Is my encrypted /home partition reusable if later i reformat root with anything non-openSUSE?

Hi

When i converted my Lappy in mid-June from Maui to TW, i replaced all its SSD content with a new partition table created with the TW installer, made root use btrfs, & my separate /home partition use ext4, & set it + swap to be encrypted [only these two; deliberately not also root]. If it helps, fstab is:

/dev/mapper/cr_ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part4 swap swap defaults 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb / btrfs noatime 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /boot/grub2/i386-pc btrfs noatime,subvol=@/boot/grub2/i386-pc 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /boot/grub2/x86_64-efi btrfs noatime,subvol=@/boot/grub2/x86_64-efi 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /opt btrfs noatime,subvol=@/opt 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /srv btrfs noatime,subvol=@/srv 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /usr/local btrfs noatime,subvol=@/usr/local 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/cache btrfs noatime,subvol=@/var/cache 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/crash btrfs noatime,subvol=@/var/crash 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/libvirt/images btrfs noatime,subvol=@/var/lib/libvirt/images 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/machines btrfs noatime,subvol=@/var/lib/machines 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/mailman btrfs noatime,subvol=@/var/lib/mailman 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/mariadb btrfs noatime,subvol=@/var/lib/mariadb 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/mysql btrfs noatime,subvol=@/var/lib/mysql 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/named btrfs noatime,subvol=@/var/lib/named 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/lib/pgsql btrfs noatime,subvol=@/var/lib/pgsql 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/log btrfs noatime,subvol=@/var/log 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/opt btrfs noatime,subvol=@/var/opt 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/spool btrfs noatime,subvol=@/var/spool 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /var/tmp btrfs noatime,subvol=@/var/tmp 0 0
UUID=59c063db-fa0d-4e1e-baa2-df255f4262fb /.snapshots btrfs noatime,subvol=@/.snapshots 0 0
UUID=411E-AE07       /boot/efi            vfat       noatime,umask=0002,utf8=true 0 0
/dev/mapper/cr_ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part5 /home                ext4       noatime,acl,nofail    0 2
tmpfs                /tmp                 tmpfs      noatime,size=25%      0 

I continue to be very impressed with openSUSE Tumbleweed KDE, however i am still feeling a sense of intimidation & trepidation about my personal capability to ever properly come to grips with repo management. By that i mean as associated with installing programs that are important to me but are not in the “standard” repos [which then add additional repos, & require me to accept unsigned GPG certificates whose providence i cannot possibly attest, & then potentially / actually run into critical dependency conflicts]. I have prior fora topics on some of the issues i’ve had, entirely due to my inexperience i hasten to add [ie, i am not allocating blame beyond me], for which i have received much generous forum help. This complexity is way beyond what i am used to in the *buntu/Debian derivative world. I am trying to improve my capability, but am not yet convinced i will “get there”.

Therefore, i recognise that a time might come when i realise i am not good enough to be a competent robust oS TW user [it’s TW or nothing; i’m not interested in Leap], & when i might then reluctantly elect to return to the *buntu/Debian derivative world. That possibility has made me wonder what then might happen to my current encrypted /home partition [ie, its data, obviously].

In Maui etc, when installing or reinstalling with a separate encrypted [eCryptFS] /home partition, ALL the info needed to decrypt said partition resides in /home itself, in its .ecryptfs directory, hence reformatting root & reinstalling there is benign to any encrypted separate home. Conversely in my Lappy’s TW /home partition, i can see no comparable directory, but in root i see /etc/crypttab. I don’t really understand this file [it looks pretty innocuous when inspected in Kate], but presume it’s needed for the ongoing encryption / decryption process?? If so, then obviously any future reformat of root & new distro installation there will lose this file.

Does that mean that my /home would become effectively useless [ie, un-decryptable]? Of course i know about the general good practice of backing up home before any major system change, but i’d just like to understand the likely outcome in the scenario i described, pls.

openSUSE is using standard LUKS encryption so yes, you should be able to access your partition in any other Linux distribution as long as you know the passphrase/have the key available. It is possible that a very old cryptsetup or kernel does not support the encryption algorithms though. As long as your new distribution offers live or rescue modes, you can always check before installing.

ecryptfs is a different implementation, but you should always be able to set up usual LUKS/cryptsetup manually, even if it is not offered by the installer. You are better off asking on support forums dedicated to your new distribution how to do it.
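The check suggested above (look at the volume from the new distribution’s live or rescue media before installing) as an added example; this is not code from the thread or from openSUSE. It parses the output of `cryptsetup luksDump`, which reads only the LUKS header and needs no passphrase, and reports the header version plus the cipher and hash the target’s cryptsetup and kernel must support. The dump text is a constructed sample in the LUKS1 layout; `live_check` assumes cryptsetup is present on the live system and is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): read a `cryptsetup luksDump` header dump and
# report what a target distribution's cryptsetup/kernel must support to open the
# volume. luksDump and isLuks read only the header and need no passphrase, so this
# is safe to run from the new distribution's live media before installing.

# Constructed sample in the layout of a LUKS1 header dump (values are made up).
SAMPLE_DUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
UUID:           00000000-1111-2222-3333-444444444444

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# header_field DUMP FIELD -> value of the "FIELD:" line with leading blanks removed
header_field() {
  printf '%s\n' "$1" | awk -F: -v f="$2" '$1 == f { sub(/^[[:space:]]+/, "", $2); print $2; exit }'
}

# enabled_slots DUMP -> number of key slots marked ENABLED (LUKS1 dump layout)
enabled_slots() {
  printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED' || true
}

# portability_verdict DUMP -> one line naming the header version and what the target needs
portability_verdict() {
  v=$(header_field "$1" Version)
  case "$v" in
    1)
      c=$(header_field "$1" "Cipher name")
      m=$(header_field "$1" "Cipher mode")
      h=$(header_field "$1" "Hash spec")
      printf 'LUKS1: target needs cryptsetup and kernel support for %s-%s and %s\n' "$c" "$m" "$h"
      ;;
    2)
      # LUKS2 dumps list the cipher under "Data segments"; the header format itself
      # requires cryptsetup 2.x on the target.
      printf 'LUKS2: target needs cryptsetup 2.0 or newer\n'
      ;;
    *)
      printf 'unrecognised header version "%s"\n' "$v"
      return 1
      ;;
  esac
}

# live_check DEVICE -> run as root on the live system, e.g. live_check /dev/sda5
# (assumes cryptsetup is installed there; reads the header only)
live_check() {
  cryptsetup isLuks "$1" || { echo "$1 is not a LUKS volume"; return 1; }
  portability_verdict "$(cryptsetup luksDump "$1")"
}

# Stand-alone run against the constructed sample.
portability_verdict "$SAMPLE_DUMP"
echo "enabled key slots: $(enabled_slots "$SAMPLE_DUMP")"
```

The slot count matters too: if only one key slot is enabled and the passphrase is forgotten, no amount of distro compatibility helps, so it is worth knowing before the root partition (and its copy of crypttab) is wiped.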

On Sat, 08 Jul 2017 04:36:02 +0000, GooeyGirl wrote:

> however i am still feeling a sense of intimidation & trepidation about
> my personal capability to ever properly come to grips with repo
> management. By that i mean as associated with installing programs that
> are important to me but are not in the “standard” repos [which then add
> additional repos, & require me to accept unsigned GPG certificates whose
> providence i cannot possibly attest, & then potentially / actually run
> into critical dependency conflicts].

My rule of thumb is this:

Install from standard repos when possible; when not possible, install
from a third-party repo, but leave it disabled, unless it’s one of my own
repos (I have a couple things I use OBS to build, so I leave those repos
turned on).

There are a few exceptions I’ve applied over the years, but generally,
that’s the approach I’ve taken - and it’s worked pretty well for me.

I know that doesn’t answer your encryption question - I honestly have no
experience with using ecryptfs (for partitions I’ve encrypted, I’ve used
truecrypt in the past, and am moving to veracrypt for the future - but
they’re not my /home partition, they’re external drives that I’ve fully
encrypted at the device level as containers and then created filesystems
inside the encrypted device).

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Thanks to both of you for your replies.

You can still use that in Ubuntu.

When you install Ubuntu, make sure that you do not touch the “/home” partition. Just allow Ubuntu to ignore it. Also, when prompted whether you want an encrypted home directory, say “no”.

That will give you a “/home” that is part of the root partition.

Now you need to create “/etc/crypttab” in Ubuntu. You will need to use “sudo” of course. The “crypttab” from Tumbleweed can probably be used without change. So save that to a USB drive before you install Ubuntu. Then copy it back afterwards. Make sure that you finish up with a “crypttab” that is owned by root, and not by you.

Now reboot Ubuntu. It should prompt you for the encryption key. If that works, then you should be able to manually mount it with something like:

#  mount /dev/mapper/"some_funky_string" /mnt

where “some_funky_string” needs to be the first item in the “/etc/crypttab” entry (the first column).

If that works (and it should), then edit “/etc/fstab”. Add a line to mount “/home” from “/dev/mapper/some_funky_string”. Hmm, maybe save that line from the Tumbleweed “fstab” before you install Ubuntu.

One more reboot, and you should have that encrypted partition back for “/home”.
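nrickert’s procedure above carries two pieces of data across the reinstall: the first column of /etc/crypttab (the /dev/mapper name) and the /home line of /etc/fstab. As an added example, not code from the thread, the script below derives the test-mount command and the new fstab entry from saved copies of both files, checking that the name the fstab line refers to actually has a crypttab entry. Both files are constructed here (the /dev/disk/by-id paths and the part4 entry are assumptions), and the mount point is a parameter so the same line can be produced for /home or for the /xhome arrangement described later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): from saved copies of Tumbleweed's /etc/crypttab
# and /etc/fstab, derive the /dev/mapper name to test-mount and the fstab line to add
# on the new distribution. Both files below are constructed samples.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed crypttab: <name> <device> <keyfile> <options>. The by-id paths are
# assumptions; "none none" means "ask for the passphrase at boot, default options".
cat > "$WORK/crypttab" <<'EOF'
# <name>  <device>  <password>  <options>
cr_ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part4 /dev/disk/by-id/ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part4 none none
cr_ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part5 /dev/disk/by-id/ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part5 none none
EOF

# Constructed fstab fragment carrying the /home line quoted in the thread.
cat > "$WORK/fstab" <<'EOF'
UUID=411E-AE07 /boot/efi vfat noatime,umask=0002,utf8=true 0 0
/dev/mapper/cr_ata-SAMSUNG_SSD_PM810_2.5__256GB_snipsnipsnip-part5 /home ext4 noatime,acl,nofail 0 2
EOF

# crypttab_names CRYPTTAB -> the mapper names (first column), skipping comments and blanks
crypttab_names() {
  awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# fstab_line_for FSTAB MOUNTPOINT -> the fstab line whose mount point is MOUNTPOINT
fstab_line_for() {
  awk -v mp="$2" '!/^[[:space:]]*(#|$)/ && $2 == mp { print; exit }' "$1"
}

# mapper_name_of FSTAB_LINE -> X when the device field is /dev/mapper/X, otherwise nothing
mapper_name_of() {
  set -- $1
  case "${1:-}" in
    /dev/mapper/*) printf '%s\n' "${1#/dev/mapper/}" ;;
  esac
}

# crypttab_has CRYPTTAB NAME -> success when NAME is one of the crypttab entries
crypttab_has() {
  crypttab_names "$1" | grep -qxF -- "$2"
}

# rewrite_mount_line FSTAB_LINE NEW_MOUNTPOINT -> same device, type, options and
# dump/pass fields, new mount point (e.g. /xhome when sharing the partition between distros)
rewrite_mount_line() {
  newmp=$2
  set -- $1
  printf '%s %s %s %s %s %s\n' "$1" "$newmp" "$3" "$4" "$5" "$6"
}

# migration_plan CRYPTTAB FSTAB NEW_MOUNTPOINT -> the test-mount command and the fstab
# line for the new distribution; fails if fstab and crypttab do not agree on the name
migration_plan() {
  line=$(fstab_line_for "$2" /home)
  name=$(mapper_name_of "$line")
  [ -n "$name" ] || { echo "saved fstab does not mount /home from /dev/mapper" >&2; return 1; }
  crypttab_has "$1" "$name" || { echo "$name has no crypttab entry" >&2; return 1; }
  printf 'mount /dev/mapper/%s /mnt\n' "$name"
  rewrite_mount_line "$line" "$3"
}

# Stand-alone run: plan for mounting the partition back at /home.
migration_plan "$WORK/crypttab" "$WORK/fstab" /home
```

Run it against the real saved files (`migration_plan /media/usb/crypttab /media/usb/fstab /home`) and it prints exactly the two lines the post asks you to type and to add; the check that the name exists in crypttab catches the common mistake of copying one file but not the other. The copied crypttab still has to end up owned by root, as the post says.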

Hi nrickert

My goodness, what staggeringly good info - thanks so very much!

Um, to be clear, my current home is a separate partition, & that’s how i always prefer my partitions [irrespective of distro], not merely one large root containing everything including home. Am i misunderstanding your words, or is my preferred arrangement now unavailable [if i were to “leave”]?

Important Note: I am NOT looking to leave openSUSE Tumbleweed at the moment - in most respects it’s just great. As i have kept banging on about though in various threads, if there’s one thing that ultimately could drive me away from it, it’s my ongoing struggle with repos & non-standard programs. If i can eventually get comfortable & capable with this, then i’ll be remaining a happy TW user for the duration.

If you want to run two or more Linuxes from the same /home then it is best to use different user names, since different distros may have different versions of the desktop and other software and the configs may be different or conflicting. You can use links to share a common area for your personal stuff.

In that case:

What I do, is mount my encrypted home partition as “/xhome” in Ubuntu. And then I add symbolic links from my home directory to the “/xhome” partition. So I can share what I want to share, but have separate configurations (as in “$HOME/.config” and similar).

For example, I currently have:
lrwxrwxrwx 1 rickert users 23 Jun 22 21:40 bin -> ../../xhome/rickert/bin
lrwxrwxrwx 1 rickert users 27 Jun 22 21:40 Desktop -> ../../xhome/rickert/Desktop
lrwxrwxrwx 1 rickert users 23 Jun 22 21:40 lib -> ../../xhome/rickert/lib

That’s actually from my desktop running openSUSE 42.3 Beta. The symlinks are to the encrypted home (mounted as “/xhome”) from openSUSE 42.2.

On Sun, 09 Jul 2017 04:06:01 +0000, GooeyGirl wrote:

>> That will give you a “/home” that is part of the root partition.
>
> Um, to be clear, my current home is a separate partition, & that’s
> how i always prefer my partitions [irrespective of distro], not merely
> one large root containing everything including home. Am i
> misunderstanding your words, or is my preferred arrangement now
> unavailable [if i were to “leave”]?

I believe what he’s saying is that because you have /home on a separate
partition, when you tell Ubuntu to not create a new partition, you’re
going to ultimately be mounting the encrypted partition at /home anyway,
so there’s no need to create another partition for a new (but never-to-be-
used) /home. :-)


Jim Henderson

Again, many thanks to you all. Bit by bit i’m learning [terrible awful pun; didn’t actually realise til after writing it].

Though still not yet quite final, today i took a really major step forward in my testing & research, which has pretty much all-but eliminated staying with Maui as a viable OS for me… & hence not only keeping my Lappy on TW, but next redoing Tower as a TW box too. I’d been hanging out for the new Maui release to cure a long-term chronic KWin crash problem that’s afflicted it [Maui] since day one… but alas when i upgraded yesterday to the new version, the problem continues undiminished. In contrast, TW’s KWin on Lappy, when tested in the specific use-mode that Maui can’t handle, passes with flying colours… rock solid, not even a whiff of KWin crashing. Today via a LiveUSB i made from “openSUSE_Krypton_stable.x86_64-5.10.90-Build15.1.iso”, I was delighted to discover that the same test-mode on Tower is equally solid, cf Maui’s KWin crash. It’s now almost certain therefore that i’ll be changing Tower from Maui to TW… in which case the entire subject of this post becomes moot. Fingers pensively crossed…