Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Kfir Lavi
On Mon, Jan 2, 2012 at 10:07 AM, Stéphane Guedon steph...@22decembre.eu wrote:

 Hi all

 I may ask something already discussed, but I can't find any good
 documentation.
 I am wondering of how to secure my home repository on my laptop. I am
 thinking
 of cryptography and other things (the password uncrypt the repository and
 allows to read files...).

 What tool to use for ? Anybody knows a good doc (in french would be really
 good) ?

 I am not really paranoid, but I work now in a quite important environment
 and want any data I get out to be secured...
 --
 Stéphane Guedon
 http://www.22decembre.eu/
 http://lectures.22decembre.eu/
 carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf


You can use 'encfs'. It is really trivial.
You need to create a directory where you will put the encrypted files like
this:
encfs ~/.encdir ~/workdir

Read this for a lot more info:
http://movingtofreedom.org/2007/02/21/howto-encfs-encrypted-file-system-in-ubuntu-and-fedora-gnu-linux/

But, what I told you is basically what you need.

Regards,
Kfir


Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Florian Philipp
Am 02.01.2012 09:07, schrieb Stéphane Guedon:
 Hi all
 
 I may ask something already discussed, but I can't find any good 
 documentation.
 I am wondering of how to secure my home repository on my laptop. I am 
 thinking 
 of cryptography and other things (the password uncrypt the repository and 
 allows to read files...).
 
 What tool to use for ? Anybody knows a good doc (in french would be really 
 good) ?
 
 I am not really paranoid, but I work now in a quite important environment 
 and want any data I get out to be secured...

I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
device under the actual file system. Gentoo wiki has some tutorials on
it (although you don't need much of it): [1] [2]

If you only want to encrypt your home partition, you only need to follow
these steps:

1. Create an encrypted partition (see `man cryptsetup`)
2. Move /home/* over to it (don't forget backup)
3. Configure /etc/conf.d/dmcrypt
4. Add /etc/init.d/dmcrypt to boot runlevel

Then the init script will ask you for the password at boot. dm-crypt
allows multiple passwords per partition so that different users can have
different passwords.

The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
It allows you to use the login password to automatically decrypt a
partition and mount it as /home/$user. [2] has a section about it.
However, this breaks easily and is pretty hard to administrate if you
have no experience with dm-crypt and pam. I recommend the first solution.

[1]
http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
[2] http://en.gentoo-wiki.com/wiki/DM-Crypt

Regards,
Florian Philipp





Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Florian Philipp
Am 02.01.2012 11:49, schrieb Florian Philipp:
 Am 02.01.2012 09:07, schrieb Stéphane Guedon:
 Hi all

 I may ask something already discussed, but I can't find any good 
 documentation.
 I am wondering of how to secure my home repository on my laptop. I am 
 thinking 
 of cryptography and other things (the password uncrypt the repository and 
 allows to read files...).

 What tool to use for ? Anybody knows a good doc (in french would be really 
 good) ?

 I am not really paranoid, but I work now in a quite important environment 
 and want any data I get out to be secured...
 
 I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
 device under the actual file system. Gentoo wiki has some tutorials on
 it (although you don't need much of it): [1] [2]
 
 If you only want to encrypt your home partition, you only need to follow
 these steps:
 
 1. Create an encrypted partition (see `man cryptsetup`)
 2. Move /home/* over to it (don't forget backup)
 3. Configure /etc/conf.d/dmcrypt
 4. Add /etc/init.d/dmcrypt to boot runlevel
5. Add it to /etc/fstab (the 'target=' line in /etc/conf.d/dmcrypt
specifies the name).
 [...]

I recommend testing it with some easily recoverable file system like
/var/tmp or /usr/src/portage.
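
Steps 1 to 5 above as commands, plus a check that the `target=` name in the dmcrypt configuration matches the device mounted in fstab (an added example, not part of the original post and not Gentoo's own script). The placeholder device `/dev/sdXN`, the mapping name `home`, the ext4 file system and the helper names `dmcrypt_targets` and `check_crypt_mount` are assumptions.

```sh
#!/bin/sh
# Steps 1, 2 and 4 as commands (run as root; /dev/sdXN is a placeholder and
# the mapping name "home" is an assumption):
#   cryptsetup luksFormat /dev/sdXN        # 1. create the LUKS container
#   cryptsetup luksOpen /dev/sdXN home     #    appears as /dev/mapper/home
#   mkfs.ext4 /dev/mapper/home             #    then mount it and
#   cp -a /home/. /mnt/newhome/            # 2. copy the data over
#   rc-update add dmcrypt boot             # 4.
# Steps 3 and 5 are the two files checked below.

# Print every target= name declared in a conf.d/dmcrypt-style file.
dmcrypt_targets() {
    sed -n "s/^[[:space:]]*target=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1"
}

# usage: check_crypt_mount <dmcrypt-conf> <fstab> <mountpoint>
# Prints the target whose /dev/mapper node is mounted there; returns 1 if none.
check_crypt_mount() {
    for t in $(dmcrypt_targets "$1"); do
        if awk -v dev="/dev/mapper/$t" -v mp="$3" \
            '$1 == dev && $2 == mp { found = 1 } END { exit !found }' "$2"
        then
            echo "$t"
            return 0
        fi
    done
    return 1
}

# Constructed sample files, not taken from the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/dmcrypt" <<'EOF'
# /etc/conf.d/dmcrypt
target=home
source='/dev/sdXN'
EOF
cat > "$sample_dir/fstab" <<'EOF'
/dev/sda1         /      ext4  noatime  0 1
/dev/mapper/home  /home  ext4  noatime  0 2
EOF

if check_crypt_mount "$sample_dir/dmcrypt" "$sample_dir/fstab" /home >/dev/null
then echo "/home is on an encrypted mapping"
else echo "/home is NOT on a mapping opened by dmcrypt"
fi
```

An fstab line that still names the raw partition instead of `/dev/mapper/home` makes the check fail, which is the mismatch step 5 guards against.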





Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Stéphane Guedon
On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
 Am 02.01.2012 09:07, schrieb Stéphane Guedon:
  Hi all
  
  I may ask something already discussed, but I can't find any good
  documentation. I am wondering of how to secure my home repository on my
  laptop. I am thinking of cryptography and other things (the password
  uncrypt the repository and allows to read files...).
  
  What tool to use for ? Anybody knows a good doc (in french would be
  really good) ?
  
  I am not really paranoid, but I work now in a quite important
  environment and want any data I get out to be secured...
 
 I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
 device under the actual file system. Gentoo wiki has some tutorials on
 it (although you don't need much of it): [1] [2]
 
 If you only want to encrypt your home partition, you only need to follow
 these steps:
 
 1. Create an encrypted partition (see `man cryptsetup`)
 2. Move /home/* over to it (don't forget backup)
 3. Configure /etc/conf.d/dmcrypt
 4. Add /etc/init.d/dmcrypt to boot runlevel
 
 Then the init script will ask you for the password at boot. dm-crypt
 allows multiple passwords per partition so that different users can have
 different passwords.
 
 The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
 It allows you to use the login password to automatically decrypt a
 partition and mount it as /home/$user. [2] has a section about it.
 However, this breaks easily and is pretty hard to administrate if you
 have no experience with dm-crypt and pam. I recommend the first solution.
 
 [1]
 http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
 [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
 
 Regards,
 Florian Philipp

Is this solution (the first one) easily integrated into some environment 
(kde) ?

I don't want to have numerous passwords (one for decrypt, one other to open the 
desktop session as usual...), plus my wife would argue with some reason I am 
always hacking the computer whereas we are just using it to watch movies... 
(she uses the computer also, but in a much more used way, so any solution has 
to be comfortable to her too !)

-- 
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Florian Philipp
Am 02.01.2012 12:36, schrieb Stéphane Guedon:
 On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
 Am 02.01.2012 09:07, schrieb Stéphane Guedon:
 Hi all

 I may ask something already discussed, but I can't find any good
 documentation. I am wondering of how to secure my home repository on my
 laptop. I am thinking of cryptography and other things (the password
 uncrypt the repository and allows to read files...).

 What tool to use for ? Anybody knows a good doc (in french would be
 really good) ?

 I am not really paranoid, but I work now in a quite important
 environment and want any data I get out to be secured...

 I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
 device under the actual file system. Gentoo wiki has some tutorials on
 it (although you don't need much of it): [1] [2]

 If you only want to encrypt your home partition, you only need to follow
 these steps:

 1. Create an encrypted partition (see `man cryptsetup`)
 2. Move /home/* over to it (don't forget backup)
 3. Configure /etc/conf.d/dmcrypt
 4. Add /etc/init.d/dmcrypt to boot runlevel

 Then the init script will ask you for the password at boot. dm-crypt
 allows multiple passwords per partition so that different users can have
 different passwords.

 The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
 It allows you to use the login password to automatically decrypt a
 partition and mount it as /home/$user. [2] has a section about it.
 However, this breaks easily and is pretty hard to administrate if you
 have no experience with dm-crypt and pam. I recommend the first solution.

 [1]
 http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
 [2] http://en.gentoo-wiki.com/wiki/DM-Crypt

 Regards,
 Florian Philipp
 
 Is this solution (the first one) easily integrated into some environment 
 (kde) ?
 
 I don't want to have numerous passwords (one for decrypt, one other to open 
 the 
 desktop session as usual...), plus my wife would argue with some reason I am 
 always hacking the computer whereas we are just using it to watch movies... 
 (she uses the computer also, but in a much more used way, so any solution has 
 to be comfortable to her too !)
 

Well, it is partially integrated: When it is not /home/* but some other
partition/external disk, then KDE supports decrypting it when you mount
it (like memory sticks). It can also save the password in kwallet. Gnome
can do the same. However, if you want to use it for /home/* and don't
want to enter the password twice, you should use pam_mount.

One alternative: the dmcrypt init script also supports key files. I
believe it is possible to put a key file on a USB stick and the init
script waits until the stick is attached, then mounts it and uses the
file to decrypt the partition. It's a poor man's smartcard, just without
a PIN.

That way, you don't need to enter the password, just take care of that
stick. You can also encrypt the key file with GPG, but then you need to
enter the password for that file.

Regards,
Florian Philipp






Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Neil Bothwick
On Mon, 02 Jan 2012 13:37:12 +0100, Florian Philipp wrote:

 Well, it is partially integrated: When it is not /home/* but some other
 partition/external disk, then KDE supports decrypting it when you mount
 it (like memory sticks). It can also save the password in kwallet. Gnome
 can do the same. However, if you want to use it for /home/* and don't
 want to enter the password twice, you should use pam_mount.

Alternatively, if you are using dmcrypt to encrypt /home, and you are the
only user, set KDE to auto-login that user. The login will fail if
dmcrypt failed to open your home partition, so one password
effectively secures it all.


-- 
Neil Bothwick

What did the first man to discover you can get milk from cows think he
was doing? - anon.




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Stéphane Guedon
On Monday 02 January 2012 13:58:03 Neil Bothwick wrote:
 On Mon, 02 Jan 2012 13:37:12 +0100, Florian Philipp wrote:
  Well, it is partially integrated: When it is not /home/* but some other
  partition/external disk, then KDE supports decrypting it when you mount
  it (like memory sticks). It can also save the password in kwallet. Gnome
  can do the same. However, if you want to use it for /home/* and don't
  want to enter the password twice, you should use pam_mount.
 
 Alternatively, if you are using dmcrypt to encrypt /home, and you are the
 only user, set KDE to auto-login that user. The login will fail if
 dmcrypt failed to open your home partition, so one password
 effectively secures it all.

I am not the only user !

-- 
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Neil Bothwick
On Mon, 2 Jan 2012 14:12:31 +0100, Stéphane Guedon wrote:

  Alternatively, if you are using dmcrypt to encrypt /home, and you are
  the only user, set KDE to auto-login that user. The login will fail if
  dmcrypt failed to open your home partition, so one password
  effectively secures it all.  
 
 I am not the only user !

In that case, you probably want to use encfs to encrypt each home
directory separately. dmcrypt works on block devices, so a single home
partition would have a single password.


-- 
Neil Bothwick

With free advice you often get what you pay for.




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Florian Philipp
Am 02.01.2012 14:29, schrieb Neil Bothwick:
 On Mon, 2 Jan 2012 14:12:31 +0100, Stéphane Guedon wrote:
 
 Alternatively, if you are using dmcrypt to encrypt /home, and you are
 the only user, set KDE to auto-login that user. The login will fail if
 dmcrypt failed to open your home partition, so one password
 effectively secures it all.  

 I am not the only user !
 
 In that case, you probably want to use encfs to encrypt each home
 directory separately. dmcrypt works on block devices, so a single home
 partition would have a single password.
 
 

dmcrypt supports multiple simultaneous passwords (I think 4 or something
like that). Of course, then every user can unlock every home directory
and auto-login is a no-go anyway.





Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Stéphane Guedon
On Monday 02 January 2012 09:07:49 Stéphane Guedon wrote:
 Hi all
 
 I may ask something already discussed, but I can't find any good
 documentation. I am wondering of how to secure my home repository on my
 laptop. I am thinking of cryptography and other things (the password
 uncrypt the repository and allows to read files...).
 
 What tool to use for ? Anybody knows a good doc (in french would be really
 good) ?
 
 I am not really paranoid, but I work now in a quite important environment
 and want any data I get out to be secured...

Actually, there's ecryptfs, which is the one I was thinking but I didn't 
remember at the beginning.

But It's quite hard to use with the doc I find !

-- 
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
carte de visite : http://www.22decembre.eu/downloads/Stephane-Guedon.vcf




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Neil Bothwick
On Mon, 02 Jan 2012 15:26:10 +0100, Florian Philipp wrote:

  In that case, you probably want to use encfs to encrypt each home
  directory separately. dmcrypt works on block devices, so a single home
  partition would have a single password.

 dmcrypt supports multiple simultaneous passwords (I think 4 or something
 like that). Of course, then every user can unlock every home directory

Which is why I recommended ecryptfs (I've only just noticed that the
previous posts mentioned encfs, that's a FUSE filesystem that is
unnecessary now the kernel has ecryptfs included).

It's not the multiple passwords, it's separately locking each user's
data.

-- 

Neil Bothwick

Guillotine operator wanted. Chance to get ahead.




Re: [gentoo-user] crypt my home repository

2012-01-02 Thread Kfir Lavi
On Mon, Jan 2, 2012 at 7:06 PM, Neil Bothwick n...@digimed.co.uk wrote:

 On Mon, 02 Jan 2012 15:26:10 +0100, Florian Philipp wrote:

   In that case, you probably want to use encfs to encrypt each home
   directory separately. dmcrypt works on block devices, so a single home
   partition would have a single password.

  dmcrypt supports multiple simultaneous passwords (I think 4 or something
  like that). Of course, then every user can unlock every home directory

 Which is why I recommended ecryptfs (I've only just noticed that the
 previous posts mentioned encfs, that's a FUSE filesystem that is
 unnecessary now the kernel has ecryptfs included).


Thanks,
I didn't know about that.
I'll try that, as I'm using encfs, and basically it works flawlessly.
But running without fuse, is better.

Kfir


 It's not the multiple passwords, it's separately locking each user's
 data.

 --

 Neil Bothwick

 Guillotine operator wanted. Chance to get ahead.