* [gentoo-user] crypt my home repository
From: Stéphane Guedon @ 2012-01-02 8:07 UTC
To: gentoo-user

Hi all

I may ask something already discussed, but I can't find any good documentation.
I am wondering of how to secure my home repository on my laptop. I am thinking
of cryptography and other things (the password uncrypt the repository and
allows to read files...).

What tool to use for? Anybody knows a good doc (in French would be really
good)?

I am not really paranoid, but I work now in a quite important environment
and want any data I get out to be secured...

--
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf

* Re: [gentoo-user] crypt my home repository
From: Kfir Lavi @ 2012-01-02 9:23 UTC
To: gentoo-user

On Mon, Jan 2, 2012 at 10:07 AM, Stéphane Guedon <stephane@22decembre.eu> wrote:
> Hi all
>
> I may ask something already discussed, but I can't find any good
> documentation.
> I am wondering of how to secure my home repository on my laptop. I am
> thinking of cryptography and other things (the password uncrypt the
> repository and allows to read files...).
>
> What tool to use for? Anybody knows a good doc (in French would be really
> good)?
>
> I am not really paranoid, but I work now in a quite important environment
> and want any data I get out to be secured...
> --
> Stéphane Guedon
> http://www.22decembre.eu/
> http://lectures.22decembre.eu/
> business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf

You can use 'encfs'. It is really trivial.
You need to create a directory where you will put the encrypted files like
this:

encfs ~/.encdir ~/workdir

Read this for a lot more info:
http://movingtofreedom.org/2007/02/21/howto-encfs-encrypted-file-system-in-ubuntu-and-fedora-gnu-linux/

But, what I told you is basically what you need.

Regards,
Kfir

* Re: [gentoo-user] crypt my home repository
From: Florian Philipp @ 2012-01-02 10:49 UTC
To: gentoo-user

On 02.01.2012 09:07, Stéphane Guedon wrote:
> Hi all
>
> I may ask something already discussed, but I can't find any good documentation.
> I am wondering of how to secure my home repository on my laptop. I am thinking
> of cryptography and other things (the password uncrypt the repository and
> allows to read files...).
>
> What tool to use for? Anybody knows a good doc (in French would be really
> good)?
>
> I am not really paranoid, but I work now in a quite important environment
> and want any data I get out to be secured...

I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
device under the actual file system. Gentoo wiki has some tutorials on
it (although you don't need much of it): [1] [2]

If you only want to encrypt your home partition, you only need to follow
these steps:

1. Create an encrypted partition (see `man cryptsetup`)
2. Move /home/* over to it (don't forget backup)
3. Configure /etc/conf.d/dmcrypt
4. Add /etc/init.d/dmcrypt to boot runlevel

Then the init script will ask you for the password at boot. dm-crypt
allows multiple passwords per partition so that different users can have
different passwords.

The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
It allows you to use the login password to automatically decrypt a
partition and mount it as /home/$user. [2] has a section about it.
However, this breaks easily and is pretty hard to administrate if you
have no experience with dm-crypt and pam. I recommend the first solution.

[1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
[2] http://en.gentoo-wiki.com/wiki/DM-Crypt

Regards,
Florian Philipp

* Re: [gentoo-user] crypt my home repository
From: Florian Philipp @ 2012-01-02 11:01 UTC
To: gentoo-user

On 02.01.2012 11:49, Florian Philipp wrote:
> On 02.01.2012 09:07, Stéphane Guedon wrote:
>> Hi all
>>
>> I may ask something already discussed, but I can't find any good documentation.
>> I am wondering of how to secure my home repository on my laptop. I am thinking
>> of cryptography and other things (the password uncrypt the repository and
>> allows to read files...).
>>
>> What tool to use for? Anybody knows a good doc (in French would be really
>> good)?
>>
>> I am not really paranoid, but I work now in a quite important environment
>> and want any data I get out to be secured...
>
> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
> device under the actual file system. Gentoo wiki has some tutorials on
> it (although you don't need much of it): [1] [2]
>
> If you only want to encrypt your home partition, you only need to follow
> these steps:
>
> 1. Create an encrypted partition (see `man cryptsetup`)
> 2. Move /home/* over to it (don't forget backup)
> 3. Configure /etc/conf.d/dmcrypt
> 4. Add /etc/init.d/dmcrypt to boot runlevel

5. Add it to /etc/fstab (the 'target=' line in /etc/conf.d/dmcrypt
specifies the name).

> [...]

I recommend testing it with some easily recoverable file system like
/var/tmp or /usr/src/portage.

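
Step 5 of the procedure in the two messages above is easy to get wrong: the mapping name from `target=` has to reappear in /etc/fstab as /dev/mapper/<name>, and the old line for the raw partition has to go. The script below is an added example, not part of the original thread, that checks both on constructed sample files; the `target=`/`source=` keys follow Gentoo's /etc/conf.d/dmcrypt layout, and the device /dev/sda5 and the name crypt-home are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed names: /dev/sda5, crypt-home.
# Steps 1-4 of the procedure, for reference (run as root, destroys /dev/sda5):
#   cryptsetup luksFormat /dev/sda5
#   cryptsetup luksOpen /dev/sda5 crypt-home && mkfs.ext4 /dev/mapper/crypt-home
#   (copy /home/* across, edit /etc/conf.d/dmcrypt)
#   rc-update add dmcrypt boot
# The functions below check step 5 before the first reboot.

# Print every value of key $1 (target or source) in dmcrypt conf file $2.
dmcrypt_values() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tr -d "\"'" | awk '{ print $1 }'
}

# Print the mount point fstab $2 assigns to device $1 (empty if none).
fstab_mountpoint() {
    awk -v dev="$1" '$1 == dev { print $2; exit }' "$2"
}

# Return 0 only if each target is mounted via /dev/mapper/<target> and no
# raw encrypted source device is still listed in fstab.
check_dmcrypt_fstab() {
    conf=$1; fstab=$2; bad=0
    for t in $(dmcrypt_values target "$conf"); do
        mp=$(fstab_mountpoint "/dev/mapper/$t" "$fstab")
        if [ -n "$mp" ]; then
            echo "ok: /dev/mapper/$t -> $mp"
        else
            echo "MISSING: no /dev/mapper/$t line in $fstab"; bad=1
        fi
    done
    for s in $(dmcrypt_values source "$conf"); do
        mp=$(fstab_mountpoint "$s" "$fstab")
        if [ -n "$mp" ]; then
            echo "STALE: $fstab still mounts raw device $s on $mp"; bad=1
        fi
    done
    return "$bad"
}

# Constructed sample files standing in for /etc/conf.d/dmcrypt and /etc/fstab.
write_samples() {
    cat > "$1/dmcrypt" <<'EOF'
# constructed sample
target=crypt-home
source='/dev/sda5'
EOF
    cat > "$1/fstab.good" <<'EOF'
/dev/sda1               /      ext4  noatime  0 1
/dev/mapper/crypt-home  /home  ext4  noatime  0 2
EOF
    cat > "$1/fstab.stale" <<'EOF'
/dev/sda1  /      ext4  noatime  0 1
/dev/sda5  /home  ext4  noatime  0 2
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
check_dmcrypt_fstab "$demo/dmcrypt" "$demo/fstab.good"
check_dmcrypt_fstab "$demo/dmcrypt" "$demo/fstab.stale" || echo "fix fstab first"
rm -rf "$demo"
```

On a real system the same check is `check_dmcrypt_fstab /etc/conf.d/dmcrypt /etc/fstab`, which only reads both files.
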
* Re: [gentoo-user] crypt my home repository
From: Stéphane Guedon @ 2012-01-02 11:36 UTC
To: gentoo-user

On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
> On 02.01.2012 09:07, Stéphane Guedon wrote:
> > Hi all
> >
> > I may ask something already discussed, but I can't find any good
> > documentation. I am wondering of how to secure my home repository on my
> > laptop. I am thinking of cryptography and other things (the password
> > uncrypt the repository and allows to read files...).
> >
> > What tool to use for? Anybody knows a good doc (in French would be
> > really good)?
> >
> > I am not really paranoid, but I work now in a quite important
> > environment and want any data I get out to be secured...
>
> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
> device under the actual file system. Gentoo wiki has some tutorials on
> it (although you don't need much of it): [1] [2]
>
> If you only want to encrypt your home partition, you only need to follow
> these steps:
>
> 1. Create an encrypted partition (see `man cryptsetup`)
> 2. Move /home/* over to it (don't forget backup)
> 3. Configure /etc/conf.d/dmcrypt
> 4. Add /etc/init.d/dmcrypt to boot runlevel
>
> Then the init script will ask you for the password at boot. dm-crypt
> allows multiple passwords per partition so that different users can have
> different passwords.
>
> The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
> It allows you to use the login password to automatically decrypt a
> partition and mount it as /home/$user. [2] has a section about it.
> However, this breaks easily and is pretty hard to administrate if you
> have no experience with dm-crypt and pam. I recommend the first solution.
>
> [1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
> [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
>
> Regards,
> Florian Philipp

Is this solution (the first one) easily integrated into some environment
(kde)?

I don't want to have numerous passwords (one for decrypt, one other to open the
desktop session as usual...), plus my wife would argue with some reason I am
always hacking the computer whereas we are just using it to look movies...
(she uses the computer also, but in a much more used way, so any solution has
to be comfortable to her too!)

--
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf

* Re: [gentoo-user] crypt my home repository
From: Florian Philipp @ 2012-01-02 12:37 UTC
To: gentoo-user

On 02.01.2012 12:36, Stéphane Guedon wrote:
> On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
>> On 02.01.2012 09:07, Stéphane Guedon wrote:
>>> Hi all
>>>
>>> I may ask something already discussed, but I can't find any good
>>> documentation. I am wondering of how to secure my home repository on my
>>> laptop. I am thinking of cryptography and other things (the password
>>> uncrypt the repository and allows to read files...).
>>>
>>> What tool to use for? Anybody knows a good doc (in French would be
>>> really good)?
>>>
>>> I am not really paranoid, but I work now in a quite important
>>> environment and want any data I get out to be secured...
>>
>> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
>> device under the actual file system. Gentoo wiki has some tutorials on
>> it (although you don't need much of it): [1] [2]
>>
>> If you only want to encrypt your home partition, you only need to follow
>> these steps:
>>
>> 1. Create an encrypted partition (see `man cryptsetup`)
>> 2. Move /home/* over to it (don't forget backup)
>> 3. Configure /etc/conf.d/dmcrypt
>> 4. Add /etc/init.d/dmcrypt to boot runlevel
>>
>> Then the init script will ask you for the password at boot. dm-crypt
>> allows multiple passwords per partition so that different users can have
>> different passwords.
>>
>> The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
>> It allows you to use the login password to automatically decrypt a
>> partition and mount it as /home/$user. [2] has a section about it.
>> However, this breaks easily and is pretty hard to administrate if you
>> have no experience with dm-crypt and pam. I recommend the first solution.
>>
>> [1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>> [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
>>
>> Regards,
>> Florian Philipp
>
> Is this solution (the first one) easily integrated into some environment
> (kde)?
>
> I don't want to have numerous passwords (one for decrypt, one other to open the
> desktop session as usual...), plus my wife would argue with some reason I am
> always hacking the computer whereas we are just using it to look movies...
> (she uses the computer also, but in a much more used way, so any solution has
> to be comfortable to her too!)
>

Well, it is partially integrated: When it is not /home/* but some other
partition/external disk, then KDE supports decrypting it when you mount
it (like memory sticks). It can also save the password in kwallet. Gnome
can do the same. However, if you want to use it for /home/* and don't
want to enter the password twice, you should use pam_mount.

One alternative: the dmcrypt init script also supports key files. I
believe it is possible to put a key file on a USB stick and the init
script waits until the stick is attached, then mounts it and uses the
file to decrypt the partition. It's a poor man's smartcard, just without
a PIN. That way, you don't need to enter the password, just take care of
that stick. You can also encrypt the key file with GPG, but then you
need to enter the password for that file.

Regards,
Florian Philipp

* Re: [gentoo-user] crypt my home repository
From: Neil Bothwick @ 2012-01-02 12:58 UTC
To: gentoo-user

On Mon, 02 Jan 2012 13:37:12 +0100, Florian Philipp wrote:
> Well, it is partially integrated: When it is not /home/* but some other
> partition/external disk, then KDE supports decrypting it when you mount
> it (like memory sticks). It can also save the password in kwallet. Gnome
> can do the same. However, if you want to use it for /home/* and don't
> want to enter the password twice, you should use pam_mount.

Alternatively, if you are using dmcrypt to encrypt /home, and you are the
only user, set KDE to auto-login that user. The login will fail if
dmcrypt failed to open your home partition, so one password
effectively secures it all.

--
Neil Bothwick

What did the first man to discover you can get milk from cows
think he was doing? - anon.

* Re: [gentoo-user] crypt my home repository
From: Stéphane Guedon @ 2012-01-02 13:12 UTC
To: gentoo-user

On Monday 02 January 2012 13:58:03 Neil Bothwick wrote:
> On Mon, 02 Jan 2012 13:37:12 +0100, Florian Philipp wrote:
> > Well, it is partially integrated: When it is not /home/* but some other
> > partition/external disk, then KDE supports decrypting it when you mount
> > it (like memory sticks). It can also save the password in kwallet. Gnome
> > can do the same. However, if you want to use it for /home/* and don't
> > want to enter the password twice, you should use pam_mount.
>
> Alternatively, if you are using dmcrypt to encrypt /home, and you are the
> only user, set KDE to auto-login that user. The login will fail if
> dmcrypt failed to open your home partition, so one password
> effectively secures it all.

I am not the only user!

--
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf

* Re: [gentoo-user] crypt my home repository
From: Neil Bothwick @ 2012-01-02 13:29 UTC
To: gentoo-user

On Mon, 2 Jan 2012 14:12:31 +0100, Stéphane Guedon wrote:
> > Alternatively, if you are using dmcrypt to encrypt /home, and you are
> > the only user, set KDE to auto-login that user. The login will fail if
> > dmcrypt failed to open your home partition, so one password
> > effectively secures it all.
>
> I am not the only user!

In that case, you probably want to use encfs to encrypt each home
directory separately. dmcrypt works on block devices, so a single home
partition would have a single password.

--
Neil Bothwick

With free advice you often get what you pay for.

* Re: [gentoo-user] crypt my home repository
From: Florian Philipp @ 2012-01-02 14:26 UTC
To: gentoo-user

On 02.01.2012 14:29, Neil Bothwick wrote:
> On Mon, 2 Jan 2012 14:12:31 +0100, Stéphane Guedon wrote:
>
>>> Alternatively, if you are using dmcrypt to encrypt /home, and you are
>>> the only user, set KDE to auto-login that user. The login will fail if
>>> dmcrypt failed to open your home partition, so one password
>>> effectively secures it all.
>>
>> I am not the only user!
>
> In that case, you probably want to use encfs to encrypt each home
> directory separately. dmcrypt works on block devices, so a single home
> partition would have a single password.
>

dmcrypt supports multiple simultaneous passwords (I think 4 or something
like that). Of course, then every user can unlock every home directory
and auto-login is a no-go anyway.

* Re: [gentoo-user] crypt my home repository
From: Neil Bothwick @ 2012-01-02 17:06 UTC
To: gentoo-user

On Mon, 02 Jan 2012 15:26:10 +0100, Florian Philipp wrote:
> > In that case, you probably want to use encfs to encrypt each home
> > directory separately. dmcrypt works on block devices, so a single home
> > partition would have a single password.

> dmcrypt supports multiple simultaneous passwords (I think 4 or something
> like that). Of course, then every user can unlock every home directory

Which is why I recommended ecryptfs (I've only just noticed that the
previous posts mentioned encfs, that's a FUSE filesystem that is
unnecessary now the kernel has ecryptfs included).

It's not the multiple passwords, it's separately locking each user's
data.

--
Neil Bothwick

Guillotine operator wanted. Chance to get ahead.

* Re: [gentoo-user] crypt my home repository
From: Kfir Lavi @ 2012-01-02 18:16 UTC
To: gentoo-user

On Mon, Jan 2, 2012 at 7:06 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Mon, 02 Jan 2012 15:26:10 +0100, Florian Philipp wrote:
>
> > > In that case, you probably want to use encfs to encrypt each home
> > > directory separately. dmcrypt works on block devices, so a single home
> > > partition would have a single password.
>
> > dmcrypt supports multiple simultaneous passwords (I think 4 or something
> > like that). Of course, then every user can unlock every home directory
>
> Which is why I recommended ecryptfs (I've only just noticed that the
> previous posts mentioned encfs, that's a FUSE filesystem that is
> unnecessary now the kernel has ecryptfs included).

Thanks, I didn't know about that.
I'll try that, as I'm using encfs, and basically it works flawlessly.
But running without fuse is better.
Kfir

> It's not the multiple passwords, it's separately locking each user's
> data.
>
> --
> Neil Bothwick
>
> Guillotine operator wanted. Chance to get ahead.

* Re: [gentoo-user] crypt my home repository
From: Stéphane Guedon @ 2012-01-02 16:17 UTC
To: gentoo-user

On Monday 02 January 2012 09:07:49 Stéphane Guedon wrote:
> Hi all
>
> I may ask something already discussed, but I can't find any good
> documentation. I am wondering of how to secure my home repository on my
> laptop. I am thinking of cryptography and other things (the password
> uncrypt the repository and allows to read files...).
>
> What tool to use for? Anybody knows a good doc (in French would be really
> good)?
>
> I am not really paranoid, but I work now in a quite important environment
> and want any data I get out to be secured...

Actually, there's ecryptfs, which is the one I was thinking but I didn't
remember at the beginning.

But it's quite hard to use with the doc I find!

--
Stéphane Guedon
http://www.22decembre.eu/
http://lectures.22decembre.eu/
business card: http://www.22decembre.eu/downloads/Stephane-Guedon.vcf