Best practices to encrypt file system

I have been reading a lot about file system encryption both in this forums and in more general-purpose linux media, but I haven’t found a clear answer.
I see that, in the past, YAST had an entry to encrypt the home of a user. I also know that, during installation, one can choose to encrypt his home.
If today one wants to encrypt an already existing home, I see there are multiple options with various degrees of convenience and various attached problems.

So my question is this: if I have an already installed system (my laptop) with no encryption, what is the best route to add encryption?

First part: is it best to encrypt the whole system or to encrypt only my home? I guess encrypting the whole system would require reinstalling though, and I do not want to do it.

Second part: if I want to only encrypt my home (I have a separate partition for home, which mounts on the /home mount-point) which is the best way? When I say “best”, I’d like to know both if there’s an officially supported way of doing this (since it has been removed from Yast, I’m not sure there is a supported method), and which method is the most convenient (easy to apply, avoid having to retype passwords at login, possibility to periodically change password etc.)

Thank you in advance
Cris

While your question is valid, what you say is a bit confusing. You do much talking about “my home”. This is unclear. There is /home, which is often a separate file system that contains normaly the home directories of most users (and thus leads itself to encrypting of that file system/partition, and there is the (several) home directories of that/those user(s), for which there may be methods to encrypt a home directory (or part of it).
The “my” should be avoided.

This to make sure that you and your readers have the same notion about what the words you use mean.

You’re right Henk, sorry for the confusion.
I was referring to the encryption of the home partition, which is mounted to the /home mount-point, and that may contain more than one home directory.

Cris

First, I’ll describe what I do.

I install with an encrypted LVM. So the LVM contains three volumes – home, root, swap. They are all part of a single partition (the physical volume on which the LVM is built). The partition is encrypted. The one passphrase thus handles all.

However, I first played around with other ways of encrypting. And I switched to encrypted LVM when installing the next version (that was probably for openSUSE 11.4 way back whenever).

Now back to your case. Ideally, you should encrypt swap as well as your home directory. And you can do that without reinstalling.

Install “ecryptfs-utils”.
After installing, as root: run the command:

pam-config -a --ecryptfs

That is so that ecryptfs will be activated during login.

While you still have that root command line, run:

modprobe ecryptfs

This should not be needed, but sometimes it helps before setting things up.

Now, as an ordinary user (yourself in your logged in session), run the command:

ecryptfs-setup-private

That will prompt for your login password. And it will then create a subdirectory “Private” under your home directory. And everything in that Private subdirectory will be encrypted.

You might now need to run

ecryptfs-mount-private

to make that directory accessible. That will again ask for your login password.

Once that is all done, logout – maybe even reboot. And then login again. Your “Private” subdirectory should now be available to you, setup as part of your login. Hmm, that won’t work if you are set for autologin, so best to turn that off. But if you are using autologin, then you will need to run “ecryptfs-mount-private” after login. If you do not use autologin, that should now be automatic.

Possibly an encrypted private directory is already enough. But, if you need more, you can make your entire home directory the private directory. The “ecryptfs-migrate-home” command should do that, but it probably needs to be run by root. Try “man ecryptfs-migrate-home” for details. That man page won’t be available until you install “ecryptfs-utils”.

The one problem with this, is that “ecryptfs” works by keeping a copy of the unencrypted data in memory. And that can get swapped out to your swap partition. So you really need encrypted swap to go along with this.

There are two ways of handling encrypted swap. If you never hibernate, you can just run “ecryptfs-setup-swap” (as root). That will setup encrypted swap (after the next boot). Swap will be encrypted with a random encryption key, so you won’t need to enter a key. But hibernate won’t work (you won’t be able to resume from hibernation).

The other way of handling encrypted swap is to use LUKS encryption, so you will be prompted for a key on each boot. Hibernation will still work. Since there is nothing important in swap, this can be done without reinstall. But it is a bit tricky.

