From: Florian Philipp
Date: Mon, 02 Jan 2012 11:49:11 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] crypt my home repository
Message-ID: <4F018BA7.1000207@binarywings.net>

On 02.01.2012 09:07, Stéphane Guedon wrote:
> Hi all
>
> I may ask something already discussed, but I can't find any good documentation.
> I am wondering of how to secure my home repository on my laptop. I am thinking
> of cryptography and other things (the password uncrypt the repository and
> allows to read files...).
>
> What tool to use for ? Anybody knows a good doc (in French would be really
> good) ?
>
> I am not really paranoid, but I work now in a quite important environment
> and want any data I get out to be secured...

I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
device under the actual file system. Gentoo wiki has some tutorials on
it (although you don't need much of it): [1] [2]

If you only want to encrypt your home partition, you only need to follow
these steps:
1. Create an encrypted partition (see `man cryptsetup`)
2. Move /home/* over to it (don't forget backup)
3. Configure /etc/conf.d/dmcrypt
4. Add /etc/init.d/dmcrypt to boot runlevel

Then the init script will ask you for the password at boot. dm-crypt
allows multiple passwords per partition so that different users can have
different passwords.

The alternative to the dmcrypt init script is to use
sys-auth/pam_mount. It allows you to use the login password to
automatically decrypt a partition and mount it as /home/$user. [2] has a
section about it. However, this breaks easily and is pretty hard to
administrate if you have no experience with dm-crypt and pam. I
recommend the first solution.

[1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
[2] http://en.gentoo-wiki.com/wiki/DM-Crypt

Regards,
Florian Philipp
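
The four steps from the reply above, written out as an added shell example that is not part of the original mail. The partition `/dev/sdX3`, the mapping name `home`, ext4 and the mount point `/mnt/newhome` are assumptions; the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example; DEV, NAME, ext4 and /mnt/newhome are assumptions.
set -e
DEV="${DEV:-/dev/sdX3}"     # placeholder: partition that will hold /home
NAME="${NAME:-home}"        # mapping name, appears as /dev/mapper/home
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the commands

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 3: stanza for /etc/conf.d/dmcrypt. With no key= line the init
# script asks for the passphrase on the console at boot.
dmcrypt_stanza() {
    printf "target=%s\nsource='%s'\n" "$1" "$2"
}

# True if device $1 is listed in the mounts table $2 (default /proc/mounts).
is_mounted() {
    awk -v d="$1" '$1 == d { f = 1 } END { exit !f }' "${2:-/proc/mounts}" 2>/dev/null
}

encrypt_home() {
    # luksFormat destroys existing data: never run it on a mounted device.
    if is_mounted "$DEV"; then
        echo "refusing: $DEV is mounted" >&2; return 1
    fi
    # Step 1: create the LUKS container, open it, put a file system on it.
    run cryptsetup luksFormat "$DEV"
    run cryptsetup luksOpen "$DEV" "$NAME"
    run mkfs.ext4 "/dev/mapper/$NAME"
    # Step 2: copy /home across (after a backup), preserving attributes.
    run mkdir -p /mnt/newhome
    run mount "/dev/mapper/$NAME" /mnt/newhome
    run cp -a /home/. /mnt/newhome/
    # Step 3: tell the init script which device to unlock.
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ append to /etc/conf.d/dmcrypt:"; dmcrypt_stanza "$NAME" "$DEV"
    else
        dmcrypt_stanza "$NAME" "$DEV" >> /etc/conf.d/dmcrypt
    fi
    # Step 4: unlock during the boot runlevel.
    run rc-update add dmcrypt boot
    # Optional: add a second passphrase for another user (extra key slot).
    run cryptsetup luksAddKey "$DEV"
}

encrypt_home
```

After a real run, `/etc/fstab` still needs an entry that mounts `/dev/mapper/home` on `/home`.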