[opensuse] Encrypted Root Partition
I have been studying the article at http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO as to how to encrypt the root partition when installing. I'm about to upgrade my main laptop from 10.2 to 10.3 and plan to encrypt both root and /home. I do have a live CD so I can use this instead of the method described in the article. Any ideas how I'd go about it? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2007-12-26 at 15:53 -0800, Kai Ponte wrote:
I'm about to upgrade my main laptop from 10.2 to 10.3 and plan to encrypt both root and /home.
I would only encrypt home. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHcvrQtTMYHG2NR9URApknAJ0eCs/wSvf72Y1++W38CCf6QxAX1wCfZ0CV AiqzKQTSM+7m55DoRkEqx3M= =i6VL -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday 26 December 2007 17:07, Carlos E. R. wrote:
The Wednesday 2007-12-26 at 15:53 -0800, Kai Ponte wrote:
I'm about to upgrade my main laptop from 10.2 to 10.3 and plan to encrypt both root and /home.
I would only encrypt home.
You know, I was going to go that route. However, I have no clue what to do. I see there's an option for something like a crypto, but I've yet to find anything on google as to how. Say I have a 75GB home partition that I want to encrypt and want EXT3, what do I choose? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2007-12-26 at 17:51 -0800, Kai Ponte wrote:
I would only encrypt home.
You know, I was going to go that route.
However, I have no clue what to do. I see there's an option for something like a crypto, but I've yet to find anything on google as to how.
Say I have a 75GB home partition that I want to encrypt and want EXT3, what do I choose?
The easiest way is to start the yast partitioner module, and tell it to format a partition as ext3 encrypted. It will ask for the passphrase (better be long), and it will encrypt the partition - which can be /home, of course. Of course, it is a "format" tool, you loose any data on it, but that can't be helped (copy it somewhere else, and work as root meanwhile). There is another option, which I haven't tested, new for opensuse 10.3, that encrypts the home of a single user. It is done from the user management module. You can have pain users and encrypted users, and each one with a separate data space. If it is what I think, it creates an encripted filesystem on a file mounted on a loop in /home/USER- so you have to choose how much space to give it beforehand. The opensuse manual explains it, I think. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHc5SutTMYHG2NR9URAiOfAJ4n9zDyb6nBMlLsKgwOAO2ZbgkS2wCeNjnl whyLK9q1jBXYZvs+Pdjj7OM= =VZps -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Thu December 27 2007 05:03, Carlos E. R. wrote:
The Wednesday 2007-12-26 at 17:51 -0800, Kai Ponte wrote:
I would only encrypt home.
You know, I was going to go that route.
However, I have no clue what to do. I see there's an option for something like a crypto, but I've yet to find anything on google as to how.
Say I have a 75GB home partition that I want to encrypt and want EXT3, what do I choose?
The easiest way is to start the yast partitioner module, and tell it to format a partition as ext3 encrypted. It will ask for the passphrase (better be long), and it will encrypt the partition - which can be /home, of course. Of course, it is a "format" tool, you loose any data on it, but that can't be helped (copy it somewhere else, and work as root meanwhile).
This is what I would use to encrypt a large /home completely. But I would not recommend it. I tried this method first on my new laptop and I found that it has 2 disadvantages. If you let the password prompt time out or if you miss the password 3 times, you start a system without your /home. Obviously the mounting point /home is still there, but it is empty and you login into a fresh new environment created on the unencrypted root partition, which is highly inconvenient. It would be even worse, if you had encrypted the root partition. Second, once you unencrypt /home, it is all open until you shutdown, meaning that after suspend you are only protected by the lock-screen. Also, you cannot use you laptop in an untrusted environment without having your sensitive data exposed.
There is another option, which I haven't tested, new for opensuse 10.3, that encrypts the home of a single user. It is done from the user management module. You can have pain users and encrypted users, and each one with a separate data space.
If it is what I think, it creates an encripted filesystem on a file mounted on a loop in /home/USER- so you have to choose how much space to give it beforehand. The opensuse manual explains it, I think.
I am testing this right now. I only really need to encrypt one directory, which contains sensitive (under NDA), data and perhaps my Mail dir. So I created a crypt file under /home with 5GB (enough for the data; I need another one of these for my Mail) and mounted it to the top level sensitive directory in my home. If I just hit Enter 3 times without giving the passphrase, I can still use the laptop normally. The directory is there empty (actually it has now a file called NOTMOUNTED.txt to help me notice it is not mounted, since I once forgot and started copying data into the plain mounting point; this file does not show up if the encrypted loop-file is mounted.), if I want to use the laptop without exposing it. I just noticed in "man crypttab" that you can add an option "noauto" in /etc/crypttab, so that the boot process is not interrupted by the ugly text based passphrase question. I am going to try that. To mount and unmount the encrypted directories, you run as root: /etc/rc.d/boot.cryto restart /etc/rc.d/boot.crypto stop respectively. Ideally, I would like the mounting and unmounting to be more convenient, maybe from within Konqueror, and that the crypto files are unmounted automatically at suspend (can I add that to /etc/pm/sleep.d ?). -- Carlos FL Who is General Failure, and why is he reading my disk? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Thursday 2007-12-27 at 12:44 -0700, Carlos F Lange wrote: ...
The easiest way is to start the yast partitioner module, and tell it to format a partition as ext3 encrypted. It will ask for the passphrase (better be long), and it will encrypt the partition - which can be /home, of course. Of course, it is a "format" tool, you loose any data on it, but that can't be helped (copy it somewhere else, and work as root meanwhile).
This is what I would use to encrypt a large /home completely. But I would not recommend it. I tried this method first on my new laptop and I found that it has 2 disadvantages. If you let the password prompt time out or if you miss the password 3 times, you start a system without your /home. Obviously the mounting point /home is still there, but it is empty and you login into a fresh new environment created on the unencrypted root partition, which is highly inconvenient. It would be even worse, if you had encrypted the root partition.
True. Let me see, perhaps there is a workaround :-? You can use a script to detect if the partition has been mounted, and, for instance, make the system revert to runlevel 3. For instance, I use this to detect if an external drive has been mounted: MOUNT=`mount | grep /mnt/usb/usb_sg60` <======= I grep for mount point if ! test -n "$MOUNT" ; then echo "*** ERROR: No se pudo montar el dispositivo de respaldo en usb, abortando" echo echo $MOUNT exit fi I would insert this test in "/etc/init.d/xdm". If a third party picks the portable, it would be some time before they notice what is wrong ;-)
Second, once you unencrypt /home, it is all open until you shutdown, meaning that after suspend you are only protected by the lock-screen. Also, you cannot use you laptop in an untrusted environment without having your sensitive data exposed.
Yes, but that's true of almost any scheme. About the suspend... it is possible to encrypt swap. It uses some kind of automatic password. I think it use is to deter somebody else from mounting the disk and reading the memory "in plain", but the key is there somehow, in order to be automatic.
There is another option, which I haven't tested, new for opensuse 10.3, that encrypts the home of a single user. It is done from the user management module. You can have pain users and encrypted users, and each one with a separate data space.
If it is what I think, it creates an encripted filesystem on a file mounted on a loop in /home/USER- so you have to choose how much space to give it beforehand. The opensuse manual explains it, I think.
I am testing this right now. I only really need to encrypt one directory, which contains sensitive (under NDA), data and perhaps my Mail dir. So I created a crypt file under /home with 5GB (enough for the data; I need another one of these for my Mail) and mounted it to the top level sensitive directory in my home. If I just hit Enter 3 times without giving the passphrase, I can still use the laptop normally. The directory is there empty (actually it has now a file called NOTMOUNTED.txt to help me notice it is not mounted, since I once forgot and started copying data into the plain mounting point; this file does not show up if the encrypted loop-file is mounted.), if I want to use the laptop without exposing it.
Yep, "known" thing. I always create an empty file named "notmounted" into all my mount points.
I just noticed in "man crypttab" that you can add an option "noauto" in /etc/crypttab, so that the boot process is not interrupted by the ugly text based passphrase question. I am going to try that.
Yes, it works, I use it. But do you use those for the "per user" encrypted directories? I don't like that too much.
To mount and unmount the encrypted directories, you run as root: /etc/rc.d/boot.cryto restart /etc/rc.d/boot.crypto stop respectively.
Ideally, I would like the mounting and unmounting to be more convenient, maybe from within Konqueror, and that the crypto files are unmounted automatically at suspend (can I add that to /etc/pm/sleep.d ?).
There is a type of encrypted filesystems, use for instance on external usb drives, that automatically request the password when plugged on. They use "LUKS" (I'm writing from memory), and the encryption information is written in to the header of the filesystem. I believe KDE handles them transparently. I hopped the per user encrypted homes would be handled similarly :-? About umounting when suspending, yes, it is possible, with a snag: if a file is open at that moment, umounting fails. You could then reject suspend or continue, but I don't know if it would be possible to ask the user: the script will have to use one or the other method with no questions. Plus, a program like OOo may have an unencrypted temporary version of the file (in /tmp, perhaps; dunno). - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHdOKOtTMYHG2NR9URApgCAKCKzBgRx63dDEb/3Lh2cR87V3j6wACggOwj GsFeFcvcK+rWMyBz5YZHZe8= =0r/U -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Kai Ponte wrote:
I have been studying the article at http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO as to how to encrypt the root partition when installing.
I'm about to upgrade my main laptop from 10.2 to 10.3 and plan to encrypt both root and /home.
Encrypting root sounds like a very bad idea. load fire! aim Same thing applies for anything outside of /home and/or a /data filesystem.
I do have a live CD so I can use this instead of the method described in the article. Any ideas how I'd go about it?
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (4)
-
Aaron Kulkis -
Carlos E. R. -
Carlos F Lange -
Kai Ponte