My best advice: Try ecryptfs with a private encrypted directory for now. Keep important files there. And put off everything else until you are ready to reinstall. Then, when you are ready to reinstall, go with an encrypted LVM. You can continue to use “ecrypfs” even with an encrypted LVM, for those few files that need an extra level of protection.

I hope that help. Feel free to ask more questions.

Hi nrickert!
First of all, THANK YOU very much for this detailed explanation! I had already read about it in this thread.

This is a very interesting approach, and I may apply that the next time I’ll do an installation (but since I’m using Tumbleweed, that may not happen for a few years).
On a side note: do you use BTRFS? Does it play well with LVM? (I know almost nothing about LVM so forgive me if this is a stupid question)

In keeping with what Henk said: when you say “encrypt your home directory” does it mean that I will be encrypting the whole home partition or only my home directory (say /home/cristiano) ?

It does help, thank you!

I may follow your instructions and encrypt my home directory and the swap partition with ecryptfs.
OTOH, I’d still like to know if there is an openSUSE officially supported way of encrypting either the whole system or the home partition.
As I understand from your other thread, the one you suggest is the officially supported way of Ubuntu.

Cris

Currently, I’m using “ext4”. However, I have tried “btrfs”, and it works fine witn an LVM.

In keeping with what Henk said: when you say “encrypt your home directory” does it mean that I will be encrypting the whole home partition or only my home directory (say /home/cristiano) ?

When I suggested “ecryptfs”, that would be only for the home directory. But normally, I prefer the entire “/home” file system to be encrypted.

Some perspective, however. With “/home” encrypted, I have to be there when booting the system. If I want it to be able to boot unattended (so without giving a password), then I would encrypt just the home directory.

I may follow your instructions and encrypt my home directory and the swap partition with ecryptfs.
OTOH, I’d still like to know if there is an openSUSE officially supported way of encrypting either the whole system or the home partition.

Using an encrypted LVM is actually pretty well supported. During install, in the partitioning section, there is a “Guided” button. Use that, and one of the choices will be to use an LVM. And once you make that choice, you can then encrypt it (the entire LVM). Additionally, the installer supports installing into an already existing encrypted LVM, but you do need to use the expert partitioner for that. This is important on re-install.

As I understand from your other thread, the one you suggest is the officially supported way of Ubuntu.

Yes, if you install Ubuntu as configure an encrypted home directory, that will use “ecryptfs”.

Hi, I just want to point at a possible bug in the package …

I just finished installing it. This is what I got at first:

cristiano@xmper8q3 ~]$ sudo zypper in ecryptfs-utils 
[sudo] password di root: 
Caricamento dati del repository in corso...
Lettura dei pacchetti installati in corso...
Risoluzione dipendenze dei pacchetti in corso...

I seguenti 13 NUOVI pacchetti verranno installati:
  ecryptfs-utils ecryptfs-utils-32bit libecryptfs1 libecryptfs1-32bit libfreebl3-32bit libpkcs11-helper1-32bit libsoftokn3-32bit libtspi1 libtspi1-32bit mozilla-nspr-32bit
  mozilla-nss-32bit mozilla-nss-certs-32bit trousers

