no-space-encrypted-partition.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/472194-sketchy-lvm-encryption-seeking-documentation-pointers.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/459788-lvm-running-out-space-after-clean-install.html
http://forums.opensuse.org/english/get-technical-help-here/install-boot-login/478414-cant-resize-encrypted-home-directory.html
Again all the links, but the last one, deal with problems about LVM and encrypted partitions, which are not related to my issue.
and google can turn up others..what i didn't find was a clear how it works or answers to all of your other questions...otoh i think Carlos gave you _the_ correct answer: *Backup* and by that i'm sure he means an OFF machine backup..
I've tried to find something related on the web, but didn't find anything relevant. Naturally I would proceed with a backup-first approach. I would be interested in the details of the "expansion" process; as I said, if it proceeds with a copy+delete, it wouldn't have the space required to do such a thing. Anyway, looking at the openSUSE forums reply rate, maybe I would have better posted there to get "users" support?
I've never been a fan of SuSE's approach to encrypting home directories for exactly the reasons you've run into, once you run out of space you're stuck. IMO using ecryptfs, as Ubuntu does, for user home directory encryption is a much better approach. Because it's a stackable filesystem you only need to expand the underlying file system to increase space so it's transparent. Also because it's a stacked filesystem you don't need to "resize" the mapping of the volume like you do if using dm-crypt, see cryptsetup(8) resize. On openSUSE 12.2+ when you install the ecryptfs-utils package it will properly update the pam configuration and set permissions accordingly, I wrote the pam-config patches for this and helped push the setuid bits through. Unfortunately there are currently issues with some of the ecryptfs-utils scripts, at least on openSuSE 12.3, which need to be addressed in order for things to be properly set up. The biggest I'm aware of is ecryptfs-setup-swap needs to be updated to support systemd and it doesn't always update the fstab swap entries. In its current state it doesn't work and I haven't had time to fix/patch it and push them upstream. Enjoy ;-) -- Later, Darin
On Thursday, July 25, 2013 09:12:43 AM Darin Perusich wrote:
On Thu, Jul 25, 2013 at 7:43 AM, Marco Vittorini Orgeas
I've never been a fan of SuSE's approach to encrypting home directories for exactly the reasons you've run into, once you run out of space you're stuck. IMO using ecryptfs, as Ubuntu does, for user home
Then, is it correct to assume that it will proceed with a copy+delete? In such a case an image file of 60GB inside a HDD drive of 100GB won't allow a copy+delete. I would bet it will proceed with that, but I can't assume for sure: e.g. Virtualbox somehow allows the resizing of its VM guest HDD images without a copy+delete: https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvdi .
directory encryption is a much better approach. Because it's a stackable filesystem you only need to expand the underlying file system to increase space so it's transparent. Also because it's a stacked filesystem you don't need to "resize" the mapping of the volume like you do if using dm-crypt, see cryptsetup(8) resize.
On openSUSE 12.2+ when you install the ecryptfs-utils package it will properly update the pam configuration and set permissions accordingly, I wrote the pam-config patches for this and helped push the setuid bits through. Unfortunately there are currently issues with some of the ecryptfs-utils scripts, at least on openSuSE 12.3, which need to be addressed in order for things to be properly set up. The biggest I'm aware of is ecryptfs-setup-swap needs to be updated to support systemd and it doesn't always update the fstab swap entries. In its current state it doesn't work and I haven't had time to fix/patch it and push them upstream.
Yes, I did look into it when I had to set up the OS, but the state wasn't completely bug-free so, given the critical nature of the function, I eventually preferred going ahead with the "official" and "supported" way to encrypt home dirs. I hope it will be polished out... also, why not add a helper script to convert the image file to an ecryptfs set-up? -- Marco
On Wednesday, 2013-07-24 at 23:59 +0200, Marco Vittorini Orgeas wrote:
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
It is the first time, AFAIR, that I know of some one attempting it.
Am I really the only one who encrypts his files using the openSUSE approach?
My memory can be faulty. But you are the only one I remember asking how to expand an encrypted home filesystem "a la suse". I do use yast encryption on a data partition; I would not know how to expand it, either. maybe here? http://tldp.org/HOWTO/html_single/Cryptoloop-HOWTO/ doc.opensuse.org --> security book ? -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On Sat, 27 Jul 2013 10:53:20 +0200 (CEST) "Carlos E. R." <robin.listas@telefonica.net> wrote:
On Wednesday, 2013-07-24 at 23:59 +0200, Marco Vittorini Orgeas wrote:
On Wednesday, July 24, 2013 12:18:51 PM Carlos E. R. wrote:
It is the first time, AFAIR, that I know of some one attempting it.
Am I really the only one who encrypts his files using the openSUSE approach?
My memory can be faulty. But you are the only one I remember asking how to expand an encrypted home filesystem "a la suse". I do use yast encryption on a data partition; I would not know how to expand it, either.
After file is resized - simply "cryptsetup resize". https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Resizing_th...
On Saturday, 2013-07-27 at 13:13 +0400, Andrey Borzenkov wrote:
On Sat, 27 Jul 2013 10:53:20 +0200 (CEST) "Carlos E. R." <> wrote:
My memory can be faulty. But you are the only one I remember asking how to expand an encrypted home filesystem "a la suse". I do use yast encryption on a data partition; I would not know how to expand it, either.
After file is resized - simply "cryptsetup resize".
https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Resizing_th...
Interesting... How would you expand the file? Right now I can only think of: cat bigfile >> loopedfile -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On Sat, 27 Jul 2013 20:50:24 +0200 (CEST) "Carlos E. R." <robin.listas@telefonica.net> wrote:
On Saturday, 2013-07-27 at 13:13 +0400, Andrey Borzenkov wrote:
On Sat, 27 Jul 2013 10:53:20 +0200 (CEST) "Carlos E. R." <> wrote:
My memory can be faulty. But you are the only one I remember asking how to expand an encrypted home filesystem "a la suse". I do use yast encryption on a data partition; I would not know how to expand it, either.
After file is resized - simply "cryptsetup resize".
https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Resizing_th...
Interesting...
How would you expand the file?
One method is described in the above link.
On Sunday, 2013-07-28 at 08:10 +0400, Andrey Borzenkov wrote:
Interesting...
How would you expand the file?
One method is described in the above link.
Ah, ok. As I do not need to do it, for the moment, I'm just storing knowledge, so I did not actually look at the link. Thanks. -- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
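The in-place route the thread converges on (grow the image file, then "cryptsetup resize") is sketched here as an added example; it is not code from any poster and makes no claim about what YaST does internally. It assumes the image is a loop-attached dm-crypt/LUKS container holding an ext2/3/4 filesystem; the function names and the mapping name argument are hypothetical.

```shell
#!/bin/sh
# Added example: enlarge a loop-backed encrypted image without a second copy.
# Take an off-machine backup before running anything like this on real data.

# grow_image FILE EXTRA_MIB
# Extends FILE by EXTRA_MIB MiB by setting a larger file length. The existing
# bytes (header and ciphertext) are not rewritten, so no copy+delete and no
# temporary second image is needed; the new tail is sparse until written.
grow_image() {
    img=$1
    extra_mib=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    case $extra_mib in
        ''|*[!0-9]*) echo "size must be a whole number of MiB" >&2; return 1 ;;
    esac
    old=$(( $(wc -c < "$img") ))
    new=$(( old + extra_mib * 1048576 ))
    truncate -s "$new" "$img" || return 1
    # Confirm the file really has the new length before touching upper layers.
    [ "$(( $(wc -c < "$img") ))" -eq "$new" ]
}

# resize_stack FILE MAPPING   (needs root; image attached, mapping open)
# Propagates the new file size upward: loop device, dm-crypt mapping, filesystem.
resize_stack() {
    img=$1
    mapping=$2                                  # hypothetical mapping name
    loopdev=$(losetup -j "$img" | head -n 1 | cut -d: -f1)
    [ -n "$loopdev" ] || { echo "image is not attached to a loop device" >&2; return 1; }
    losetup -c "$loopdev" || return 1           # loop device re-reads the file size
    cryptsetup resize "$mapping" || return 1    # mapping grows to the device end
    resize2fs "/dev/mapper/$mapping"            # assumption: ext2/3/4 inside
}
```

Only `grow_image` changes the file itself; `resize_stack` leaves the key material untouched and can be repeated safely if a step fails partway.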
participants (5)
- Andrey Borzenkov
- Carlos E. R.
- Darin Perusich
- DenverD
- Marco Vittorini Orgeas