I have a laptop running openSUSE 11.2 and an upgrade to 12.1 is long overdue. When I installed 11.2, I set up separate partitions for /, swap, /home, /tmp and /var, the last three of which are encrypted. I considered separate /, swap and /boot partitions with / encrypted instead, but as the laptop isn’t very powerful and all the software is in the public domain, I thought it would be less taxing just to encrypt /home, with /tmp and /var also encrypted to secure cached application data, such as web documents. Initially I’d like to know if this scheme is suitable for the encryption of all user data? Is there another part of the file system that should also be encrypted? Have I encrypted a part unnecessarily, such as all of /var when just /var/tmp may suffice?
If this is suitable then the main problem I have with this scheme is that on booting, I need to type in a password for each encrypted partition. When I upgrade to 12.1 (as a fresh installation onto a new disk), can I put /home, /tmp and /var into a single, encrypted partition (separate from /) so that only one password is required and if so, how? I’d prefer to configure this with the graphical installer during installation, but I can’t see how. I get a dialogue box saying I can’t use certain characters if I type anything other than “/abc”, such as “/home, /tmp, /var” into the “mount point” box whilst configuring the partition. If what I ask is not possible, I’d be happy with a command line solution after installation. I understand from having transferred these partitions from another disk before that editing /etc/fstab and /etc/crypttab may be required. I also understand that directories called /home, /tmp and /var remain on the / partition but that these ones here are empty and only visible when the other partitions are not mounted (such as mounting the partition from a live CD). Also, can the password be read automatically from a USB stick on booting and if so, how?
I did not read all the details of your post, but the question from the title can be answered easily: As a partition can only be mounted on one directory (and then have there the contents of that directory), you cannot mount the same partition/file system on three directories at the same time.
In other words, when you mount a file system on /home, you expect that that file system then has the home directories of the users. When you then mount that file system on /tmp you would then have all the home directories in /tmp.
> disk), can I put /home, /tmp and /var into a single, encrypted
> partition (separate from /) so that only one password is required and
> if so, how?
The openSUSE method is to create an LVM encrypted space, and inside all the
partitions you need. One password. YaST does it that way.
There is another manual procedure which I can’t describe with separate
passwords. When this question was asked previously I posted links to people
that did it, so they must be in the archive.
I have blog posts about encryption here and here. I’ll probably update those in the next month.
It may seem a waste to encrypt everything. However, in practice, the most commonly used software is kept in memory cache, so you are not loading it very often. I cannot see any significant difference in speed with an encrypted LVM compared to just encrypted swap and home. I am using it on a fairly old system (purchased in 2004, and slow even at that date), and it works well.
For a fresh install, your best bet would be to back up your home partition, delete all Linux partitions, and allow the installer to set things up. Select LVM, then select encryption for the LVM. It will set up a small “/boot” partition that is unencrypted. I am using 100M for “/boot”, though I changed that to 200M in a newer computer.
Main benefits of this method:
1: It is actually easier to set up, since the installer supports it.
2: Only one password has to be given.
3: Hibernation actually works (though I don’t personally use it).
4: The password prompt is easier to find, because it comes early in the boot process before other confusing messages.
Thanks for your replies, and apologies for not coming back sooner. So it looks like LVM is the way to go. Can I put /home, /tmp and /var into the same encrypted LVM without encrypting everything else? I’d like to keep the system and application files unencrypted in order to reduce CPU workload.
I think I understand the error in my original post: If I were to put /home, /tmp and /var into the same, separate partition, then this single partition would get mounted at these locations on boot and create a real mess, correct?
Yes, you can. However, you might find that you need to create, encrypt and format the LVM separately before the install.
I suggest you also put swap in that LVM. Sensitive data can be written to swap at times. And if you are encrypting swap,
then it might be easier to mount “/tmp” from swap (i.e. as tmpfs) than to give it a separate partition. Apparently there are plans
to make mounting “/tmp” as tmpfs the default for the upcoming 12.2 release.
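
As an added example (not part of any post in this thread), a Python check that reads the contents of /etc/crypttab and /etc/fstab and reports how many passphrase prompts a layout needs at boot and which of swap, /home, /tmp and /var are left unencrypted. The device names, the volume group name `data` and the `vg_pv` mapping are constructed for illustration; the two samples model the three-partition layout from the first post and the single encrypted LVM suggested in the replies.

```python
SENSITIVE = ("/home", "/tmp", "/var")

def rows(text):
    # Fields of each non-blank, non-comment line of a crypttab or fstab.
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def audit(crypttab, fstab, vg_pv):
    """Return (passphrase prompts at boot, unencrypted sensitive targets)."""
    # vg_pv: volume group -> device holding its PV, as `pvs` shows (assumed input).
    # crypttab fields: name, device, keyfile; keyfile "none" means "ask at boot".
    mapped = {"/dev/mapper/" + f[0]: (f[2:3] or ["none"])[0] for f in rows(crypttab)}
    prompts = sum(1 for key in mapped.values() if key in ("none", "-"))

    def encrypted(dev):
        vg = dev.split("/")[2] if dev.count("/") == 3 else None   # /dev/<vg>/<lv>
        return vg_pv.get(vg, dev) in mapped

    table = rows(fstab)
    mounts = {f[1]: f for f in table if f[2] != "swap"}
    swap_ok = all(encrypted(f[0]) for f in table if f[2] == "swap")
    exposed = [] if swap_ok else ["swap"]
    for mp in SENSITIVE:
        # A directory without its own fstab entry lives on "/".
        dev, _, fstype = mounts.get(mp, mounts["/"])[:3]
        # tmpfs pages can be swapped out, so tmpfs is only as private as swap.
        if not (swap_ok if fstype == "tmpfs" else encrypted(dev)):
            exposed.append(mp)
    return prompts, sorted(exposed)

# Constructed sample: three separately encrypted partitions, plain swap.
OLD_CRYPTTAB = "cr_home /dev/sda3 none\ncr_tmp /dev/sda5 none\ncr_var /dev/sda6 none\n"
OLD_FSTAB = """/dev/sda1 / ext4 defaults 1 1
/dev/sda2 swap swap defaults 0 0
/dev/mapper/cr_home /home ext4 defaults 1 2
/dev/mapper/cr_tmp /tmp ext4 defaults 1 2
/dev/mapper/cr_var /var ext4 defaults 1 2
"""
# Constructed sample: one encrypted LVM with swap, /home and /var; /tmp on tmpfs.
LVM_CRYPTTAB = "cr_data /dev/sda3 none\n"
LVM_FSTAB = """/dev/sda2 / ext4 defaults 1 1
/dev/data/swap swap swap defaults 0 0
/dev/data/home /home ext4 defaults 1 2
/dev/data/var /var ext4 defaults 1 2
tmpfs /tmp tmpfs defaults 0 0
"""
if __name__ == "__main__":
    print(audit(OLD_CRYPTTAB, OLD_FSTAB, {}))
    print(audit(LVM_CRYPTTAB, LVM_FSTAB, {"data": "/dev/mapper/cr_data"}))
```

Entries written as `UUID=` or `LABEL=` are reported as unencrypted by this check, because resolving them needs the live system.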