From: Florian Philipp
Date: Mon, 02 Jan 2012 13:37:12 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] crypt my home repository
Message-ID: <4F01A4F8.50209@binarywings.net>
In-Reply-To: <201201021237.01284.stephane@22decembre.eu>
References: <201201020907.55698.stephane@22decembre.eu> <4F018BA7.1000207@binarywings.net> <201201021237.01284.stephane@22decembre.eu>

On 02.01.2012 12:36, Stéphane Guedon wrote:
> On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
>> On 02.01.2012 09:07, Stéphane Guedon wrote:
>>> Hi all
>>>
>>> I may be asking something already discussed, but I can't find any good
>>> documentation. I am wondering how to secure my home repository on my
>>> laptop. I am thinking of cryptography and other things (the password
>>> decrypts the repository and allows reading files...).
>>>
>>> What tool to use for it? Does anybody know a good doc (in French would
>>> be really good)?
>>>
>>> I am not really paranoid, but I work now in a quite important
>>> environment and want any data I get out to be secured...
>>
>> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
>> device under the actual file system. The Gentoo wiki has some tutorials
>> on it (although you don't need much of it): [1] [2]
>>
>> If you only want to encrypt your home partition, you only need to follow
>> these steps:
>>
>> 1. Create an encrypted partition (see `man cryptsetup`)
>> 2. Move /home/* over to it (don't forget a backup)
>> 3. Configure /etc/conf.d/dmcrypt
>> 4. Add /etc/init.d/dmcrypt to the boot runlevel
>>
>> Then the init script will ask you for the password at boot. dm-crypt
>> allows multiple passwords per partition so that different users can have
>> different passwords.
>>
>> The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
>> It allows you to use the login password to automatically decrypt a
>> partition and mount it as /home/$user. [2] has a section about it.
>> However, this breaks easily and is pretty hard to administrate if you
>> have no experience with dm-crypt and pam. I recommend the first solution.
>>
>> [1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>> [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
>>
>> Regards,
>> Florian Philipp
>
> Is this solution (the first one) easily integrated into some environment
> (kde)?
>
> I don't want to have numerous passwords (one to decrypt, another to open
> the desktop session as usual...), plus my wife would argue with some
> reason that I am always hacking the computer whereas we are just using it
> to watch movies... (she uses the computer also, but in a much more used
> way, so any solution has to be comfortable for her too!)
>

Well, it is partially integrated: when it is not /home/* but some other
partition/external disk, then KDE supports decrypting it when you mount
it (like memory sticks). It can also save the password in kwallet. Gnome
can do the same.

However, if you want to use it for /home/* and don't want to enter the
password twice, you should use pam_mount.

One alternative: the dmcrypt init script also supports key files. I
believe it is possible to put a key file on a USB stick and the init
script waits until the stick is attached, then mounts it and uses the
file to decrypt the partition. It's a poor man's smartcard, just without
a PIN. That way, you don't need to enter the password, just take care of
that stick. You can also encrypt the key file with GPG, but then you need
to enter the password for that file.

Regards,
Florian Philipp
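The four steps from Florian's first reply (create the LUKS partition, move /home over, configure /etc/conf.d/dmcrypt, add dmcrypt to the boot runlevel) plus the removable key-file variant from his second, written out as an added example that is not part of the thread. It is a POSIX shell script that only prints the commands unless DRY_RUN=0 (then it needs root); the device names, mapper name and key path are placeholders, the conf.d/dmcrypt variables (target, source, key, remdev) are the ones shipped with Gentoo's cryptsetup package, and the key path being relative to the mounted removable device is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 executes them and needs root. Devices are placeholders.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1 and 2: LUKS-format the partition, open it, create a file system
# and copy /home over. Assumes /home was backed up first and that $dev is
# an unused partition: luksFormat destroys whatever is on it.
setup_luks_home() {
    dev="$1"    # e.g. /dev/sda3 (placeholder)
    name="$2"   # device-mapper name, e.g. crypt-home
    run cryptsetup luksFormat "$dev"
    run cryptsetup luksOpen "$dev" "$name"
    run mkfs.ext4 "/dev/mapper/$name"
    run mkdir -p /mnt/newhome
    run mount "/dev/mapper/$name" /mnt/newhome
    run rsync -aX /home/ /mnt/newhome/   # -a keeps owners/modes, -X keeps xattrs
    run umount /mnt/newhome
    run cryptsetup luksClose "$name"
}

# A second passphrase for another user: LUKS keeps several key slots per
# partition, so each user can have their own.
add_passphrase() { run cryptsetup luksAddKey "$1"; }

# Step 3: the stanza for /etc/conf.d/dmcrypt. With a removable device
# given, the init script waits for it and reads the key file from it
# (assumed: the key path is relative to the mounted device).
dmcrypt_conf() {
    name="$1"; dev="$2"; remdev="${3:-}"; keyfile="${4:-}"
    printf "target=%s\nsource='%s'\n" "$name" "$dev"
    if [ -n "$remdev" ]; then
        printf "remdev='%s'\nkey='%s'\n" "$remdev" "$keyfile"
    fi
}

# Step 4: start dmcrypt in the boot runlevel (OpenRC).
enable_at_boot() { run rc-update add dmcrypt boot; }

# Dry run: show the commands and the config fragment.
setup_luks_home /dev/sda3 crypt-home
dmcrypt_conf crypt-home /dev/sda3 /dev/sdb1 /home.key
enable_at_boot
```

Append the printed stanza to /etc/conf.d/dmcrypt; leave out the remdev and key lines if the partition should simply ask for the passphrase at boot.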