The last time I tried this was with 9.04 (I think, maybe it was 8.10). It sounds like there are some differences now.

I had reason to do a full reinstall recently as well. I went with Kubuntu 10.10 and opted to encrypt the full drive. So I have to enter a (really long!) pass phrase when I boot the computer, and then enter my user credentials. All works fine, and I'm in the same boat as you - I'd rather not mess with something that is doing the job I'm expecting it to.

I see one large flaw with the encryption - either full disk, or home directory only. If you are logged in to the box, the encryption is useless/meaningless. It does matter once you log out or cycle the power though, and that is the goal. But you have to understand this subtlety so that you make use of the encryption properly. To be even more secure, one should make use of encrypted files (via TrueCrypt maybe) and encrypt all network traffic possible (https, or TOR).

My thoughts.

Shawn

On 10-12-20 10:09 PM, John Jardine wrote:
Hi,

I lost a drive today and that prompted a new install.  I chose Ubuntu
10.10 x64 Desktop to check it out.

I configured it to have an encrypted home directory - not full disk
encryption.

I can reboot this machine and then ssh to it successfully.  This is
counter to your experience.  I can't explain what or why this is
different though.

I have not bothered to check the directory by booting from another disk
and checking it out - I'll leave that for the paranoid:)

I did pick up on one part of the install when it gave instructions on
access without logging in.  I was asked to configure a secure passphrase
to use to manually access my home directory.  It said to use a tool
'ecryptfs-unwrap-passphrase'.

I haven't messed with it yet - everything is still at the stage where
"it just works" so I'm loath to fix that:)

Cheers,
J.J.


On Sun, 2010-12-05 at 21:59 -0700, shawn wrote:
I tried the encrypted home directory and ran into problems with SSH to
that box via ssh keys.  Which makes sense - the keys are encrypted and
can't be read until you login.  But you can't login without the keys...
Guess it would make sense for a desktop that will be unlikely to be
connected TO via ssh.  Either that or I missed a step somewhere.

I'm running Kubuntu 10.10 now with an encrypted drive.  The install
process was pretty straightforward and everything is working as
expected (with a new *buntu install - sound issues, data migration,
etc.)  I still want to encrypt a drive manually from the command line
just to learn the details, but the docs I've seen are old (2007ish or
earlier) and make a lot of assumptions about base knowledge making the
docs difficult to read.

Shawn

On 10-12-05 04:42 PM, Gustin Johnson wrote:
On Thu, Dec 2, 2010 at 11:12 PM, Shawn <[email protected]> wrote:
I'm looking for any decent links/how-to's for full disk encryption.
For TrueCrypt
http://www.truecrypt.org/docs/

TrueCrypt also has an option for a secret hidden OS

On Ubuntu you can do it at install if you use the alternate install
CD.  I used this a couple of times and it worked well.  The encrypted
home directory is what I use now.  The one issue is that if you have a
slight issue with your hard drive, and I mean slight, all the data is
pretty much toast.  It does not even have to be a bad disk, just a
wrong bit flipped at the wrong time which happens more than you think
on modern hard drives.  If done right data recovery is not possible.


_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying


