[gentoo-user] Encrypted drive setup at login and locking on logout.

[gentoo-user] Encrypted drive setup at login and locking on logout.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1103 bytes --]

Howdy,

As some know, I been playing with encryption recently.  I got doing it
on the command line and using veracrypt for USB sticks down.  I use
Veracrypt for those that I want to work on windoze as well, I hope
anyway.  Now I'm moving on to something else. 

Now that I have a spare drive, I want to encrypt it and have a mount
point for it, /home/dale/documents for example.  What I'd like to do,
when I login in, it asks me for the encryption password and then mounts
it.  When I log out, it reverses.  I'm not doing all of /home because I
want to separate some info.  I may do it later. 

I did some googling but maybe my search terms aren't good enough.  I
mostly find for /home as a whole but not separate parts of it.  When I
add in Gentoo does some things differently, it may be that this isn't
even doable.  Also, my user password and password for the encryption
will be different.  I'm using KDE but anything that will work as part of
KDE or along with KDE will be fine with me. 

Does anyone have a howto they can link to?  Is this even doable? 

Thanks.

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 1435 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Francesco Turco]

On Sat, Jul 4, 2020, at 04:23, Dale wrote:
>  Now that I have a spare drive, I want to encrypt it and have a mount point for it, /home/dale/documents for example. What I'd like to do, when I login in, it asks me for the encryption password and then mounts it. When I log out, it reverses. I'm not doing all of /home because I want to separate some info. I may do it later. 

I would use LUKS (warning: all data on the spare drive will be lost):
0. Partition the spare drive: parted /dev/sdx
1. Format the drive's partition with LUKS: cryptsetup luksFormat /dev/sdxn
2. Decrypt the LUKS partition: cryptsetup luksOpen /dev/sdxn documents
3. Create a filesystem on the decrypted partition: mke2fs -t ext4 -m 0 /dev/mapper/documents
4. Add the new filesystem to /etc/fstab (use the UUID for easier matching)
5. Mount the filesystem: mount /home/dale/documents

In order to close the filesystem, you need the following steps:
1. Unmount the filesystem: umount /home/dale/documents
2. Lock the LUKS partition: cryptsetup luksClose documents

Since you use KDE you may try Vault instead, but I haven't tested that personally.

-- 
https://fturco.net/

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Michael]

[-- Attachment #1: Type: text/plain, Size: 1706 bytes --]

On Saturday, 4 July 2020 04:49:07 BST Francesco Turco wrote:
> On Sat, Jul 4, 2020, at 04:23, Dale wrote:
> >  Now that I have a spare drive, I want to encrypt it and have a mount
> >  point for it, /home/dale/documents for example. What I'd like to do,
> >  when I login in, it asks me for the encryption password and then mounts
> >  it. When I log out, it reverses. I'm not doing all of /home because I
> >  want to separate some info. I may do it later.
> I would use LUKS (warning: all data on the spare drive will be lost):
> 0. Partition the spare drive: parted /dev/sdx
> 1. Format the drive's partition with LUKS: cryptsetup luksFormat /dev/sdxn
> 2. Decrypt the LUKS partition: cryptsetup luksOpen /dev/sdxn documents
> 3. Create a filesystem on the decrypted partition: mke2fs -t ext4 -m 0
> /dev/mapper/documents 4. Add the new filesystem to /etc/fstab (use the UUID
> for easier matching) 5. Mount the filesystem: mount /home/dale/documents
> 
> In order to close the filesystem, you need the following steps:
> 1. Unmount the filesystem: umount /home/dale/documents
> 2. Lock the LUKS partition: cryptsetup luksClose documents
> 
> Since you use KDE you may try Vault instead, but I haven't tested that
> personally.

As I understand it the KDE Vaults is a filesystem-level encryption scheme, 
using CryFS or EncFS, one of which has had no independent security audit and 
the other which has had a number of security weaknesses reported.  Either way, 
they can be used to encrypt directories or individual files and are 
potentially useful for storing your encrypted data on the cloud - should you 
want to store your *private* and potentially precious data on someone else's 
computers.  o_O

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1978 bytes --]

