Re: [opensuse] Encrypted root, two disks
On Wed, 2 April 2014 10:49:04 you wrote:
On Wed, Apr 2, 2014 at 10:39 AM, Vojtěch Zeisek <vojtech.zeisek@opensuse.org> wrote:
On Wed, 2 April 2014 10:30:13 you wrote:
On Wed, Apr 2, 2014 at 10:16 AM, Vojtěch Zeisek <vojtech.zeisek@opensuse.org> wrote:
On Wed, 2 April 2014 09:31:18 you wrote:
On Apr 2, 2014 6:01 AM, "Vojtěch Zeisek" <vojtech.zeisek@opensuse.org> wrote:
Instead of encrypting the whole partition or file system for /home you can use eCryptfs to encrypt $HOME for each user, which sounds like it's only you. eCryptfs is WAY more flexible than that built-in encrypted, not easily expandable image thing that openSUSE/YaST uses for creating encrypted home directories. If you're using openSUSE >=12.3 it's fairly seamless to get started: installing ecryptfs-utils will set up all the needed PAM bits, then you need to migrate a user's homedir and you'll be all set.
eCryptfs has a utility, ecryptfs-migrate-home, to migrate a user's unencrypted home directory to use ecryptfs. While you don't need it, there's also a utility to encrypt swap, ecryptfs-setup-swap, which should also be encrypted.
If you're a bit leery about migrating, depending on how much data exists in your $HOME, create a test account to migrate to get yourself comfortable with it.
Here's a good article from one of the maintainers. http://blog.dustinkirkland.com/2011/02/long-overdue-introduction-ecryptfs.html
It seems like an interesting tool, but I feel it is a step backwards... It doesn't seem like the way I'd like to follow. But thanks anyway. :-)
Having used the existing/current encryption mechanisms, dmcrypt and the link, for many, many years I'd argue the opposite: they're a step backwards and ecryptfs is where people should be moving to. This is why I've spent time patching (ecryptfs-util and pam-config) and getting it working more seamlessly in SuSE.
One of the beauties of ecryptfs is that it's pass-thru encryption which is layered above the file systems, so everything that hits it gets encrypted. If you grow/extend your volumes there's no additional step of using cryptsetup to resize the mapping, which is something that can be easily forgotten/missed.
Enjoy ;-)
Can you secure the whole FS with it?
Yes, see https://help.ubuntu.com/10.04/serverguide/ecryptfs.html for some examples; however, I've never used it to encrypt /. Personally I do not use encryption for non-data locations, i.e. /, /usr, etc., since IMO that doesn't buy you anything other than unnecessary overhead.
Interesting. Still, I'd prefer a whole disk solution, but this also sounds good. Well, I don't see any performance losses when using an encrypted root...
All the best,
V.
--
Vojtěch Zeisek
Community of the openSUSE GNU/Linux
http://www.opensuse.org/
http://trapa.cz/