13 nuovi pacchetti da installare.
Dimensione complessiva del download: 2,7 MiB. Già nella cache: 0 B. Dopo l'operazione, saranno utilizzati altri 6,6 MiB.
Continuare? [s/n/v/...? mostra tutte le opzioni] (s): 
Recupero di pacchetto libecryptfs1-111-2.4.x86_64                                                                                                   (1/13),  40,2 KiB (141,7 KiB estratto)
Recupero di: libecryptfs1-111-2.4.x86_64.rpm .......................................................................................................................................[fine]
Recupero di pacchetto libfreebl3-32bit-3.42.1-1.1.x86_64                                                                                            (2/13), 241,1 KiB (527,9 KiB estratto)
Recupero di: libfreebl3-32bit-3.42.1-1.1.x86_64.rpm ................................................................................................................................[fine]
Recupero di pacchetto libpkcs11-helper1-32bit-1.25.1-1.1.x86_64                                                                                     (3/13),  50,0 KiB (129,9 KiB estratto)
Recupero di: libpkcs11-helper1-32bit-1.25.1-1.1.x86_64.rpm .........................................................................................................................[fine]
Recupero di pacchetto libtspi1-32bit-0.3.14-4.2.x86_64                                                                                              (4/13), 166,4 KiB (549,1 KiB estratto)
Recupero di: libtspi1-32bit-0.3.14-4.2.x86_64.rpm ..................................................................................................................................[fine]
Recupero di pacchetto mozilla-nspr-32bit-4.20-1.2.x86_64                                                                                            (5/13), 122,1 KiB (299,0 KiB estratto)
Recupero di: mozilla-nspr-32bit-4.20-1.2.x86_64.rpm ................................................................................................................................[fine]
Recupero di pacchetto trousers-0.3.14-4.2.x86_64                                                                                                    (6/13), 605,1 KiB (881,9 KiB estratto)
Recupero di: trousers-0.3.14-4.2.x86_64.rpm ..........................................................................................................................[fine (963,3 KiB/s)]
Recupero di pacchetto mozilla-nss-certs-32bit-3.42.1-1.1.x86_64                                                                                     (7/13), 223,3 KiB (408,0 KiB estratto)
Recupero di: mozilla-nss-certs-32bit-3.42.1-1.1.x86_64.rpm .........................................................................................................................[fine]
Recupero di pacchetto libtspi1-0.3.14-4.2.x86_64                                                                                                    (8/13), 149,4 KiB (465,5 KiB estratto)
Recupero di: libtspi1-0.3.14-4.2.x86_64.rpm ........................................................................................................................................[fine]
Recupero di pacchetto mozilla-nss-32bit-3.42.1-1.1.x86_64                                                                                           (9/13), 721,8 KiB (  2,1 MiB estratto)
Recupero di: mozilla-nss-32bit-3.42.1-1.1.x86_64.rpm .................................................................................................................[fine (378,1 KiB/s)]
Recupero di pacchetto ecryptfs-utils-111-2.4.x86_64                                                                                                (10/13), 126,5 KiB (532,9 KiB estratto)
Recupero di: ecryptfs-utils-111-2.4.x86_64.rpm .....................................................................................................................................[fine]
Recupero di pacchetto libsoftokn3-32bit-3.42.1-1.1.x86_64                                                                                          (11/13), 222,5 KiB (450,2 KiB estratto)
Recupero di: libsoftokn3-32bit-3.42.1-1.1.x86_64.rpm ...............................................................................................................................[fine]
Recupero di pacchetto libecryptfs1-32bit-111-2.4.x86_64                                                                                            (12/13),  43,0 KiB (119,7 KiB estratto)
Recupero di: libecryptfs1-32bit-111-2.4.x86_64.rpm .................................................................................................................................[fine]
Recupero di pacchetto ecryptfs-utils-32bit-111-2.4.x86_64                                                                                          (13/13),  34,3 KiB (138,3 KiB estratto)
Recupero di: ecryptfs-utils-32bit-111-2.4.x86_64.rpm ...............................................................................................................................[fine]
Controllo dei conflitti tra file: ..................................................................................................................................................[fine]
( 1/13) Installazione di: libecryptfs1-111-2.4.x86_64 ..............................................................................................................................[fine]
( 2/13) Installazione di: libfreebl3-32bit-3.42.1-1.1.x86_64 .......................................................................................................................[fine]
( 3/13) Installazione di: libpkcs11-helper1-32bit-1.25.1-1.1.x86_64 ................................................................................................................[fine]
( 4/13) Installazione di: libtspi1-32bit-0.3.14-4.2.x86_64 .........................................................................................................................[fine]
( 5/13) Installazione di: mozilla-nspr-32bit-4.20-1.2.x86_64 .......................................................................................................................[fine]
( 6/13) Installazione di: trousers-0.3.14-4.2.x86_64 ...............................................................................................................................[fine]
( 7/13) Installazione di: mozilla-nss-certs-32bit-3.42.1-1.1.x86_64 ................................................................................................................[fine]
( 8/13) Installazione di: libtspi1-0.3.14-4.2.x86_64 ...............................................................................................................................[fine]
( 9/13) Installazione di: mozilla-nss-32bit-3.42.1-1.1.x86_64 ......................................................................................................................[fine]
(10/13) Installazione di: ecryptfs-utils-111-2.4.x86_64 ............................................................................................................................[fine]
Output aggiuntivo di rpm:
setting /sbin/mount.ecryptfs_private to root:root 4755. (wrong permissions 0755)                                                                                                          
ERROR: module /lib/security/pam_ecryptfs.so is not installed.                                                                                                                             
warning: %post(ecryptfs-utils-111-2.4.x86_64) scriptlet failed, exit status 1


