Best ways to encrypt running home partition?

I have read in manuals that encrypting a partition erases all data on it, ok, I understand why. Now I am interested in viable method to do it.

My disk layout is following:
sda1 /
sda2 swap
sda3 /home
sda4 ntfs

/home is quite large, but I don't have too much data on it. I do have a large external drive, partition already backed/backing up with rsync, so I have no problem of "losing" data.

What would be the best way to encrypt home?

  1. rsync it, log in as root, encrypt partition, restore data with rsync?
  2. gzip it, move it, encrypt, restore?
  3. …?
  4. …?

Ah yes… one more thing is important, I would like it to be done to work seamlessly… something like, login and go. Should I use YaST for encrypting partition or something else?

oo yes… one more question.
If system breaks, whether me break it or whatever, installing new version, will encryption be working also, or will I have problems.

Sorry for these noob questions, but I never used encryption in this way. Only by TrueCrypt or similar.

Thanks

I did a tar backup to an external drive. To do that, I logged in as root at a virtual console, switched to init level 3, so that the GUI was not running, then made the backup.

After creating the encrypted “/home”, I restored from the backup, again logged in as root at a virtual terminal.

I’ll note that you will have to give an encryption key at every boot, to make “/home” available.

While I was about it, I encrypted swap at the same time. Using yast, I did not specify an encryption key for swap. So it was set up with a random key, different every time, and with “mkswap” run on each boot. This probably prevents recovery from hibernation, which was okay for me.

Next, I set up "/tmp" to be mounted from swap (i.e. with "tmpfs"). That, together with the encrypted swap, protects temporary copies of sensitive data.

My current plan is to occasionally backup "/home" to an external drive. I won't be encrypting the external drive, so that is my recovery data if I ever forget the password, or if something breaks.

I did not consider encrypting the root partition, mainly because of concern about recovery if the system breaks. Booting from a live disk, I could still access all system files. Presumably, I could also provide the key and mount “/home”, but that is rarely needed to fix a broken system.

Incidentally, it is working quite well.

On 2011-04-11 01:36, beli0135 wrote:

> What would be the best way to encrypt home?
> 1. rsync it, log in as root, encrypt partition, restore data with
> rsync?

Yes.

> Ah yes… one more thing is important, I would like it to be done to
> work seamlessly… something like, login and go. Should I use YaST for
> encrypting partition or something else?

YaST.

>
> oo yes… one more question.
> If system breaks, whether me break it or whatever, installing new
> version, will encryption be working also, or will I have problems.

Who knows! You ask too much, too imprecise. Will my car break down? Will I
have an accident and be killed or maimed?


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

@nrickert, wow… I am not that paranoid, LOL. It's just a prevention of laptop theft. There is no one particularly targeting me and my data that swap should be targeted. Most common thieves just steal to sell. But I thank you for the procedure that you wrote. Every day we learn something new. You have responded to most of my questions.

@robin_listas
Thanks for answers. On last question, what I really mean is that if system breaks for whatever reason, or I decide to put openSUSE 11.5 (whatever), or some other distro, or just to reinstall 11.4, for whatever reason.
Question was: will I be able to use my encrypted /home, providing encryption key? Will new installation ask me at all? Can it be recovered by running some live DVD etc etc? So in case of system failure, will I be able to access my data in some way?

Thanks

On Mon, 2011-04-11 at 16:06 +0000, beli0135 wrote:
> @nrickert, wow… I am not that paranoid, LOL. It's just a prevention of
> laptop theft. There is no one particularly targeting me and my data that
> swap should be targeted. Most common thieves just steal to sell. But I
> thank you for the procedure that you wrote. Every day we learn something
> new. You have responded to most of my questions.
>
Hi
Have you looked at installing prey (I’m the package maintainer)?
http://software.opensuse.org/search?q=prey&baseproject=ALL&lang=en&exclude_debug=true
Their webpage is here;
http://preyproject.com/


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.29-0.3-default
up 5 days 1:02, 2 users, load average: 0.00, 0.02, 0.00
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.26

On 2011-04-11 18:06, beli0135 wrote:
>
> @nrickert, wow… I am not that paranoid, LOL. It's just a prevention of
> laptop theft. There is no one particularly targeting me and my data that
> swap should be targeted.

Swap is indeed a target, as it has a copy of the entire memory, which means
your passwords, including possibly the password for the encrypted
partition. Of course, the thief has to know how to do that, or know
somebody who can.

That you do not keep any secrets worth stealing? I’m sure that your bank
data is interesting :wink:

> @robin_listas
> Thanks for answers. On last question, what I really mean is that if
> system breaks for whatever reason, or I decide to put openSUSE 11.5
> (whatever), or some other distro, or just to reinstall 11.4, for
> whatever reason.
> Question was: will I be able to use my encrypted /home, providing
> encryption key? Will new installation ask me at all? Can it be recovered
> by running some live DVD etc etc? So in case of system failure, will I
> be able to access my data in some way?

Supposedly, the system will be maintained, but there are no guarantees. You
should make a point of testing factory releases and report if the features
you need stop working.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-04-11 19:08, malcolmlewis wrote:
> Have you looked at installing prey

What does it do?


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On Mon, 2011-04-11 at 19:20 +0000, Carlos E. R. wrote:
> On 2011-04-11 19:08, malcolmlewis wrote:
> > Have you looked at installing prey
>
> What does it do?
>
Hi
Series of bash scripts along with a cron job. It checks the website and
if you set a flag (on your control panel) it will collect data and post
it on the website for you: screenshot, location (via available wifi
spots), camera shot etc. So if the thief powers it up you have a good
chance of capturing some data to provide to authorities.


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.32.29-0.3-default
up 5 days 3:49, 2 users, load average: 0.43, 0.20, 0.15
GPU GeForce 8600 GTS Silent - Driver Version: 260.19.26

@malcomlewis
Thank you, I will look into it. It is an interesting idea.

@robin_listas
Well… let's say I pay a thief to get your hard drive. Then surely, I will give the hard disk to a team to recover everything that is possible.
If I steal laptop from John Doe, I probably just want $200 for it, and Jane Doe, who will buy it from me, will in 99.99% of chances format and install Windows 7 on it.

:slight_smile:

I’m not particularly paranoid either. But I do occasionally edit a file of passwords, using a temp copy in “/tmp”. So having swap encrypted, with “/tmp” mounted as tmpfs is an easy way of being sure that “/tmp” is encrypted.

With new installation, specify the same partition for home, set it as encrypted, and set it to not format the partition. Then you should be prompted for the existing encryption key during the new install.
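An added example, not code from this thread and not part of openSUSE or YaST: a POSIX shell script that audits an /etc/crypttab and /etc/fstab pair for the three settings nrickert describes in his two posts (swap on a dm-crypt mapping keyed from /dev/urandom at every boot, /tmp on tmpfs, and /home mounted from a dm-crypt mapping), so you can confirm after the YaST setup or after a reinstall that the configuration is still what you intended. The mapping names cr_swap and cr_home, the device names and the before/after sample files are constructed for the demonstration and mirror the original poster's sda1/sda2/sda3 layout; the crypttab and fstab field layout is the standard one.

```shell
#!/bin/sh
# Added example (not from the thread): audit a crypttab/fstab pair for the
# settings nrickert describes: swap on a dm-crypt mapping keyed from
# /dev/urandom at every boot, /tmp on tmpfs, and /home on a dm-crypt mapping.
# Paths are parameters so constructed samples can be checked without root.

# Print the device of the first swap entry in fstab $1 (empty if none).
swap_device() {
    awk '/^[ \t]*#/ || NF < 3 { next } $3 == "swap" { print $1; exit }' "$1"
}

# Succeed if crypttab $1 maps name $2 from /dev/urandom with the "swap" option,
# i.e. a fresh random key and mkswap on every boot (no hibernation resume).
swap_is_random_key() {
    awk -v n="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        $1 == n && $3 ~ /urandom$/ && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if the swap listed in fstab $2 is a /dev/mapper device whose
# crypttab ($1) entry uses a random key.
swap_is_encrypted_random() {
    dev=$(swap_device "$2")
    case "$dev" in
        /dev/mapper/*) swap_is_random_key "$1" "${dev#/dev/mapper/}" ;;
        *) return 1 ;;
    esac
}

# Succeed if fstab $1 mounts /tmp as tmpfs (temp files live in RAM/encrypted swap).
tmp_is_tmpfs() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $2 == "/tmp" && $3 == "tmpfs" { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if every fstab ($1) entry for mount point $2 is a /dev/mapper device.
mount_uses_mapper() {
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        $2 == mp { n++; if ($1 !~ /^\/dev\/mapper\//) plain = 1 }
        END { exit ((n > 0 && !plain) ? 0 : 1) }' "$1"
}

report() {  # report LABEL STATUS (0 = pass)
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

# Run all checks on crypttab $1 and fstab $2; exit status 0 only if all pass.
audit_system() {
    fails=0
    swap_is_encrypted_random "$1" "$2" && s=0 || s=1
    report "swap is a dm-crypt mapping keyed from /dev/urandom" "$s"
    fails=$((fails + s))
    tmp_is_tmpfs "$2" && s=0 || s=1
    report "/tmp is mounted as tmpfs" "$s"
    fails=$((fails + s))
    mount_uses_mapper "$2" /home && s=0 || s=1
    report "/home is mounted from a dm-crypt mapping" "$s"
    fails=$((fails + s))
    [ "$fails" -eq 0 ]
}

# Constructed before/after samples mirroring the original poster's layout
# (sda1 /, sda2 swap, sda3 /home); mapping names cr_swap/cr_home are assumed.
write_samples() {
    cat > "$1/before.crypttab" <<'EOF'
# no dm-crypt mappings: swap and /home are plain partitions
EOF
    cat > "$1/before.fstab" <<'EOF'
/dev/sda1  /      ext4  defaults  1 1
/dev/sda2  swap   swap  defaults  0 0
/dev/sda3  /home  ext4  defaults  1 2
EOF
    cat > "$1/after.crypttab" <<'EOF'
# name     device     keyfile       options
cr_home    /dev/sda3  none          none
cr_swap    /dev/sda2  /dev/urandom  swap
EOF
    cat > "$1/after.fstab" <<'EOF'
/dev/sda1            /      ext4   defaults                1 1
/dev/mapper/cr_swap  swap   swap   defaults                0 0
/dev/mapper/cr_home  /home  ext4   defaults                1 2
tmpfs                /tmp   tmpfs  mode=1777,nosuid,nodev  0 0
EOF
}

if [ "$#" -eq 2 ]; then
    audit_system "$1" "$2"          # e.g. audit_system /etc/crypttab /etc/fstab
else
    SAMPLE_DIR=$(mktemp -d)
    write_samples "$SAMPLE_DIR"
    for state in before after; do
        echo "== $state =="
        audit_system "$SAMPLE_DIR/$state.crypttab" "$SAMPLE_DIR/$state.fstab" || true
    done
fi
```

Run it with no arguments to see the constructed "before" layout fail all three checks and the "after" layout pass them; run it as `sh audit.sh /etc/crypttab /etc/fstab` to audit a real system, where a non-zero exit status means at least one setting is missing. It only reads the configuration files, so pair it with `cat /proc/swaps` and `mount` to confirm that the running system actually has the mapped swap and the tmpfs /tmp active.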

On 2011-04-12 18:36, beli0135 wrote:

> @robin_listas
> Well… let's say I pay a thief to get your hard drive. Then surely, I
> will give the hard disk to a team to recover everything that is possible.
> If I steal laptop from John Doe, I probably just want $200 for it, and
> Jane Doe, who will buy it from me, will in 99.99% of chances format and
> install Windows 7 on it.

When I get a second hand disk I’m “curious” about it and search inside for
curios >:-)

It depends on who is the thief. Better not take chances.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-04-11 21:55, malcolmlewis wrote:

>> What does it do?
>>
> Hi
> Series of bash scripts along with a cron job. It checks the website and
> if you set a flag (on your control panel) it will collect data and post
> it on the website for you: screenshot, location (via available wifi
> spots), camera shot etc. So if the thief powers it up you have a good
> chance of capturing some data to provide to authorities.

Ah! Interesting.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Thank you. I can be calm now.
However, can anyone point me to a document on how to do this encryption thing for swap and tmpfs?