On 2010-07-05 05:16 GMT michalng wrote:
>> if you want, I can explain the manual method
> - If you can spare the time, this will definitely be preferred. A good
> chance for learning 
Ok, here I go 
> One more question, assuming I’ve got the partition (/dev/sda3) all
> setup properly with encryption in openSUSE 11.2
> When the next openSUSE release comes out, how can I reuse (without
> reformatting) the partition and keeping all data?
If you upgrade, you don’t have to do anything. If you install fresh,
provided you don’t delete the partition, you just need to add two
entries to two config files. However, this depends on the kernel
people and other devs not making some drastic change in the future; for
this we don’t have guarantees. There have been some in the past, and I
could keep using the old partition and eventually reformat in the new
style. Who knows… Linux is a moving target.
> Is it advisable to setup /dev/sda3 as the /home folder so that I can
> save the time of setting up the accounts again after every new
> reinstallation?
You mean having the encrypted partition sda3 as /home, everybody under
it? Yes, you can do that. Which is different from setting an encrypted
home: with this, that user has his own encrypted home and is prompted
for the password when he logs in (I think, I don’t use that system).
The other method encrypts an entire partition and the password prompt
is asked for during boot.
Procedure:
optional: Erase and randomize the 1st 500 MB of partition (it can be
very slow)
time dd if=/dev/urandom of=/dev/sdXY bs=1M count=500
format encrypted space:
time cryptsetup -v --key-size 256 luksFormat /dev/sdXY
it will ask for the pass phrase twice.
view info:
cryptsetup luksDump /dev/sdXY
open and associate with a mapped device:
cryptsetup luksOpen /dev/sdXY cr_some_name
view status:
cryptsetup status /dev/mapper/cr_some_name
create a file system on it. This example uses reiserfs, you can use
whatever you like.
mkfs.reiserfs -l A_LAbel /dev/mapper/cr_some_name
Verify:
file -s /dev/mapper/cr_some_name
cryptsetup status cr_some_name
remove association:
cryptsetup remove cr_some_name
Configuration files:
/etc/crypttab: (one line, it wraps on mail)
cr_some_name /dev/disk/by-uuid/whateveruuidthepartitionhas none noauto
/etc/fstab: (one line)
/dev/mapper/cr_some_name /mountpoint reiserfs noatime,user,noauto,acl,user_xattr,nofail 1 5
run:
rccrypto status
rccrypto start cr_some_name
rccrypto stop cr_some_name
automate on boot:
chkconfig boot.crypto
if off, then:
chkconfig boot.crypto on
and change the noauto to auto on crypttab.
Notice that if you give the wrong passphrase it will not tell you so,
the error is confusing (on purpose, I think). You have to look at the
logs to guess if it is a real error or a bad passphrase.
If you encrypt /home, and give a bad password, and booting continues,
you will not notice anything on the kdm/gdm prompt. Worse, you might be
able to log in… on an empty space. On the other hand, you can create,
on the root filesystem, a fake /home/ tree, with users and files, so
that if somebody steals your machine he will think that is what is
there to see. Only when you give the correct password will the real
home be mounted, on top of the fake one.
Also, beware that once mounted, although the on-disk data is encrypted,
it is accessible, in clear, to anyone having permission (unix style) to
read it.
HTH
If you encrypt external media, it is recognized on plug-in: both gnome
and kde should prompt for the passphrase. This is the advantage of the
LUKS type.
Another day I can explain how to create encrypted DVDs with this
method, if anybody is interested.
There is a trick I don’t know: the best recommended method is to have
both a password and a key on external media (usb stick, memory card,
whatever). To get at your data they would need those three things: the
encrypted data, the key, and the pass-phrase.
–
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 “Emerald” GM (Elessar))
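An added shell example, not from Carlos's post: it turns the two config entries from the procedure and the "bad passphrase, empty /home" caveat into small checkable functions. The mapping name cr_home, the UUID and the mount table are constructed placeholders.

```shell
#!/bin/sh
# Helpers for the two config entries and the "silently failed unlock"
# caveat from the post. Device name, UUID and mount table below are
# constructed placeholders, not real system values.

# crypttab_line NAME UUID MODE: MODE is "noauto" (unlock by hand with
# rccrypto start) or "auto" (boot.crypto unlocks it at boot).
crypttab_line() {
    printf '%s /dev/disk/by-uuid/%s none %s\n' "$1" "$2" "$3"
}

# fstab_line NAME MOUNTPOINT FSTYPE: same options as the post; nofail
# lets boot continue if the mapping was never opened.
fstab_line() {
    printf '/dev/mapper/%s %s %s noatime,user,noauto,acl,user_xattr,nofail 1 5\n' \
        "$1" "$2" "$3"
}

# set_auto NAME: read crypttab text on stdin, switch NAME's 4th field
# from noauto to auto, print everything else unchanged.
set_auto() {
    awk -v n="$1" '$1 == n && $4 == "noauto" { $4 = "auto" } { print }'
}

# mount_backed_by_mapper NAME MOUNTPOINT: read /proc/mounts text on stdin,
# succeed only if MOUNTPOINT is mounted from /dev/mapper/NAME. After a bad
# passphrase /home is just an empty directory on the root fs and this fails.
mount_backed_by_mapper() {
    awk -v dev="/dev/mapper/$1" -v mp="$2" \
        '$1 == dev && $2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of /proc/mounts after a successful unlock.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/cr_home /home reiserfs rw,noatime 0 0'

# Demo: print the two entries, flip noauto to auto, then check the mount.
crypttab_line cr_home 0000-CONSTRUCTED-UUID noauto
fstab_line cr_home /home reiserfs
crypttab_line cr_home 0000-CONSTRUCTED-UUID noauto | set_auto cr_home
if printf '%s\n' "$SAMPLE_MOUNTS" | mount_backed_by_mapper cr_home /home; then
    echo "/home is backed by the LUKS mapping"
else
    echo "WARNING: /home is not the encrypted volume" >&2
fi
```

Run the last check against the real /proc/mounts from a login script to catch the case where boot carried on after a wrong passphrase.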