So far I am very happy with 11.2. Much fewer bugs than 11.1.
One problem I have is with full disk encryption. I wanted to encrypt the whole disk during installation. But I am not a programmer and I just don’t get it, even if I read the manuals sideways.
The manuals on Novell Doc: OpenSUSE 11.2 - Table of Contents are not helpful enough (or call it too complicated for my level?)
I don’t give up easily but for a non-linux geek like me that is just too technical.
If someone could assist or knows of a “How to” or “Step by step” guide I would greatly appreciate it.
I am sure that your remarks make sense. But I am lost when you throw around “binary locations” etc. It’s way beyond my knowledge. So for me having the entire hard disk encrypted would surely give me freedom of mind. And since openSUSE 11.2 allows one to do this, I would just like to know “how to, during installation”.
What happens, for example, during a crash? No data stored in other locations like /temp?
Sorry about being vague - microchip posted the locations.
The only reason you might want to encrypt those would be if you were ‘scared’ of someone injecting binaries into your system locally but then again… that would require some tight tinfoil hat
There are some of the new notebooks, such as the Thinkpads, that contain another chip on the motherboard to handle the extra load of encrypting the whole drive. Unless you have one of those, I really would stay away from total disk encryption. It is just too processor intensive, and frankly unnecessary. I would only encrypt directories that contain user data.
Also look at it this way. Even if you encrypt, you are still only as safe as the password you set for the encryption. So, make sure that you use a strong password for the directories that you do encrypt. Also, make sure that the password is not the same as the Login password. This way, you have a second layer of security.
Thanks both for the enlightenment. Does that also mean that no data is stored in other locations (also not in /temp) during a crash, for example? = If I only encrypt your suggested locations, there is no possibility that personal data is in any way stored outside those locations?
You can set /tmp to be stored in RAM (it generally is not bigger than 40-50kB, at least in my case). Secondly, you could use a file on a USB stick to unblock the encrypted partitions; no USB stick, no worries that the passphrase is too simple. I did the same with my system: I made a key file on an additionally encrypted partition which I decrypt using a file on a stick, and then use the key file from the encrypted partition on my USB stick to mount encrypted partitions on my hard disk.
Of course I keep the key online as a backup and on a CD as an encrypted rar file with a looooooooooooooooooong passphrase.
That way even if you would get a keylogger it wouldn’t get the password you type in to unlock the encrypted partitions so it is a tad safer.
You could encrypt the temp folder in addition to the data folders. You would see a performance hit, but nothing like you would see if you encrypted the whole drive.
Now that I’m trying to set up my fully encrypted openSuSE 11.2, it’s time to join this thread.
Unfortunately not by saying “Everything’s fine” :(.
I tried to use the new option “LVM-based”-partitioning along with “Encrypt volume-group”. Therefore openSuSE should use 99,24 free GB after the first (windows 7) partition on my laptop.
What happens instead? openSuSE creates the following setup:
Look, there are so many partition setups that it is crazy to make it work with everyone. I have set my system to use FULL encryption myself WITHOUT using suggested partitioning. It is dead easy to accomplish this. You simply have to create an LVM partition (instead of choosing a filesystem you choose type LVM and tick Encrypt below), then you give your password and then you do it as you like it.
Wrong. There’s a lot of interesting stuff in /tmp too.
Anyway, there’s people concerned more about security than battery life, which heavily depends on usage pattern anyway.
Btw, having binaries and libs encrypted is a low overhead since after the first open they’re cached anyway.
I don’t believe the original question was answered (or at least answered in a way a beginner penguin can digest).
Full disk encryption in 11.2 is possible only on top of LVM. So you will have to read docs on how to configure LVM too. In brief:
1). The easiest method is to use the automatic partition proposal. Click ‘Create LVM-based proposal’ and select the ‘Encrypt Volume Group’ checkbox near it.
2). If for some reason the automatically generated proposal is not good enough (and if the disk is not empty then it seldom works for your needs) then you have to take the hard way:
Create on your disk two partitions: a small one (50-100 Mb) for initial boot and another to hold all data to be encrypted
Edit small one: format it (default Ext4 is good), do NOT encrypt it, mark it to be mounted as /boot
Edit bigger partition: do NOT format or mount it. Specify this partition as File System ID 0x8E (Linux LVM). Select checkbox ‘encrypt device’ on the same screen.
After this you have to create LVM on this partition ‘as usual’. Refer to documentation but the idea is:
o Select ‘Volume Manager’ -> Add Volume Group. Add partition you created to the group.
o Add Logical Volume(s) to this group. Format and mount them as you would like to see them. There is no need to encrypt these individual volumes.
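
To check the result of the layout described above, and to answer the earlier question about data landing outside the encrypted area: an added example, not part of any post in this thread, that lists which mount points are not backed by an encrypted layer. It assumes util-linux `lsblk` with the KNAME, PKNAME, TYPE and MOUNTPOINT columns; both sample outputs are constructed.

```python
import re

# Constructed sample: plain /boot plus an encrypted LVM volume group,
# in the form printed by `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`.
SAMPLE_FULL = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
'''

# Constructed sample: only /home encrypted, so / (with /tmp) and swap are plain.
SAMPLE_HOME_ONLY = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT="/home"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse(text):
    """Map each kernel device name to its type, mount point and parents."""
    devs = {}
    for line in text.splitlines():
        row = dict(PAIR.findall(line))
        if "KNAME" not in row:
            continue
        dev = devs.setdefault(row["KNAME"], {"type": row["TYPE"],
                              "mount": row["MOUNTPOINT"], "parents": set()})
        if row["PKNAME"]:
            dev["parents"].add(row["PKNAME"])
    return devs

def is_encrypted(devs, name):
    """True if the device is a crypt mapping or all its parents are encrypted."""
    dev = devs.get(name)
    if dev is None:
        return False
    if dev["type"] == "crypt":
        return True
    return bool(dev["parents"]) and all(is_encrypted(devs, p) for p in dev["parents"])

def plaintext_mounts(text):
    """Mount points (and swap) whose storage never passes through a crypt layer."""
    devs = parse(text)
    return sorted(d["mount"] for k, d in devs.items()
                  if d["mount"] and not is_encrypted(devs, k))

if __name__ == "__main__":
    print(plaintext_mounts(SAMPLE_FULL), plaintext_mounts(SAMPLE_HOME_ONLY))
```

On a live system, pass the output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` to `plaintext_mounts`; with the layout from this post only /boot should be listed.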
Be careful with this. I tried this last month and it completely screwed up CD/DVD writing as it uses /tmp by default (and K3B wouldn’t allow me to change it!). It took me ages to figure out why because I forgot about changing /tmp to be a RAM disk!
Also video encoding, audio processing, image apps can be affected too.
Thanks, this was helpful and finally I did it. It is quite easy in fact and a 20 second solution if you know how to:
Choose “Create partition setup”, then “Use entire hard disk”.
Then select “Propose separate home partition, Create LVM Based Proposal, and Encrypt Volume”.
Then entering a password is it.
Beginners like me - and I will need a long time to increase my level of expertise - would be helped greatly if the description or “help” would explain such a procedure much more clearly. However, this way it works perfectly but it took me hours to figure this out. A better description during the installation process would make this a 20 second solution. So if programmers out there would think of non-technicians like me, this would be of tremendous help.
Nevertheless, the advice I get on this forum is really great, even if sometimes it first circles around a problem. So thanks to everybody!