I plan to encrypt some folders before installing openSUSE 12.3 with KDE, LXDE and XFCE on my new drive (size suggestions taken from here). My plans are:
Unencrypted "/" partition (since I can’t encrypt it) (40GB, personal choice because FlightGear itself takes about 20GB)
Unencrypted /boot partition (300MB)
Encrypted /var partition (8-12GB)
Encrypted /tmp partition (This one it says 50MB but I think it needs more space)
Encrypted /home partition (Around 250GB, my personal choice)
Encrypted SWAP partition (4GB)
And another encrypted data partition (The rest of my 1TB drive)
Should I be safe with those numbers? Should I increase some of them?
On 2013-07-25 23:36, amarildojr wrote:
>
> Hello.
>
> I plan to encrypt some folders before installing openSUSE 12.3 With
> KDE, LXDE and XFCE on my new drive (size suggestions taken from ‘here’
> (http://tinyurl.com/l8uteaw)).
Last time I tried it said something about not being able to encrypt it, even though I have already selected a non-encrypted /boot partition. I’ll try it out again.
Make it 1 G.
Yes. Reading through Arch’s forums I decided to make it 1GB.
Why do you want a separate /var?
Not only /var, but also /tmp, swap and /usr. I read that there can be leftovers in those places, so I won’t take that chance. My previous laptop was stolen with data that was not so important, but times have changed.
I’m going to install openSUSE 12.3 on a machine here at my company and make it the default “important data” machine. I don’t want other people reading through file leftovers in those places.
I started the same thread on LinuxQuestions, and some other info is:
"The computer is connected directly to the internet via modem. All data remains here, since this is the only computer not connected to the LAN. It has USB ports as well as a DVD drive, but no one is allowed to write on these (I’m the only one who has the passwords, plus I always lock the machine when I’m not working on it).
I’m not concerned about any leakage other than someone running a LiveCD trying to get important data, which won’t be possible since I plan to encrypt the data drive. Not to mention I will use different passwords, from Login to the data drive, in addition that openSUSE asks for the password RELATED TO THE DRIVE ITSELF, meaning that even if someone could Login into my account (the only one) they wouldn’t be able to get the data out of that separate encrypted partition."
Unless you want to be asked for passwords for each partition, you should maybe use LVM containers, i.e. 1 GB /boot + 1 encrypted LVM with root + swap + home and any other partition in it, though with LVM I’m not sure of a way to have more than root_home in it since it is expandable. That seems to be what most people are doing these days.
You were not asked why you want /var (and the others) encrypted (we understand that), but why you want them to be separate partitions? I guess because you think that / can not be encrypted. But when / can be encrypted, all inside that is not on a separate file system will be encrypted by definition. Swap is of course outside this list because it is no file system and is to be encrypted separately.
I decided to use a single strong password for SWAP, /var, /usr and /tmp, so the system asks me for two passwords: one to unlock /home, and another that, to my surprise, unlocks every other.
I just noticed that the same problem happens after install. The system fails to restart at the 1st time, and then it fails to boot. Then I forced a reboot and everything seems to be working.
I used:
1GB for /boot (unencrypted)
20GB for / (unencrypted)
4GB for SWAP (Encrypted)
30GB for /usr (Encrypted)
15GB for /tmp (Encrypted)
15GB for /var (Encrypted)
And the rest for /home (Encrypted)
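The thread's worry is data left behind in /var, /tmp and swap, and the layout above is meant to put all of that on dm-crypt. The following is an added example, not code from the thread or from openSUSE, that verifies after install which mount points really sit on top of a "crypt" mapping: it walks each mounted block device up its parent chain as reported by `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME`. It assumes the installed lsblk supports the PKNAME column; the two samples are constructed, the `cr_*` and `system-*` names are illustrative, and the second sample goes beyond the per-partition layout above to the LVM-in-one-container layout discussed later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which mount points are backed
# by a dm-crypt device. A mount point counts as encrypted only if some
# ancestor in its device chain has TYPE "crypt".
# Input format (raw lsblk, no headings):  lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME
# Assumption: lsblk supports the PKNAME (parent kernel name) column.

# check_encryption: lsblk raw output on stdin -> one line per mount point,
# "<mountpoint> encrypted" or "<mountpoint> PLAINTEXT" (swap shows as [SWAP]).
check_encryption() {
    # -F'[ ]' keeps empty columns, which lsblk -r emits as consecutive spaces
    awk -F'[ ]' '
    {
        name = $1; type[name] = $2; mnt[name] = $3; parent[name] = $4
        if ($3 != "") order[++n] = name
    }
    END {
        for (i = 1; i <= n; i++) {
            dev = order[i]; enc = "PLAINTEXT"
            # walk upwards: LV -> crypt mapping -> partition -> disk
            for (p = dev; p != ""; p = parent[p])
                if (type[p] == "crypt") { enc = "encrypted"; break }
            printf "%s %s\n", mnt[dev], enc
        }
    }'
}

# Constructed sample 1 (not captured from a real machine), modelled on the
# per-partition layout posted above: plain /boot and /, the rest on LUKS.
SAMPLE_PARTITIONS='sda1 part /boot sda
sda2 part / sda
sda3 part  sda
cr_sda3 crypt [SWAP] sda3
sda5 part  sda
cr_sda5 crypt /usr sda5
sda6 part  sda
cr_sda6 crypt /tmp sda6
sda7 part  sda
cr_sda7 crypt /var sda7
sda8 part  sda
cr_sda8 crypt /home sda8'

# Constructed sample 2: one LUKS container with LVM inside (plain /boot only);
# here the walk has to go two levels up (LV -> crypt -> partition).
SAMPLE_LVM='sda1 part /boot sda
sda2 part  sda
cr_sda2 crypt  sda2
system-root lvm / cr_sda2
system-swap lvm [SWAP] cr_sda2
system-home lvm /home cr_sda2'

# Print only the mount points that are NOT encrypted for a given sample,
# so the check can gate a post-install script (empty output = all good).
plaintext_mounts() {
    printf '%s\n' "$1" | check_encryption | awk '$2 == "PLAINTEXT" { print $1 }'
}

# On a real machine:  lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME | check_encryption
plaintext_mounts "$SAMPLE_PARTITIONS"   # prints /boot and /
plaintext_mounts "$SAMPLE_LVM"          # prints only /boot
```

On a live system pipe the real lsblk output into `check_encryption`; anything other than /boot (and, in the layout above, /) reported as PLAINTEXT means leftovers there are readable from a LiveCD.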
On 2013-07-26 09:46, hcvv wrote:
>
> amarildojr;2574505 Wrote:
>>
>>
>> Not only /var, but also /tmp, swap and /usr. I read that can be left
>> overs on those places, so I won’t take this chance. My previous laptop
>> has been stolen with data that was not so important, but times have
>> changed.
>>
>>
> I guess there is some misunderstanding here.
>
> You were not asked why you want /var (and the others) encrypted (we
> understand that), but why you want them to be separate partitions? I
> guess because you think that / can not be encrypted. But when / can be
> encrypted, all inside that is not on a separate file system, will be
> encrypted by definition. Swap is of course outside this list because it
> is no file system and to be encrypted separate.
Exactly, that’s what I meant.
Being picky, swap can be turned into a file inside /, but then
hibernation would be out. And being picky again, hibernation would not be
out, perhaps, but I don’t know how to handle that - only that it is
difficult.
So, the question is: why not encrypt the entire “/”, and not use the
other (system) partitions? Only “/” has to be separate.
Yes, YaST would probably want to set up an LVM to hold home, swap and
system, but you do not need to do it the YaST way. They would complain that
then you would be prompted for the password several times, but you said
that is not an issue for you (amarildojr).
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I would surely have used ‘/’ to encrypt if it worked. The message I receive is:
“You have assigned an encrypted filesystem with one or another of the following mount points: /, /usr, /boot or /var. This is not possible. Change the mount point or use a nonloopbacked filesystem.”
> I would surely have used ‘/’ to encrypt if it worked. The message I
> receive is:
>
> “You have assigned an encrypted filesystem with one or another of the
> following mount points: /, /usr, /boot or /var. This is not possible.
> Change the mount point or use a nonloopbacked filesystem.”
It is indeed possible to do. You need a separate /boot, and perhaps, set
it up manually, besides YaST.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I tried setting up a separate unencrypted /boot partition, and even so I receive that message. Weird that the message says “/usr, /var” and it let me encrypt them after all =P
On 2013-07-26 15:16, amarildojr wrote:
> I decided to use a single strong password for SWAP, /var, /usr and
> /tmp, so the system asks me for two password: One, to unlock the /home,
> and another that, for my surprise, unlocks every other.
You are probably using LVM, which is fine if you want it. Also, home may
be a loop mounted file, not a partition.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-07-26 15:56, hcvv wrote:
>
> amarildojr;2574641 Wrote:
>> I would surely have used ‘/’ to encrypt if it worked. The message I
>> receive is:
>>
>> “You have assigned an encrypted filesystem with one or another of the
>> following mount points: /, /usr, /boot or /var. This is not possible.
>> Change the mount point or use a nonloopbacked filesystem.”
> Oops. Thanks for that information. Useful to know.
“or use a nonloopbacked filesystem.”
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
Well I must confess that I don’t know. Checking the partitioner I can’t see anything, and I didn’t mark anything about LVM (neither on install nor after it).
All I did was create a primary partition for boot and then an extended partition for the rest with logical volumes for them.
I had the same problem setting up encrypted “/”. It is possible, but it requires special effort.
Instead, I am using a encrypted LVM which is supported and does work.
Boot from a live CD or similar. Create “/boot” to be unencrypted. Then create a single encrypted partition for everything else.
In the Yast partitioner, go to the LVM sections. Assign your large encrypted partition to be used as the new LVM. Create volume groups inside for root, swap, home.
In the installer, you will be asked if you want to provide the encryption key. Provide it.
In the partitioning section of the install, select “create partitioning” (I think that’s the name). The LVM volumes should be visible and can be chosen for “/”, swap and “/home”.
For subsequent installs of newer versions, use “import partitioning” to reuse the same partitioning as before.
I have been doing it this way for 3 years now, and it works very well.
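The procedure nrickert describes (plain /boot, one encrypted partition, LVM with root, swap and home inside it) can also be done by hand from a live CD, which is the "set it up manually, besides YaST" route Carlos mentions. The script below is an added example, not code from the thread or from openSUSE/YaST: it builds that stack with parted, cryptsetup and the LVM tools and prints the /etc/crypttab and /etc/fstab lines the installed system needs. `/dev/sdX`, the 1 GiB / 4 GB / 40 GB sizes, the mapping name `cr_lvm` and the volume group name `system` are all assumptions. Every disk-touching command goes through a `run` wrapper that only prints the command unless `DRY_RUN=0`, so the plan can be checked against `lsblk` before it destroys anything.

```shell
#!/bin/sh
# Added example (not from the thread, not YaST's own code): manual
# /boot + LUKS container + LVM (root, swap, home) layout, as typed from a
# live CD before letting the installer "import partitioning".
# Device names, sizes, the mapping name and the VG name are assumptions.
set -eu

# DRY_RUN=1 (default) only prints the plan; DRY_RUN=0 really runs it.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# setup_encrypted_lvm DISK MAPPING VG
#   DISK1 becomes /boot (plain), DISK2 becomes the LUKS container.
setup_encrypted_lvm() {
    disk=$1
    mapping=$2
    vg=$3
    boot="${disk}1"
    luks="${disk}2"

    # 1. Partition: 1 GiB for /boot, the rest for the container
    run parted -s "$disk" mklabel msdos
    run parted -s "$disk" mkpart primary ext4 1MiB 1025MiB
    run parted -s "$disk" mkpart primary 1025MiB 100%
    run mkfs.ext4 -L boot "$boot"

    # 2. LUKS container (luksFormat prompts for the passphrase), then open it
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 "$luks"
    run cryptsetup luksOpen "$luks" "$mapping"

    # 3. LVM inside the container: one PV, one VG, three LVs.
    #    Swap lives inside the container too, so there is no second key to
    #    manage and a LiveCD cannot read stale pages out of it.
    run pvcreate "/dev/mapper/$mapping"
    run vgcreate "$vg" "/dev/mapper/$mapping"
    run lvcreate -L 4G -n swap "$vg"
    run lvcreate -L 40G -n root "$vg"
    run lvcreate -l 100%FREE -n home "$vg"

    # 4. Filesystems
    run mkswap "/dev/$vg/swap"
    run mkfs.ext4 "/dev/$vg/root"
    run mkfs.ext4 "/dev/$vg/home"
}

# 5. The config lines the installed system needs; printed here, not written.
#    /etc/crypttab: unlock the container at boot (the initrd prompts once)
crypttab_line() {   # MAPPING LUKS_DEVICE
    printf '%s %s none luks\n' "$1" "$2"
}
#    /etc/fstab: mount the logical volumes and the plain /boot
fstab_lines() {     # VG BOOT_DEVICE
    printf '/dev/%s/root / ext4 defaults 1 1\n' "$1"
    printf '%s /boot ext4 defaults 1 2\n' "$2"
    printf '/dev/%s/home /home ext4 defaults 1 2\n' "$1"
    printf '/dev/%s/swap swap swap defaults 0 0\n' "$1"
}

# Preview the whole plan (DRY_RUN=1 is the default; /dev/sdX is a placeholder)
setup_encrypted_lvm /dev/sdX cr_lvm system
crypttab_line cr_lvm /dev/sdX2
fstab_lines system /dev/sdX1
```

Because everything except /boot is one container, there is a single passphrase prompt at boot, and since swap is a logical volume inside it rather than a random-key partition or a swap file, hibernation remains possible as long as the initrd is built with its resume device pointing at the swap LV.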
> Well I must confess that I don’t know. Checking the partitioner I can’t
> see anything, and I didn’t mark anything about LVM (neither on install
> nor after it).
> All I did was create a primary partition for boot and then an extended
> partition for the rest.
>
> Take a look ‘here’ (http://paste.opensuse.org/68215289).
Ah, no, no LVM, then.
The LVM method is what nrickert describes.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)