-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Thursday 2007-12-27 at 12:44 -0700, Carlos F Lange wrote:
...
The easiest way is to start the yast partitioner module, and tell it
to format a partition as ext3 encrypted. It will ask for the
passphrase (better be long), and it will encrypt the partition -
which can be /home, of course. Of course, it is a "format" tool, you
loose any data on it, but that can't be helped (copy it somewhere
else, and work as root meanwhile).
This is what I would use to encrypt a large /home completely. But I
would not recommend it. I tried this method first on my new laptop and
I found that it has 2 disadvantages. If you let the password prompt
time out or if you miss the password 3 times, you start a system
without your /home. Obviously the mounting point /home is still there,
but it is empty and you login into a fresh new environment created on
the unencrypted root partition, which is highly inconvenient. It would
be even worse, if you had encrypted the root partition.
True.
Let me see, perhaps there is a workaround :-?
You can use a script to detect if the partition has been mounted, and, for
instance, make the system revert to runlevel 3.
For instance, I use this to detect if an external drive has been mounted:
MOUNT=`mount | grep /mnt/usb/usb_sg60` <======= I grep for mount point
if ! test -n "$MOUNT" ; then
echo "*** ERROR: No se pudo montar el dispositivo de respaldo en usb,
abortando"
echo
echo $MOUNT
exit
fi
I would insert this test in "/etc/init.d/xdm". If a third party picks the
portable, it would be some time before they notice what is wrong ;-)
Second, once you unencrypt /home, it is all open until you shutdown,
meaning that after suspend you are only protected by the lock-screen.
Also, you cannot use you laptop in an untrusted environment without
having your sensitive data exposed.
Yes, but that's true of almost any scheme.
About the suspend... it is possible to encrypt swap. It uses some kind of
automatic password. I think it use is to deter somebody else from mounting
the disk and reading the memory "in plain", but the key is there somehow,
in order to be automatic.
There is another option, which I haven't tested, new for opensuse
10.3, that encrypts the home of a single user. It is done from the
user management module. You can have pain users and encrypted users,
and each one with a separate data space.
If it is what I think, it creates an encripted filesystem on a file
mounted on a loop in /home/USER- so you have to choose how much space
to give it beforehand. The opensuse manual explains it, I think.
I am testing this right now. I only really need to encrypt one
directory, which contains sensitive (under NDA), data and perhaps my
Mail dir. So I created a crypt file under /home with 5GB (enough for
the data; I need another one of these for my Mail) and mounted it to
the top level sensitive directory in my home. If I just hit Enter 3
times without giving the passphrase, I can still use the laptop
normally. The directory is there empty (actually it has now a file
called NOTMOUNTED.txt to help me notice it is not mounted, since I once
forgot and started copying data into the plain mounting point; this
file does not show up if the encrypted loop-file is mounted.), if I
want to use the laptop without exposing it.
Yep, "known" thing. I always create an empty file named "notmounted" into
all my mount points.
I just noticed in "man
crypttab" that you can add an option "noauto" in /etc/crypttab, so that
the boot process is not interrupted by the ugly text based passphrase
question. I am going to try that.
Yes, it works, I use it.
But do you use those for the "per user" encrypted directories? I don't
like that too much.
To mount and unmount the encrypted directories, you run as root:
/etc/rc.d/boot.cryto restart
/etc/rc.d/boot.crypto stop
respectively.
Ideally, I would like the mounting and unmounting to be more convenient,
maybe from within Konqueror, and that the crypto files are unmounted
automatically at suspend (can I add that to /etc/pm/sleep.d ?).
There is a type of encrypted filesystems, use for instance on external usb
drives, that automatically request the password when plugged on. They use
"LUKS" (I'm writing from memory), and the encryption information is
written in to the header of the filesystem.
I believe KDE handles them transparently.
I hopped the per user encrypted homes would be handled similarly :-?
About umounting when suspending, yes, it is possible, with a snag: if a
file is open at that moment, umounting fails. You could then reject
suspend or continue, but I don't know if it would be possible to ask the
user: the script will have to use one or the other method with no
questions.
Plus, a program like OOo may have an unencrypted temporary version of the
file (in /tmp, perhaps; dunno).
- --
Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
iD8DBQFHdOKOtTMYHG2NR9URApgCAKCKzBgRx63dDEb/3Lh2cR87V3j6wACggOwj
GsFeFcvcK+rWMyBz5YZHZe8=
=0r/U
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
