Oops, didn't reply to list. -------- Original Message -------- Subject: Re: [opensuse] Cautionary tale re encrypted HOME directory Date: Tue, 31 Jan 2012 17:39:52 +1100 From: Tim Serong <tserong@suse.com> To: Basil Chupin <blchupin@iinet.net.au> On 01/31/2012 05:27 PM, Basil Chupin wrote:

On 31/01/12 17:02, Tim Serong wrote:

...

On 01/31/2012 04:52 PM, Anders Johansson wrote:

...

On Tuesday 31 January 2012 15:14:30 Tim Serong wrote:

...

The story is different if you specifically encrypt a file with GPG (or whatever) then copy that encrypted file elsewhere.

This is an important difference between block-level and file-level operations.

You really don't want to have file level encryption on your entire /home. You would need to enter your encryption key every time a file was opened. Once for .bashrc, once for .bash_history, once for .profile etc etc etc.

A scheme like that would last exactly 5.4 seconds, then you'd reformat with something sane

Good point :)

It's worth mentioning, you can (or should be able to somehow - I haven't tried lately) do block-level encryption on an external hard disk, same as you can for a disk/partition that's physically inside your system. So, backup files to the encrypted block device from your encrypted /home partition, and life is (or should be) good/sane.

I like this idea very much.

Can you suggest how this could be achieved considering that I am using an external USB HDD which, at the moment, is totally formatted in ntfs (Ok, no drama in splitting it into 2 halves as before with 50% ntfs and 50% ext4)? Thanks muchly.

Off the top of my head - you'd probably have to reformat/repartition it. I don't know if there's an option to encrypt an existing volume. The yast partitioner applet(?) should give you an "encrypt volume" option when creating a new partition. HTH, Tim -- Tim Serong Senior Clustering Engineer SUSE tserong@suse.com -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org