encrypt hdd

Hi,
I am new to this forum, but I have used SuSE things for several years. I am on holiday now and I installed Leap 15.2 on 2 PCs. Because I have some very nosy neighbors, who have no problem with breaking into my apartment, I decided to encrypt my hard disks. I found two annoying problems with respect to this topic within the installation procedure:

  1. I am using a password system with all chars on a German keyboard, but without special German chars like äöüß. Unfortunately the supported chars for the password are nevertheless limited. I expected such problems when creating accounts at some internet shops, but not for a Linux distribution. Why are the chars limited? There is no reason for doing so.
  2. Before installing Leap 15.2 I made a backup of my data to an encrypted USB HDD. One PC was updated from Leap 15.1 to 15.2. Starting this PC, I have to wait (1 min 30 sec) for this USB HDD to be found. The solution is easy: just remove the entry for this device from /etc/crypttab, but it was annoying to figure that out. Before I made the backup, I used YaST to format and encrypt the USB HDD. The HDD was mounted by hand after it was formatted. I suggest instructing YaST not to make an entry in crypttab when the media is not mounted via YaST, or to remove this entry when the media is properly unmounted.

These are only minor problems. Apart from these problems, the installation was pretty easy.
Best regards
volger

AFAIK, the characters which may be used for a password are anything the keyboard can generate – the only exception is usually the ASCII “NUL” character (ASCII 0).
However, it may be that the PAM cracklib module’s configuration places restrictions on the allowed password characters … There’s this openSUSE Security documentation: Security and confidentiality | Security and Hardening Guide | openSUSE Leap 15.5.
There’s this Server Fault discussion: List of allowable Linux password characters - Server Fault.
And there’s this Wikipedia article: https://en.wikipedia.org/wiki/Password_strength.

Can you please check the openSUSE Security Handbook entry related to “Encrypting Partitions and Files”? – Encrypting partitions and files | Security and Hardening Guide | openSUSE Leap 15.5.

  • Please raise a bug report against the Handbook if you feel that anything has been omitted.

You may also consider using AIDE to check if your neighbours have tampered with your system: Intrusion detection with AIDE | Security and Hardening Guide | openSUSE Leap 15.5.

  • Have you considered implementing physical security measures to deter the uninvited visitations?

Moved to the English Subforum.

I encrypt. But I don’t have any problem with nosy neighbors.

Encrypting is good practice. There’s no need to explain why.

  1. I am using a password system with all chars on a German keyboard, but without special German chars like äöüß. Unfortunately the supported chars for the password are nevertheless limited. I expected such problems when creating accounts at some internet shops, but not for a Linux distribution. Why are the chars limited? There is no reason for doing so.

I use only ASCII characters for disk encryption. That’s safest. You may be prompted for the password during boot, before the system can read what character set is configured for your keyboard.

Note that you can use a long passphrase. Also, you can add a second encryption key, and maybe put your preferred characters in that second key. But keep the original key available, because if something goes wrong and you need to access the disk for rescue purposes, you might be limited in what character set is available.

  2. Before installing Leap 15.2 I made a backup of my data to an encrypted USB HDD. One PC was updated from Leap 15.1 to 15.2. Starting this PC, I have to wait (1 min 30 sec) for this USB HDD to be found. The solution is easy: just remove the entry for this device from /etc/crypttab, but it was annoying to figure that out. Before I made the backup, I used YaST to format and encrypt the USB HDD. The HDD was mounted by hand after it was formatted. I suggest instructing YaST not to make an entry in crypttab when the media is not mounted via YaST, or to remove this entry when the media is properly unmounted.

I’m glad you found that problem.

I will need to experiment with that. I have not personally run into it. But I probably set up the encryption at the command line instead of with YaST. I seem to recall an early forum thread where somebody had that problem, and we were able to direct him to the “/etc/crypttab” entry. I’ll note that you can leave the entry there in “crypttab”, but put “noauto” in the options column for that entry.
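The stall described in the thread comes from an /etc/crypttab entry for a disk that is not plugged in: the boot waits out the device timeout before giving up (the 1 min 30 sec reported matches systemd’s default 90 s device timeout). The script below is an added example, not code from the thread or from openSUSE; it audits a crypttab for entries whose device is absent and which carry neither “noauto” nor “nofail”, i.e. exactly the entries that will hold up boot. The sample crypttab and its UUIDs are constructed for the demonstration; CRYPTTAB_PRESENT is an assumed test hook that replaces probing /dev.

```shell
#!/bin/sh
# Added example: find /etc/crypttab entries that will stall boot because the
# backing device (e.g. an unplugged USB disk) is missing and the entry has no
# "noauto"/"nofail" option.

# Constructed sample crypttab for offline use; the UUIDs are made up.
SAMPLE_CRYPTTAB="$(mktemp)"
trap 'rm -f "$SAMPLE_CRYPTTAB"' EXIT
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# name          device                                     keyfile  options
cr_root         UUID=11111111-2222-3333-4444-555555555555  none     luks
cr_usb_backup   UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee  none     luks
cr_usb_other    UUID=99999999-8888-7777-6666-555555555555  none     luks,noauto
EOF

# device_present DEVSPEC
# Resolves the second crypttab column (UUID=, LABEL=, PARTUUID= or a path) to
# a node under /dev and reports whether it exists right now. If the assumed
# test hook CRYPTTAB_PRESENT is set, only the specs listed in it count as
# present, so the logic can be exercised without real hardware.
device_present() {
    if [ -n "${CRYPTTAB_PRESENT+x}" ]; then
        case " $CRYPTTAB_PRESENT " in
            *" $1 "*) return 0 ;;
            *)        return 1 ;;
        esac
    fi
    case "$1" in
        UUID=*)     [ -e "/dev/disk/by-uuid/${1#UUID=}" ] ;;
        LABEL=*)    [ -e "/dev/disk/by-label/${1#LABEL=}" ] ;;
        PARTUUID=*) [ -e "/dev/disk/by-partuuid/${1#PARTUUID=}" ] ;;
        *)          [ -e "$1" ] ;;
    esac
}

# has_option OPTIONS WORD: true if the comma-separated OPTIONS contains WORD.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# stalling_entries CRYPTTAB
# Prints the name of every entry whose device is absent and whose options
# contain neither "noauto" nor "nofail" -- these are the ones the boot waits for.
stalling_entries() {
    while read -r name dev key opts _; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        opts="${opts:--}"                            # missing options column
        if ! device_present "$dev" \
           && ! has_option "$opts" noauto \
           && ! has_option "$opts" nofail; then
            printf '%s\n' "$name"
        fi
    done < "$1"
}

# Stand-alone demo on the constructed sample: pretend only the root disk is
# plugged in, as on the poster's PC with the backup disk unplugged.
CRYPTTAB_PRESENT="UUID=11111111-2222-3333-4444-555555555555"
for n in $(stalling_entries "$SAMPLE_CRYPTTAB"); do
    printf 'crypttab entry "%s": device absent, no noauto/nofail -> boot will wait for it\n' "$n"
done
```

To audit a real system, `unset CRYPTTAB_PRESENT` and call `stalling_entries /etc/crypttab` as root; any name it prints is a candidate for the “noauto” fix given above (or “nofail”, which keeps the automatic unlock attempt but lets boot continue if the disk is missing).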

Can someone explain why encrypting partitions and files is done natively, easily and reliably, while an external application is needed to encrypt a folder?

Is it hopeless? Does it require too much work? How come Vera achieved this, while Linux developers cannot?

What do you mean by “external application”?

“cryfs” and “encfs” are still open source and can reasonably be considered native Linux software. And “ecryptfs” is built into the kernel.

I’m looking at a Plasma Vault that I have unlocked.

The root user can see the unencrypted content of my ecryptfs-private-directory ($HOME/Private).

The root user does not have access to my open Plasma Vault ($HOME/Vaults/CAstuff). Perhaps that’s a benefit of keeping “encfs” out of the kernel.

Wow! I am impressed with cryfs. Didn’t know that such a thing exists. Thanks for mentioning.

Of course, I don’t have experience with it more than a few minutes. But the design is good.

Here are some questions I have, mainly for me.

Why is the support for Windows highly experimental?

Can cryfs be started from Windows’s command window, like in Linux:
cryfs basedir mountdir ?

Are there limits, besides the ones that the OS imposes, on file sizes, file count, etc?

Why didn’t I know about cryfs, while I knew about Vera?

Why is there no Wikipedia article about cryfs? Is it because cryfs does not work well in Windows?

Why does nrickert use “still” in
“cryfs and encfs are still open source”?
Are there rumors that they will disappear from open source world?

How reliable is cryfs? Have people lost files because cryfs crashed or refused to work properly?

How much CPU power does it use when used extensively? More than the cryptsetup luksOpen… method? Twice as much?

An application that is not supplied in the openSUSE distribution and default repositories. cryfs is in openSUSE’s Main Repository.

I’m not a Windows person, so I have not investigated that.

Why is there no Wikipedia article about cryfs?

Probably, because it is relatively new.

Why does nrickert use “still” in
“cryfs and encfs are still open source”?
Are there rumors that they will disappear from open source world?

Sorry about that confusion.

It’s just an English idiom. Instead of “still”, I could have said “nevertheless” or some other filler word. There is no intended implication about it disappearing.

How reliable is cryfs? Have people lost files because cryfs crashed or refused to work properly?

I don’t know. It is relatively new. I’m not sure how thoroughly it has been tested or analyzed.

How much CPU power does it use when used extensively? More than the cryptsetup luksOpen… method? Twice as much?

I don’t know that, either. Most people won’t be using it heavily enough that you would notice.

Is it FUSE based? That is normal then; by default FUSE restricts access to the user that mounted the filesystem.

Yes, it is FUSE based.