[opensuse] Cleanest way to mount LUKS
Hello,

I would like to create a LUKS drive, requiring a password to access, in order to store data for a confidential project. I don't think I want to encrypt the entire machine as my CPU is pretty basic (Pentium G2120) and I'm worried about performance. (Or is this a non-issue?)

Anyway - what is the cleanest way to create and then mount a LUKS drive in Leap? Ideally I want some sort of automount with a GUI prompt for password when I try to access the path. I could live with a manual mount command and password entry, provided I do not have to do it as root.

Also, should I use a file or a partition? Is it possible to have a LUKS drive that grows automatically as needed if I use a file?

-- 
Yours, Mikhail Ramendik

Unless explicitly stated, all opinions in my mail are my own and do not reflect the views of any organization

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, 2017-12-11 at 20:52 -0000, Mikhail Ramendik wrote:
Hello,
I would like to create a LUKS drive, requiring a password to access, in order to store data for a confidential project.
I don't think I want to encrypt the entire machine as my CPU is pretty basic (Pentium G2120) and I'm worried about performance. (Or is this a non-issue?)
Non-issue :-) Unless your workload is disk-intensive. I typically only encrypt /home or /data directories, not the system. However, programs may use temporary spaces, so you might consider full system encryption.
Anyway - what is the cleanest way to create and then mount a LUKS drive in Leap?
YaST to create it, and add entries to fstab.
Ideally I want some sort of automount with a GUI prompt for password when I try to access the path. I could live with a manual mount command and password entry, provided I do not have to do it as root.
The system will prompt for password during boot, if the partition is mounted by default in fstab. Graphically if you use Plymouth (the default). I do it noauto and mount manually. Actually, I wrote my own scripts. You can also define the home of a particular user to use encryption (defined size) and it will ask for the password at login. Unsure it will umount at logout, though; I remember an old bug somewhere.
Also, should I use a file or a partition?
Either. I have used both. I think I prefer partitions.
Is it possible to have a LUKS drive that grows automatically as needed if I use a file?
Not that I know.

- -- 
Cheers,
Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlou9lcACgkQtTMYHG2NR9XbuQCgjtRxq/YHdbsQd6C/HqcHO7nH
nDkAn2i45kev7wC7vcNLl7av7LvyecaA
=6K7/
-----END PGP SIGNATURE-----
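Carlos's "noauto and mount manually" and Mikhail's wish to do it without the root password can be combined: udisks2 (the same D-Bus service KDE uses when Vojtěch plugs in an encrypted USB drive, later in this thread) will attach, unlock and mount a LUKS container for an ordinary logged-in user, with polkit rather than sudo deciding who may do it. The script below is an added example written for this page, not the script Carlos refers to and not openSUSE tooling; the image path, size and mapper name are placeholders.

```shell
#!/bin/sh
# Added example, not the script Carlos refers to: create a LUKS2 container in
# a regular file, then unlock and mount it as an ordinary user via udisks2,
# so the only secret typed is the LUKS passphrase (polkit, not sudo, grants
# the operation). Paths, sizes and the mapper name are placeholders.
set -eu

# run CMD ARGS...: echo the command, then execute it unless DRYRUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "${DRYRUN:-}" ] || "$@"
}

# luks_create IMG SIZE NAME: allocate IMG, format it as LUKS2 (cryptsetup
# prompts twice for the new passphrase), create ext4 inside, lock it again.
# Needs root. The image is chowned to the invoking user so that udisks will
# later attach the loop device read-write for that user.
luks_create() {
    img=$1; size=$2; name=$3
    run fallocate -l "$size" "$img"
    run chmod 600 "$img"
    run chown "${SUDO_USER:-$(id -un)}" "$img"
    run cryptsetup luksFormat --type luks2 "$img"
    run cryptsetup open "$img" "$name"
    run mkfs.ext4 -q -L "$name" "/dev/mapper/$name"
    run cryptsetup close "$name"
}

# device_from_msg MSG: extract the device udisksctl reports, e.g.
# "Mapped file /home/mikhail/vault.img as /dev/loop0." -> /dev/loop0
# "Unlocked /dev/loop0 as /dev/dm-3."                  -> /dev/dm-3
device_from_msg() {
    printf '%s\n' "$1" | sed -n 's/.* as \(\/dev\/[^ ]*\)\.$/\1/p'
}

# user_mount IMG: the non-root path. udisksctl asks udisks2 over D-Bus; polkit
# decides whether the active local user may attach, unlock and mount, and the
# desktop's polkit agent shows the passphrase dialog (the same prompt KDE
# shows for a plugged-in LUKS USB drive). udisks picks the mount point,
# normally /run/media/<user>/<label>.
user_mount() {
    img=$1
    loopdev=$(device_from_msg "$(udisksctl loop-setup -f "$img")")
    dmdev=$(device_from_msg "$(udisksctl unlock -b "$loopdev")")
    udisksctl mount -b "$dmdev"
    echo "attached as $loopdev (pass this to umount)"
}

# user_umount LOOPDEV: reverse order, innermost layer first.
user_umount() {
    loopdev=$1
    dmdev=$(lsblk -nro PATH "$loopdev" | sed -n 2p)   # the unlocked mapping
    udisksctl unmount -b "$dmdev"
    udisksctl lock -b "$loopdev"
    udisksctl loop-delete -b "$loopdev"
}

case "${1:-}" in
    create) luks_create "$2" "$3" "$4" ;;   # sudo ./luksfile.sh create ~/vault.img 20G vault
    mount)  user_mount "$2" ;;              # ./luksfile.sh mount ~/vault.img
    umount) user_umount "$2" ;;             # ./luksfile.sh umount /dev/loop0
esac
```

Two caveats a practitioner should know. First, udisks treats an internal partition as a "system" device, and the default policy for the actions org.freedesktop.udisks2.encrypted-unlock-system and org.freedesktop.udisks2.filesystem-mount-system asks for administrator authentication, which is exactly the second password Mikhail wants to avoid; a file container (a loop device) or a partition on a removable drive is not subject to that default, and a rule under /etc/polkit-1/rules.d can grant the system-device actions to a group. Second, fallocate leaves the image full of zeros, and blocks the filesystem never writes stay zero even after LUKS is on top, so an attacker with the file can see how much of it is in use; writing zeros to /dev/mapper/NAME once after the first open fills the whole image with ciphertext, at the cost of writing the full size.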
On 11 December 2017 at 21:19, Carlos E. R. <robin.listas@telefonica.net> wrote:
I don't think I want to encrypt the entire machine as my CPU is pretty basic (Pentium G2120) and I'm worried about performance. (Or is this a non-issue?)
Non issue :-)
Unless your workload is disk intensive.
I typically only encrypt /home or /data directories, not the system. However, programs may use temporary spaces, so you might consider full system encryption.
Well, /home might be a workable compromise. The system is sometimes swap-intensive, SSD is being installed specifically to speed things up, so I think encrypting swap would be self-defeating. But encryption might be ok for /home. Or else just an encrypted area for the project.

Also I wonder if it might be possible to wipe swap at shutdown. The probability of the system being stolen while turned on is very small - it is a desktop. But if the home is broken into in my absence, it's a different story. Actually, if the machine does get stolen the probability of someone actually analysing swap is also small, but still I'd like to remove that chance if possible.
Ideally I want some sort of automount with a GUI prompt for password when I try to access the path. I could live with a manual mount command and password entry, provided I do not have to do it as root.
The system will prompt for password during boot, if the partition is mounted by default in fstab. Graphically if you use Plymouth (the default).
I do it noauto and mount manually. Actually, I wrote my own scripts.
And how do your scripts work? You added something to sudo's config so they can use sudo to mount manually? Manual mounting could be great for me but I want to avoid entering two passwords (root and LUKS).

-- 
Yours, Mikhail Ramendik

Unless explicitly stated, all opinions in my mail are my own and do not reflect the views of any organization
On Monday, 2017-12-11 at 22:18 -0000, Mikhail Ramendik wrote:
On 11 December 2017 at 21:19, Carlos E. R. <robin.listas@telefonica.net> wrote:
I don't think I want to encrypt the entire machine as my CPU is pretty basic (Pentium G2120) and I'm worried about performance. (Or is this a non-issue?)
Non issue :-)
Unless your workload is disk intensive.
I typically only encrypt /home or /data directories, not the system. However, programs may use temporary spaces, so you might consider full system encryption.
Well, /home might be a workable compromise. The system is sometimes swap-intensive, SSD is being installed specifically to speed things up, so I think encrypting swap would be self-defeating. But encryption might be ok for /home. Or else just an encrypted area for the project.
Yes, any of that is doable.
Also I wonder if it might be possible to wipe swap at shutdown. The probability of the system being stolen while turned on is very small - it is a desktop. But if the home is broken into in my absence, it's a different story. Actually, if the machine does get stolen the probability of someone actually analysing swap is also small, but still I'd like to remove that chance if possible.
Yes, I think it would be doable, but you have to script it yourself. Actually, add a system service that does it during halt. It would have to set swap off, then overwrite it entirely with zeroes (it is SSD, so don't bother about writing random data), then reformat as swap again, with the proper options so that it is correct for fstab on next boot.
Ideally I want some sort of automount with a GUI prompt for password when I try to access the path. I could live with a manual mount command and password entry, provided I do not have to do it as root.
The system will prompt for password during boot, if the partition is mounted by default in fstab. Graphically if you use Plymouth (the default).
I do it noauto and mount manually. Actually, I wrote my own scripts.
And how do your scripts work? You added something to sudo's config so they can use sudo to mount manually?
I can have a look tomorrow at what I did (it is 1:43 AM here), but you should not /need/ it. It just makes life simpler for me, because my scripts make it similar to pre-systemd times.
Manual mounting could be great for me but I want to avoid entering two passwords (root and LUKS).
You have to. One is long, the encryption password. The other is typically shorter, for login. Yes, you can set up passwordless login, but that is highly unusual for root.

- -- 
Cheers,
Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
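The shutdown-time swap wipe Carlos sketches above (swapoff, overwrite, re-create as swap so fstab still works), as an added example for this page rather than anything posted in the thread. The device path and UUID are placeholders. The re-created swap keeps its old UUID on purpose, since openSUSE's fstab refers to the swap partition by UUID; on an SSD one discard over the partition replaces the zero-fill. The usual alternative, not discussed in the thread, is dm-crypt swap with a random per-boot key via /etc/crypttab, which costs the CPU time Mikhail is trying to save.

```shell
#!/bin/sh
# Added example (not from the thread): wipe the swap partition at shutdown as
# Carlos sketches it, as a script plus the systemd unit that runs it.
# Device path and UUID below are placeholders; adjust for your machine.
set -eu

# run CMD ARGS...: echo the command, then execute it unless DRYRUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "${DRYRUN:-}" ] || "$@"
}

# wipe_swap DEV [UUID] [METHOD]: swapoff, erase, re-create swap with the SAME
# UUID so the fstab entry keeps working on the next boot. METHOD is "discard"
# (SSD: one TRIM over the whole partition) or "zero" (overwrite with zeros,
# for spinning disks or drives without discard support).
wipe_swap() {
    dev=$1
    uuid=${2:-$(blkid -s UUID -o value "$dev")}
    method=${3:-discard}
    # systemd may already have stopped the swap unit before we run; that is fine
    run swapoff "$dev" || true
    case $method in
        discard) run blkdiscard "$dev" ;;
        # dd stops with ENOSPC at the end of the partition, which is expected
        zero)    run dd if=/dev/zero of="$dev" bs=4M status=none || true ;;
        *)       echo "unknown method: $method" >&2; return 1 ;;
    esac
    run mkswap -U "$uuid" "$dev"
}

# unit_file DEV: the service that runs wipe_swap during shutdown. With
# DefaultDependencies=no and Before=shutdown.target it is started as part of
# the shutdown transaction, while the block device is still present.
unit_file() {
    cat <<EOF
[Unit]
Description=Wipe swap on $1 at shutdown
DefaultDependencies=no
Before=shutdown.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/wipe-swap wipe $1

[Install]
WantedBy=shutdown.target
EOF
}

# Installation (as root):
#   install -m 755 wipe-swap.sh /usr/local/sbin/wipe-swap
#   wipe-swap unit /dev/sda3 > /etc/systemd/system/wipe-swap.service
#   systemctl daemon-reload && systemctl enable wipe-swap.service
case "${1:-}" in
    unit) unit_file "$2" ;;
    wipe) wipe_swap "$2" "${3:-}" "${4:-}" ;;
esac
```

Limits worth stating: this only runs on a clean shutdown, so a power cut, a hard reset or a theft while running leaves swap as it was; hibernation writes the whole RAM image to swap and should be disabled if this is the only protection; and blkdiscard merely tells the SSD the blocks are unused, so whether reads return zeros afterwards depends on the drive's TRIM behaviour.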
On 2017-12-12 at 01:45 +0100, Carlos E. R. wrote:
On Monday, 2017-12-11 at 22:18 -0000, Mikhail Ramendik wrote:
On 11 December 2017 at 21:19, Carlos E. R. <> wrote:
The system will prompt for password during boot, if the partition is mounted by default in fstab. Graphically if you use Plymouth (the default).
I do it noauto and mount manually. Actually, I wrote my own scripts.
And how do your scripts work? You added something to sudo's config so they can use sudo to mount manually?
I can have a look tomorrow at what I did (it is 1:43 AM here), but you should not /need/ it. It just makes life simpler for me, because my scripts make it similar to pre-systemd times.
The manual command line is:

    cryptsetup luksOpen $CR_DEVICE $CR_NAME
    mount $FSTAB_MOUNT

What my script does is simply find the exact parameters to enter, so that I run:

    crypto_mount [DEVMAP|MOUNT_POINT]

and it does it. Script is attached. You have to copy it to /usr/local/bin/crypto_mount and create several symlinks:

    /usr/local/bin/crypto_ -> crypto_mount*
    /usr/local/bin/crypto_fsck -> crypto_mount*
    /usr/local/bin/crypto_info -> crypto_mount*
    /usr/local/bin/crypto_lst -> crypto_mount*
    /usr/local/bin/crypto_map -> crypto_mount*
    /usr/local/bin/crypto_mount*
    /usr/local/bin/crypto_mount~*
    /usr/local/bin/crypto_sinfo -> crypto_mount*
    /usr/local/bin/crypto_umount -> crypto_mount*
    /usr/local/bin/crypto_unmap -> crypto_mount*

- -- 
Cheers
Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" (Minas Tirith))
On Mon, 11 Dec 2017 22:19:19 +0100 (CET) "Carlos E. R." <robin.listas@telefonica.net> wrote:
On Monday, 2017-12-11 at 20:52 -0000, Mikhail Ramendik wrote:
Is it possible to have a LUKS drive that grows automatically as needed if I use a file?
Not that I know.
You can do it with either a partition or a file. Start at the outside and work in through the layers until you extend the filesystem on the inside. Search online for 'extend luks file' if you need instructions.
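Dave's outside-in order for a file-backed container, spelled out as an added example for this page (not from the thread): file, then the loop device that backs it, then the dm-crypt mapping, then the filesystem. Paths, the new size and the mapper name are placeholders; the filesystem is assumed to be ext4, which can be grown while mounted.

```shell
#!/bin/sh
# Added example, not from the thread: grow a LUKS container kept in a file,
# outside-in as Dave describes: file -> loop device -> dm-crypt mapping ->
# filesystem. Paths, sizes and the mapper name are placeholders.
set -eu

# run CMD ARGS...: echo the command, then execute it unless DRYRUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "${DRYRUN:-}" ] || "$@"
}

# luks_grow IMG NEWSIZE NAME [LOOPDEV]
#   IMG     the container file
#   NEWSIZE new total size, e.g. 40G (must be larger than today)
#   NAME    the open mapping, /dev/mapper/NAME; the filesystem may stay mounted
#   LOOPDEV the loop device IMG is attached to; looked up with losetup -j if
#           omitted (cryptsetup and udisks both attach files via a loop device)
luks_grow() {
    img=$1; newsize=$2; name=$3
    loopdev=${4:-$(losetup -j "$img" | cut -d: -f1 | head -n1)}
    [ -n "$loopdev" ] || { echo "no loop device backs $img; open it first" >&2; return 1; }
    # 1. outermost: extend the file (fallocate only ever grows it)
    run fallocate -l "$newsize" "$img"
    # 2. make the loop driver re-read the backing file's size
    run losetup -c "$loopdev"
    # 3. extend the dm-crypt mapping to the loop device's new size. LUKS2
    #    prompts for the passphrase again: the volume key lives in the kernel
    #    keyring and must be re-supplied to reload the mapping.
    run cryptsetup resize "$name"
    # 4. innermost: grow ext4 online to fill the mapping
    run resize2fs "/dev/mapper/$name"
}

case "${1:-}" in
    grow) luks_grow "$2" "$3" "$4" "${5:-}" ;;   # sudo ./luksgrow.sh grow ~/vault.img 40G vault
esac
```

For a partition the first two steps become "grow the partition (parted resizepart or growpart) and let the kernel re-read the table"; steps 3 and 4 are the same. If the container was unlocked by udisks rather than by hand, the mapping is named luks-<UUID>, which is what cryptsetup resize needs. If the filesystem is unmounted when you grow it, run e2fsck -f on the mapping first; resize2fs insists on it offline.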
On Monday, 11 December 2017 21:52:03 CET, Mikhail Ramendik wrote:
I would like to create a LUKS drive, requiring a password to access, in order to store data for a confidential project. I don't think I want to encrypt the entire machine as my CPU is pretty basic (Pentium G2120) and I'm worried about performance. (Or is this a non-issue?)
I was using it on old Celerons and it worked well. So I'd give it a try. I used to have fully encrypted / and it works fine.
Anyway - what is the cleanest way to create and then mount a LUKS drive in Leap? Ideally I want some sort of automount with a GUI prompt for password when I try to access the path. I could live with a manual mount command and password entry, provided I do not have to do it as root.
Click in YaST. You can directly mount it there. If you make it an external drive like this (I also do so), when I plug in such a drive, KDE (or whatever you are using) will ask for the password and then it will be mounted like any other external drive. If you add an entry to fstab to mount it during boot, you might have issues displaying the prompt for entering the password (Plymouth sometimes doesn't work perfectly); install blogd instead of Plymouth.

-- 
Vojtěch Zeisek
https://trapa.cz/
participants (4):
- Carlos E. R.
- Dave Howorth
- Mikhail Ramendik
- Vojtěch Zeisek