From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] crypt my home repository
Date: Mon, 02 Jan 2012 11:49:11 +0100
Message-ID: <4F018BA7.1000207@binarywings.net>
In-Reply-To: <201201020907.55698.stephane@22decembre.eu>
On 02.01.2012 09:07, Stéphane Guedon wrote:
> Hi all
>
> I may ask something already discussed, but I can't find any good documentation.
> I am wondering how to secure my home repository on my laptop. I am thinking
> of cryptography and other things (the password uncrypt the repository and
> allows to read files...).
>
> What tool to use for? Anybody knows a good doc (in French would be really
> good)?
>
> I am not really paranoid, but I work now in a quite important environment
> and want any data I get out to be secured...

I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
device under the actual file system. Gentoo wiki has some tutorials on
it (although you don't need much of it): [1] [2]

If you only want to encrypt your home partition, you only need to follow
these steps:

1. Create an encrypted partition (see `man cryptsetup`)
2. Move /home/* over to it (don't forget backup)
3. Configure /etc/conf.d/dmcrypt
4. Add /etc/init.d/dmcrypt to boot runlevel

Then the init script will ask you for the password at boot. dm-crypt
allows multiple passwords per partition so that different users can have
different passwords.

The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
It allows you to use the login password to automatically decrypt a
partition and mount it as /home/$user. [2] has a section about it.
However, this breaks easily and is pretty hard to administrate if you
have no experience with dm-crypt and pam. I recommend the first solution.

[1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
[2] http://en.gentoo-wiki.com/wiki/DM-Crypt

Regards,
Florian Philipp
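
The four steps from the message above, written out as a script. This is an added example, not part of Florian's message. The device `/dev/sdXN` is a placeholder, and the mapping name `home`, the ext4 file system and the staging mount point `/mnt/newhome` are assumptions; by default the script only prints the commands.

```sh
#!/bin/sh
# Added example: the four steps as a script. Prints the commands by default.
# Assumptions (not from the message): /dev/sdXN is a placeholder device,
# mapping name "home", ext4, staging mount point /mnt/newhome.
HOME_DEV="${HOME_DEV:-/dev/sdXN}"     # spare partition, will be overwritten
MAP_NAME="${MAP_NAME:-home}"          # opened as /dev/mapper/$MAP_NAME
STAGE_DIR="${STAGE_DIR:-/mnt/newhome}"
DRY_RUN="${DRY_RUN:-1}"               # 1 = print only, 0 = execute

run() {                               # show each command, execute if DRY_RUN=0
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

encrypt_home() {
    # When really executing, refuse anything that is not a block device.
    if [ "$DRY_RUN" != 1 ] && [ ! -b "$HOME_DEV" ]; then
        echo "refusing: $HOME_DEV is not a block device" >&2
        return 1
    fi
    # 1. Create the encrypted partition and a file system inside it.
    run cryptsetup luksFormat "$HOME_DEV"
    run cryptsetup luksOpen "$HOME_DEV" "$MAP_NAME"
    run mkfs.ext4 "/dev/mapper/$MAP_NAME"
    # 2. Copy /home over (after a backup), keeping owners, modes and dotfiles.
    run mkdir -p "$STAGE_DIR"
    run mount "/dev/mapper/$MAP_NAME" "$STAGE_DIR"
    run cp -a /home/. "$STAGE_DIR/"
    run umount "$STAGE_DIR"
    # 3. Tell the dmcrypt init script what to open, and mount it on /home.
    run sh -c "printf 'target=%s\nsource=%s\n' '$MAP_NAME' '$HOME_DEV' >> /etc/conf.d/dmcrypt"
    run sh -c "echo '/dev/mapper/$MAP_NAME /home ext4 defaults 0 2' >> /etc/fstab"
    # 4. Start dmcrypt in the boot runlevel; it prompts for the passphrase.
    run rc-update add dmcrypt boot
    # Optional: add a second passphrase for another user.
    run cryptsetup luksAddKey "$HOME_DEV"
}

encrypt_home
```

Set `DRY_RUN=0` and `HOME_DEV` to the real partition to execute it as root; `luksFormat` destroys whatever is on that partition.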