(11/13) Installazione di: libsoftokn3-32bit-3.42.1-1.1.x86_64 ......................................................................................................................[fine]
(12/13) Installazione di: libecryptfs1-32bit-111-2.4.x86_64 ........................................................................................................................[fine]
(13/13) Installazione di: ecryptfs-utils-32bit-111-2.4.x86_64 ......................................................................................................................[fine]
Esecuzione degli script %posttrans .................................................................................................................................................[fine]
cristiano@xmper8q3 ~]$ 

I thought about the possibility that it was simply due to a wrong installation order, so I tried to reinstall that single package:

cristiano@xmper8q3 ~]$ sudo zypper in -f ecryptfs-utils-111-2.4
Caricamento dati del repository in corso...
Lettura dei pacchetti installati in corso...
Forzatura dell'installazione di 'ecryptfs-utils-111-2.4.x86_64' dal repository 'repo-oss'.
Risoluzione dipendenze dei pacchetti in corso...

Il seguente pacchetto verrà re-installato:
  ecryptfs-utils

1 pacchetto da reinstallare.
Dimensione complessiva del download: 126,5 KiB. Già nella cache: 0 B. Dopo questa operazione non verrà utilizzato o liberato altro spazio su disco.
Continuare? [s/n/v/...? mostra tutte le opzioni] (s):
Recupero di pacchetto ecryptfs-utils-111-2.4.x86_64                                                                                                  (1/1), 126,5 KiB (532,9 KiB estratto)
Recupero di: ecryptfs-utils-111-2.4.x86_64.rpm .....................................................................................................................................[fine]
Controllo dei conflitti tra file: ..................................................................................................................................................[fine]
(1/1) Installazione di: ecryptfs-utils-111-2.4.x86_64 ..............................................................................................................................[fine]
Output aggiuntivo di rpm:
setting /sbin/mount.ecryptfs_private to root:root 4755. (wrong permissions 0755)


cristiano@xmper8q3 ~]$

It actually worked out well, but I don’t think this is how it is supposed to be.
Is it a bug in the dependencies of the package?

Cris

I never noticed that. But then I have usually installed “ecryptfs” with Yast rather than with “zypper”, and less information is shown that way.

However, there is a general problem. You install “ecryptfs”. Then you go to use it, and you get an error. You have to run “modprobe ecryprtfs” before things will work. So there’s some kind of error in loading the module.

However, that never repeats. I think doing the ecryptfs mount via pam always loads the module. But doing it at the command line “ecryptfs-mount-private” fails unless the module is already loaded. Perhaps that has to do with root permissions. Maybe a setuid process can’t automatically load a module, and it has to be done be a process really run by root.

Hi nrickert, just a little followup on this.

I finally had the time to follow your guide. I encrypted my home by using the ecryptfs-migrate-home script and everything is working beautifully!

I had some more work to do because I have a Dropbox loopback mount (see this guide on how to keep using Dropbox even if you’re not on ext4). I used to mount Dropbox at boot, but now I can’t because my home is not available until I login. So, this was a nice way of learning something new.

I searched for a good way to mount filesystems at login time, and found this very interesting reply, which led me to investigate and learn a lot on systemd’s user units.

Just my 2 cents :slight_smile:
Cris

I’m glad to hear that.

And thanks for those pointers on using Dropbox.