Full disk encryption during installation - Opensuse 11.2

So far I am very happy with 11.2. Much fewer bugs than 11.1.

One problem I have is with full disk encryption. I wanted to encrypt the whole disk during installation. But I am not a programmer and I just don’t get it, even if I read the manuals sideways.
The manuals on Novell Doc: OpenSUSE 11.2 - Table of Contents are not helpful enough (or call it too complicated for my level?)

I don’t give up easily but for a non-linux geek like me that is just too technical.

If someone could assist or knows of a “How to” or “Step by step” guide I would greatly appreciate it.

I use Opensuse 11.2 64-bit

I don’t know what your needs are, and if you really need an encrypted disk, but for my needs (preserving some sensitive documents) I use truecrypt (TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux). It is really easy to set up and use. I use file-based volumes, although it is possible to encrypt whole partitions.

I just want maximum protection for my data, e.g. in case of theft, particularly for my notebooks.

I know about Truecrypt but since 11.2 should support full disk encryption, I would like to take advantage of this feature.

However, even with the documentation
http://www.novell.com/documentation/opensuse112/pdfdoc/book_security/book_security.pdf (the link on Novell’s website does not work because they forgot to put a dot in front of …pdf, but this one should)
I just did not get it.

So my hope is that someone more experienced can do a “how to” or explain how they managed successfully during installation.

Encrypting anything other than /etc, /var and /home is a waste of effort and processing power - especially on notebooks.

Encrypting binary locations will only slow the system down and require extra processing power to decrypt, thus leading to decreased battery life.

I am sure that your remarks make sense. But I am lost when you throw around “binary locations” etc. It’s way beyond my knowledge. So for me, having the entire hard disk encrypted would surely give me peace of mind. And since Opensuse 11.2 allows this, I would just like to know “how to, during installation”.
What happens, for example, during a crash? No data stored in other locations like /temp?

binary locations -> /usr/bin, /usr/sbin, /bin, /sbin, /usr/local/bin, /usr/local/sbin, etc
also the lib paths too like /usr/lib

Sorry about being vague - microchip posted the locations.

The only reason you might want to encrypt those would be if you were ‘scared’ of someone injecting binaries into your system locally but then again… that would require some tight tinfoil hat :)

There are some of the new notebooks, such as the Thinkpads, that contain another chip on the motherboard to handle the extra load of encrypting the whole drive. Unless you have one of those, I really would stay away from total disk encryption. It is just too processor intensive, and frankly unnecessary. I would only encrypt directories that contain user data.

Also look at it this way. Even if you encrypt, you are still only as safe as the password you set for the encryption. So, make sure that you use a strong password for the directories that you do encrypt. Also, make sure that the password is not the same as the Login password. This way, you have a second layer of security.

Thanks both for the enlightenment. Does that also mean that no data is stored in other locations (also not in /temp) during a crash, for example? That is, if I only encrypt your suggested locations, is there no possibility that personal data is in any way stored outside those locations?

You can set /tmp to be stored in RAM (it generally is not bigger than 40-50kB, at least in my case). Secondly, you could use a file on a USB stick to unblock the encrypted partitions; no USB stick, no worries that the passphrase is too simple. I did the same with my system: I made a key file on an additionally encrypted partition which I decrypt using a file on a stick, and then use the key file from the encrypted partition on my USB stick to mount encrypted partitions on my hard disk :)

Of course I keep the key online as a backup and on a CD as an encrypted rar file with a looooooooooooooooooong passphrase :)

That way even if you would get a keylogger it wouldn’t get the password you type in to unlock the encrypted partitions so it is a tad safer.

You could encrypt the temp folder in addition to the data folders. You would see a performance hit, but nothing like you would see if you encrypted the whole drive.

Hello,

now that I’m trying to setup my full encrypted openSuSE 11.2 it’s time to join this thread.

Unfortunately not by saying “Everything’s fine” :(.

I tried to use the new option “LVM-based”-partitioning along with “Encrypt volume-group”. Therefore openSuSE should use 99,24 free GB after the first (windows 7) partition on my laptop.

What happens instead ? openSuSE creates the following setup:

66,45 MB /boot on sda2 (that’s ok)
14,99 GB encrypted sda3 (id=8E = LVM)
7,38 MB encrypted sda4

Volume-Group “system” on sda3 + sda4

Some logical volumes (/root, /home, swap).

I don’t understand

  1. Why openSuSE leaves 84 GB unused ?
  2. What’s the matter with the small sda4 - partition ?

Anyone out there with success ? Maybe it’s time to submit an error-report ?

Regards, user2304.

Look, there are so many partition setups that it is crazy to make it work with everyone. I have set my system to use FULL encryption myself WITHOUT using suggested partitioning. It is dead easy to accomplish this. You simply have to create an LVM partition (instead of choosing a filesystem you choose type LVM and tick Encrypt below), then you give your password and then you do it as you like it.

Ok,

searched the forum and did it according to openSUSE Lizards » encrypted root file system on LVM, it seems to work. Fine.

Regards, user2304

Wrong. There’s a lot of interesting stuff in /tmp too.
Anyway, there’s people concerned more about security than
battery life, which heavily depends on usage pattern anyway.

Btw, having binaries and libs encrypted is a low overhead since after the first open they’re cached anyway.

JC

I don’t believe the original question was answered (or at least answered in a way a beginner penguin can digest).

Full disk encryption in 11.2 is possible only on top of LVM. So you will have to read docs on how to configure LVM too. In brief:

1). The easiest method is to use the automatic partition proposal. Click ‘Create LVM-based proposal’ and select the ‘Encrypt Volume Group’ checkbox near it.

2). If for some reason the automatically generated proposal is not good enough (and if the disk is not empty then it seldom works for your needs) then you have to take the hard way:

  • Create on your disk two partitions: a small one (50-100 Mb) for initial boot and another to hold all data to be encrypted
  • Edit small one: format it (default Ext4 is good), do NOT encrypt it, mark it to be mounted as /boot
  • Edit bigger partition: do NOT format or mount it. Specify this partition as File System ID 0x8E (Linux LVM). Select checkbox ‘encrypt device’ on the same screen.
  • After this you have to create LVM on this partition ‘as usual’. Refer to documentation but the idea is:
    o Select ‘Volume Manager’ -> Add Volume Group. Add partition you created to the group.
    o Add Logical Volume(s) to this group. Format and mount them as you would like to see them. There is no need to encrypt these individual volumes.

HTH
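
A check for the layout described in the post above, as an added example that is not part of the original thread: it walks `lsblk -J` output and lists every mounted filesystem or swap area that is not stacked on an encrypted (dm-crypt) device, apart from /boot. It assumes a current util-linux that provides `lsblk -J`; the device names and both sample layouts are constructed.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for the layout in the
# post: plain /boot, one encrypted partition holding the whole volume group.
SAMPLE = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "cr_sda2", "type": "crypt", "mountpoint": null, "children": [
    {"name": "system-root", "type": "lvm", "mountpoint": "/"},
    {"name": "system-home", "type": "lvm", "mountpoint": "/home"},
    {"name": "system-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# Constructed counter-example: only /home is encrypted; / and swap are not.
WEAK = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": "[SWAP]"},
  {"name": "sda3", "type": "part", "mountpoint": "/"},
  {"name": "sda4", "type": "part", "mountpoint": null, "children": [
   {"name": "cr_home", "type": "crypt", "mountpoint": "/home"}]}]}]}"""


def plaintext_mounts(lsblk_json, allowed=("/boot",)):
    """Return sorted mountpoints (incl. swap) not stacked on a crypt device."""
    found = set()

    def walk(node, encrypted):
        # Everything below a dm-crypt mapping is stored encrypted on disk.
        encrypted = encrypted or node.get("type") == "crypt"
        # The MOUNTPOINTS column yields a list, MOUNTPOINT a single string.
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mounts:
            if mp and not encrypted and mp not in allowed:
                found.add(mp)
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return sorted(found)


if __name__ == "__main__":
    print("LVM on encrypted partition:", plaintext_mounts(SAMPLE))
    print("only /home encrypted:      ", plaintext_mounts(WEAK))
```

On a live system, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` as the argument; an empty list means only /boot is stored unencrypted.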

Be careful with this. I tried this last month and it completely screwed up CD/DVD writing as it uses /tmp by default (and K3B wouldn’t allow me to change it!). It took me ages to figure out why because I forgot about changing /tmp to be a RAM disk!

Also video encoding, audio processing, image apps can be affected too.

S O L V E D !

Thanks, this was helpful and finally I did it. It is quite easy in fact and a 20 second solution if you know how to:
Choose
“Create partition setup”, then
“Use entire hard disk”
Then select
“Propose separate home partition, Create LVM Based Proposal, and Encrypt Volume”.
then entering a password is it.

The process is very confusingly and badly explained for a beginner, which was also eWeek’s opinion. However, their picture (see slide 2) finally made it really easy for me:
LABS GALLERY: OpenSUSE 11.2 Effectively Integrates New Features, Installation Options Are Confusing

Beginners like me - and I will need a long time to increase my level of expertise - would be helped greatly if the description or “help” would explain such a procedure much more clearly. However, this way it works perfectly but it took me hours to figure this out. A better description during the installation process would make this a 20 second solution. So if programmers out there would think of non-technicians like me, this would be of tremendous help.

Nevertheless, the advice I get on this forum is really great, even if sometimes it first circles around a problem. So thanks to everybody!