From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] crypt my home repository
Date: Mon, 02 Jan 2012 13:37:12 +0100 [thread overview]
Message-ID: <4F01A4F8.50209@binarywings.net> (raw)
In-Reply-To: <201201021237.01284.stephane@22decembre.eu>
On 02.01.2012 12:36, Stéphane Guedon wrote:
> On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
>> On 02.01.2012 09:07, Stéphane Guedon wrote:
>>> Hi all
>>>
>>> I may be asking something already discussed, but I can't find any good
>>> documentation. I am wondering how to secure my home repository on my
>>> laptop. I am thinking of cryptography and other things (the password
>>> decrypts the repository and allows reading the files...).
>>>
>>> What tool should I use for this? Does anybody know a good doc (in French
>>> would be really good)?
>>>
>>> I am not really paranoid, but I now work in a quite important
>>> environment and want any data I get out to be secured...
>>
>> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
>> device under the actual file system. Gentoo wiki has some tutorials on
>> it (although you don't need much of it): [1] [2]
>>
>> If you only want to encrypt your home partition, you only need to follow
>> these steps:
>>
>> 1. Create an encrypted partition (see `man cryptsetup`)
>> 2. Move /home/* over to it (don't forget backup)
>> 3. Configure /etc/conf.d/dmcrypt
>> 4. Add /etc/init.d/dmcrypt to boot runlevel
>>
>> Then the init script will ask you for the password at boot. dm-crypt
>> allows multiple passwords per partition so that different users can have
>> different passwords.
>>
>> The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
>> It allows you to use the login password to automatically decrypt a
>> partition and mount it as /home/$user. [2] has a section about it.
>> However, this breaks easily and is pretty hard to administrate if you
>> have no experience with dm-crypt and pam. I recommend the first solution.
>>
>> [1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>> [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
>>
>> Regards,
>> Florian Philipp
>
> Is this solution (the first one) easily integrated into some environment
> (KDE)?
>
> I don't want to have numerous passwords (one to decrypt, another to open the
> desktop session as usual...), plus my wife would argue, with some reason, that I am
> always hacking the computer whereas we are just using it to watch movies...
> (she uses the computer also, but in a much more used way, so any solution has
> to be comfortable for her too!)
>
Well, it is partially integrated: when it is not /home/* but some other
partition/external disk, then KDE supports decrypting it when you mount
it (like memory sticks). It can also save the password in kwallet. Gnome
can do the same. However, if you want to use it for /home/* and don't
want to enter the password twice, you should use pam_mount.

One alternative: the dmcrypt init script also supports key files. I
believe it is possible to put a key file on a USB stick; the init
script waits until the stick is attached, then mounts it and uses the
file to decrypt the partition. It's a poor man's smartcard, just without
a PIN.

That way, you don't need to enter the password, just take care of that
stick. You can also encrypt the key file with GPG, but then you need to
enter the password for that file.

Regards,
Florian Philipp
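The four steps Florian lists above (LUKS partition, moving /home over, /etc/conf.d/dmcrypt, the boot runlevel) together with the USB key-file variant from this reply, written out as an added shell example; it is not code from the thread or from the Gentoo project. The device names /dev/sdX3 and /dev/sdY1 are placeholders, and the conf.d key names (target, source, key, remdev) and the ':removable' / ':gpg' key suffixes are reproduced from memory of the comments in Gentoo's /etc/conf.d/dmcrypt rather than taken from the thread, so verify them against the file on your own system. With DRY_RUN=1 the privileged commands are printed instead of run.

```shell
#!/bin/sh
# Added example, not code from the thread: Florian's four steps for an
# encrypted /home (LUKS partition, move /home, /etc/conf.d/dmcrypt, boot
# runlevel) plus the USB key-file variant, as shell functions. Assumptions:
# an OpenRC/Gentoo box; /dev/sdX3 (home partition) and /dev/sdY1 (USB stick)
# are placeholders; the conf.d keys target/source/key/remdev and the
# ':removable' / ':gpg' key suffixes are reproduced from memory of the
# comments in Gentoo's /etc/conf.d/dmcrypt, so check them against your copy.
# With DRY_RUN=1 every privileged command is printed instead of executed.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2: format the partition as LUKS (the first passphrase is set
# here), unlock it, create a file system and copy the existing /home over.
# Take a backup of /home first; nothing in this function does that for you.
luks_home_setup() {
    dev=$1          # e.g. /dev/sdX3 (placeholder)
    name=${2:-home} # mapping name, appears as /dev/mapper/$name
    run cryptsetup luksFormat "$dev"
    run cryptsetup luksOpen "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p /mnt/newhome
    run mount "/dev/mapper/$name" /mnt/newhome
    run rsync -aHAX /home/ /mnt/newhome/
    run umount /mnt/newhome
    run cryptsetup luksClose "$name"
}

# A second passphrase for another user: LUKS has several key slots, and
# luksAddKey asks for an existing passphrase before adding the new one.
luks_add_passphrase() {
    run cryptsetup luksAddKey "$1"
}

# "Poor man's smartcard": a random key file created under a restrictive
# umask so it is never world-readable, then enrolled in its own key slot.
# Whoever holds the stick can unlock the disk (no PIN), so keep it with you
# and keep a passphrase slot as fallback for the day the stick is lost.
make_keyfile() {
    path=$1
    size=${2:-4096}
    ( umask 077; head -c "$size" /dev/urandom > "$path" )
    chmod 0400 "$path"
}

luks_add_keyfile() {
    run cryptsetup luksAddKey "$1" "$2"   # device, key file
}

# Step 3: print the /etc/conf.d/dmcrypt stanza. With ':removable' the init
# script waits for remdev, mounts it and reads the key from that path on the
# stick; with ':gpg' the key file is GPG-encrypted and the script asks for
# the GPG passphrase at boot instead (key names are an assumption, see top).
dmcrypt_stanza() {
    target=$1; src=$2; keyfile=${3:-}; remdev=${4:-}; keytype=${5:-removable}
    printf 'target=%s\n' "$target"
    printf "source='%s'\n" "$src"
    if [ -n "$keyfile" ]; then
        printf "key='%s:%s'\n" "$keyfile" "$keytype"
        if [ -n "$remdev" ]; then
            printf "remdev='%s'\n" "$remdev"
        fi
    fi
}

# Step 4: start the dmcrypt service in the boot runlevel.
dmcrypt_enable() {
    run rc-update add dmcrypt boot
}

# Walk-through without touching any device:  sh luks-home.sh --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    DRY_RUN=1
    luks_home_setup /dev/sdX3 home
    luks_add_keyfile /dev/sdX3 /media/usb/homekey
    dmcrypt_stanza home /dev/sdX3 /homekey /dev/sdY1
    dmcrypt_enable
fi
```

The key file is a bearer token: whoever has the stick can unlock /home, which is exactly the "no PIN" trade-off Florian describes, so keep at least one passphrase slot enrolled as well (`cryptsetup luksDump /dev/sdX3` lists the occupied slots) and revoke a lost stick's slot with `cryptsetup luksRemoveKey`. The GPG-encrypted variant gets the PIN back at the price of a passphrase prompt at boot.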
Thread overview: 13+ messages
2012-01-02 8:07 [gentoo-user] crypt my home repository Stéphane Guedon
2012-01-02 9:23 ` Kfir Lavi
2012-01-02 10:49 ` Florian Philipp
2012-01-02 11:01 ` Florian Philipp
2012-01-02 11:36 ` Stéphane Guedon
2012-01-02 12:37 ` Florian Philipp [this message]
2012-01-02 12:58 ` Neil Bothwick
2012-01-02 13:12 ` Stéphane Guedon
2012-01-02 13:29 ` Neil Bothwick
2012-01-02 14:26 ` Florian Philipp
2012-01-02 17:06 ` Neil Bothwick
2012-01-02 18:16 ` Kfir Lavi
2012-01-02 16:17 ` Stéphane Guedon