Encrypted Home Partition Login / Decrypt

When installing 12.3 I setup an encrypted home partition, which I now realize is not the same thing as an encrypted home directory. Is it possible to convert it to encrypted partition, encrypted home dir? If not, if I were to try again, how would I go about just the encrypted home directory? Probably can’t be done during install, I’m guessing.

My main issue is that sometimes after suspending, waking from suspend… the partition can’t be found and I have to reboot to re-enter the passphrase. Also, if I’m not quick or not paying attention, I miss the passphrase prompt and it boots to a ‘can’t find home’ error, and I have to reboot again.

On 2013-03-03 22:16, craig sillva wrote:
> When installing 12.3 I setup an encrypted home partition, which I now

12.3 questions should be asked in the Beta forum. Please ask a moderator
to move it.

Re your problems, they may be bugs that you should report in bugzilla -
that’s the purpose of using a beta version, remember: discover problems
and report them :wink:


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Your guess is correct. It cannot be done during install.

During install, you need to setup an ordinary user without encrypted home. And keep that user without encrypted home. You might later need it for repair purposes. That user need not have any sensitive files.

After the system is up and running, use Yast to create a new user. One of the options for creating a new user is to have an encrypted home directory. Note that I have no real experience with that. I have just created such a user to experiment, but I have not tried to login as that user.

The way it works is that an encrypted image is generated (often called a container). During login, that container is mounted as home directory for the user, with the user login password as encryption key. It requires that, when setting up the new user, you pre-allocate as much space to that container as you expect the user to need.

Another alternative is to use “ecryptfs” which is how ubuntu does it. I have been experimenting with that. It works pretty well with opensuse 12.3 (not yet released). But the documentation is not there yet, on how to set it up as a home directory. The default is an unencrypted home directory and an encrypted “Private” subdirectory. Using “ecryptfs”, you do not have to pre-allocate space. Encryption is at the file level instead of at the container level.

And a note to moderators. While this is a beta thread, it is really a question that applies to all recent releases. So maybe it should be left where it is and not moved to the beta forum.

CLOSED.
Will be moved to Pre-release/Beta.

Moved from Install/boot/login (I am not sure, forgot to look where it came from :()
Open Again.

Thanks for the detailed response. When 12.3 is released I think I will reinstall and go with the encrypted home dir, that way house-sitters or guests would be able to have their own account and still be able to use the computer without having to decrypt the entire home partition. Your answer gave me the terminology to find a good reference for the differences between the different encryption methods: Data-at-rest encryption - ArchWiki

Thanks for assistance with the appropriate forum, mod. I don’t see the ‘mark thread solved’ option under thread tools, so I just changed the title. I guess that’s how it’s done here?

Cheers,
Craig

You may change as you have done, but it is not needed.

Saying in the thread that you are satisfied (and when it is a technical problem please then tell how you solved it when that is not already very clear from the thread) is OK. Threads stay normally open here. That you are satisfied does not mean that others want to stop the discussion. Threads belong to the community.

On 2013-03-04 21:16, craig sillva wrote:
> Thanks for the detailed response. When 12.3 is released think I will
> reinstall and go with the encrypted home dir, that way house-sitters or
> guests would be able to have their own account and still be able to us
> the computer without having to decrypt the entire home partition.

Remember that not every user needs to have the same /home partition. You
can have your main user in /home1/user1/, where the entire /home1 is
encrypted, and have other users in /home2/visitor1/. That you use /home
is just a convenient convention; it can be an empty directory in the
root partition.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

I hadn’t thought of that robin_listas, it’s an interesting idea. But it strays a bit too far from what I’m familiar with for my comfort. I’ve found a couple other ways to go about it in another thread [1].

Cheers,
Craig

[1] https://forums.opensuse.org/english/get-technical-help-here/install-boot-login/483845-quickly-restore-all-previously-installed-removed-packages.html

Update:

Well, I finally reinstalled rather than attempt all the work in place. Upon logging in with a temp user I created a new user and checked the box to encrypt home. First surprise: having to specify a directory size. Choose a size and click go, it gives an error about no file found, then completes. Hrmm… login with the new user, test and find I’m not running an encrypted home. Logout, temp user, delete and try again. And again. And again. Could not get it to work.

Yast + Create new user with encrypted home = failed.

Next I just create a new user and use encfs to create an encrypted directory. Nice part is no need to specify a directory size. Trying to unlock the encrypted dir using encfs ~/.secured ~/.secure fails with a cryptic fuse error. A bit of googling leads me to create a new group using the Yast User Module again, called fuse, adding myself to the group, rebooting and trying again: success!

Now I am reading about pam, trying to figure out how to have the directory unlocked automagically when I log in.

I have not tried “encfs”. I have used (and am using) “ecryptfs”.

If you can wait three days, then install 12.3, and use “ecryptfs”. You will need to install “ecryptfs-utils” from the repos.

With 12.2, “ecryptfs” is working pretty well. But they got the “pam” a bit wrong. So anytime that there’s an update which affects “pam”, my “ecryptfs” private directory stops opening with login, until I fix it again.

With 12.3, they seem to have fixed that problem, so the “pam” part should work out-of-the-box. The easy setup is to have a subdirectory “Private” encrypted. It is possible to have the entire home directory encrypted, but that takes a little effort. I have done it, and am thinking of doing that on my work computer.

Encrypting the entire home was my plan, but I wasn’t able to do it using the user control module in yast. Checking encrypt home dir does … well, not nothing, since it does create the encrypted file and other decrypted file. It just doesn’t actually use them as home dir.

cnf encryptfs returns nothing.

@nrickert - cheers and thanks! After some searching I came across your own blog post about ecryptfs-utils and how to set it up under openSUSE, which is even easier on 12.3 than before. All that was required was installing ecryptfs-utils, loading the kernel module and adding it to the kernel modules that are loaded, as you indicated, and then just running the initial setup. No fiddling about with pam required at all.

Finally have a sane setup for my home directory - private docs, email and web-browser stored under private, everything else just secured with the usual file permissions.
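An added check script, not from this thread and not part of ecryptfs-utils, for two things discussed above: the failure mode nrickert describes (an update that touches pam drops the ecryptfs hook, so login still succeeds but the Private directory quietly stops mounting) and the setup steps Craig lists (kernel module loaded at boot, pam wired up). The file locations (/etc/pam.d/common-auth, /etc/modules-load.d/*.conf) and the exact form of the pam_ecryptfs.so line are assumptions modelled on how ecryptfs-utils normally configures a system; compare them with the real files on your own box. The sample config files it runs against are constructed inline so it works without root.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the two pieces that make
# an ecryptfs "Private" directory mount automatically at login.
# Assumptions: PAM stack lives in /etc/pam.d/common-auth and boot-time
# modules are listed in /etc/modules-load.d/*.conf (systemd style).

# Does a PAM stack file still reference pam_ecryptfs.so?  A package update
# that regenerates the stack can drop this line; login then succeeds but
# ~/Private is just an ordinary, unmounted directory.
pam_has_ecryptfs() {
    # $1 = path to a PAM config file
    [ -r "$1" ] && grep -Eq '^[[:space:]]*(auth|session|password)[[:space:]]+[a-z]+[[:space:]]+pam_ecryptfs\.so' "$1"
}

# Is the ecryptfs kernel module listed for loading at boot?
module_listed_at_boot() {
    # $1 = modules-load.d directory, $2 = module name
    [ -d "$1" ] && cat "$1"/*.conf 2>/dev/null | grep -Eq "^[[:space:]]*$2[[:space:]]*$"
}

# Summarise both checks as one line, e.g. "pam:ok module:missing".
check_ecryptfs_setup() {
    # $1 = PAM file, $2 = modules-load.d directory
    pam=missing
    mod=missing
    if pam_has_ecryptfs "$1"; then pam=ok; fi
    if module_listed_at_boot "$2" ecryptfs; then mod=ok; fi
    printf 'pam:%s module:%s\n' "$pam" "$mod"
}

# Constructed sample configs (not copied from any real system) so the checks
# can be exercised without root.  $1 = "good" or "broken"; prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pam.d" "$dir/modules-load.d"
    if [ "$1" = good ]; then
        cat > "$dir/pam.d/common-auth" <<'EOF'
auth    required        pam_env.so
auth    optional        pam_ecryptfs.so unwrap
auth    required        pam_unix.so try_first_pass
EOF
        echo ecryptfs > "$dir/modules-load.d/ecryptfs.conf"
    else
        # what a regenerated PAM stack plus an empty modules-load.d look like
        cat > "$dir/pam.d/common-auth" <<'EOF'
auth    required        pam_env.so
auth    required        pam_unix.so try_first_pass
EOF
    fi
    printf '%s\n' "$dir"
}

# "live" inspects the real system; anything else runs the fixture demo.
main() {
    if [ "${1:-demo}" = live ]; then
        check_ecryptfs_setup /etc/pam.d/common-auth /etc/modules-load.d
        return
    fi
    for kind in good broken; do
        f=$(make_fixture "$kind")
        printf '%s fixture -> %s\n' "$kind" \
            "$(check_ecryptfs_setup "$f/pam.d/common-auth" "$f/modules-load.d")"
        rm -rf "$f"
    done
}
main "$@"
```

Run it with the argument live after any update that pulls in pam, and again after a reboot. A result of pam:missing is the symptom nrickert describes: nothing fails loudly, the passphrase is simply never unwrapped and the encrypted view is absent until the hook is restored (on openSUSE the files under /etc/pam.d are maintained by pam-config, so that is the place to look first). Treat it as a data-protection problem rather than an annoyance, since anything that expected ~/Private to be the encrypted view is working on the plain directory in the meantime.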

Yes, that is working very well with 12.3. I will probably come out with a newer blog post on that, once I have done some more experimenting with it.

With 12.2 and before, the pam didn’t quite work. They fixed that, just too late for 12.2. In my testing of 12.3 (from Milestone 1, on), ecryptfs has worked perfectly.

I’m glad you have it working.