Dale wrote:
> Howdy,
>
> As some know, I been playing with encryption recently.  I got doing it
> on the command line and using veracrypt for USB sticks down.  I use
> Veracrypt for those that I want to work on windoze as well, I hope
> anyway.  Now I'm moving on to something else. 
>
> Now that I have a spare drive, I want to encrypt it and have a mount
> point for it, /home/dale/documents for example.  What I'd like to do,
> when I login in, it asks me for the encryption password and then
> mounts it.  When I log out, it reverses.  I'm not doing all of /home
> because I want to separate some info.  I may do it later. 
>
> I did some googling but maybe my search terms aren't good enough.  I
> mostly find for /home as a whole but not separate parts of it.  When I
> add in Gentoo does some things differently, it may be that this isn't
> even doable.  Also, my user password and password for the encryption
> will be different.  I'm using KDE but anything that will work as part
> of KDE or along with KDE will be fine with me. 
>
> Does anyone have a howto they can link to?  Is this even doable? 
>
> Thanks.
>
> Dale
>
> :-)  :-) 


Digging around I found these. 

[ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
[ebuild  N     ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
-systemd" 533 KiB

Looking at the info I've found tho, I don't think it will do what I'm
looking for.  Has anyone used either of these in the past?  If so, does
one of these do what I'm looking for?

I'm surprised someone hasn't come up with this before.  Surely I'm not
the only one who would like a automatic way to decrypt, mount, umount
and encrypt with some sort of automated process.  Sort of like a USB
stick only with encryption. 

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 2792 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[William Kenworthy]

Hi Dale, I looked at Veracrypt and ran into the fact that it on windows
Veracrypt MUST be installed by an administrator which is a blocker for
using USB keys on computers I don't control (such as transporting files
securely between locations - i.e., where there is potential to lose the
usb key):

see
https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html

BillK


On 6/7/20 12:49 pm, Dale wrote:
> Dale wrote:
>> Howdy,
>>
>> As some know, I been playing with encryption recently.  I got doing
>> it on the command line and using veracrypt for USB sticks down.  I
>> use Veracrypt for those that I want to work on windoze as well, I
>> hope anyway.  Now I'm moving on to something else. 
>>
>> Now that I have a spare drive, I want to encrypt it and have a mount
>> point for it, /home/dale/documents for example.  What I'd like to do,
>> when I login in, it asks me for the encryption password and then
>> mounts it.  When I log out, it reverses.  I'm not doing all of /home
>> because I want to separate some info.  I may do it later. 
>>
>> I did some googling but maybe my search terms aren't good enough.  I
>> mostly find for /home as a whole but not separate parts of it.  When
>> I add in Gentoo does some things differently, it may be that this
>> isn't even doable.  Also, my user password and password for the
>> encryption will be different.  I'm using KDE but anything that will
>> work as part of KDE or along with KDE will be fine with me. 
>>
>> Does anyone have a howto they can link to?  Is this even doable? 
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-) 
>
>
> Digging around I found these. 
>
> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
> [ebuild  N     ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt
> largefile luks nls openssl udev -argv0switch -cswap -fsck -mount
> (-selinux) -systemd" 533 KiB
>
> Looking at the info I've found tho, I don't think it will do what I'm
> looking for.  Has anyone used either of these in the past?  If so,
> does one of these do what I'm looking for?
>
> I'm surprised someone hasn't come up with this before.  Surely I'm not
> the only one who would like a automatic way to decrypt, mount, umount
> and encrypt with some sort of automated process.  Sort of like a USB
> stick only with encryption. 
>
> Dale
>
> :-)  :-) 

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 2299 bytes --]

William Kenworthy wrote:
> Hi Dale, I looked at Veracrypt and ran into the fact that it on windows
> Veracrypt MUST be installed by an administrator which is a blocker for
> using USB keys on computers I don't control (such as transporting files
> securely between locations - i.e., where there is potential to lose the
> usb key):
>
> see
> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>
> BillK
>

Does that mean that on windoze a person can open a encryted USB stick
without a password?  From what I read, it sounds like it doesn't put the
stick at risk, as long as you are not using key files or sharing your
password by storing it somewhere.  It just means you have to be admin to
install Veracrypt but not to access a encrypted USB stick.  From the way
it sounds, you insert USB stick, run Veracrypt, enter password, do what
you want with the stick, close it and then remove the stick.  Or am I
missing something? 

I might add, when I use cryptsetup and mount a external drive I use, I
do that as root.  Since my password is only in my head, no password, no
access root or not, right?

I'm new to this encrypted thing.  I'm learning but don't know all of it
and may never know all of it.  I figured out the other day that when I
select a two part or three part encryption, it actually encrypts the
thing twice or three times.  It's like having to pick two or three locks
on a door instead of one.  Only they have to be done in order and you
don't really have a way to know if you did it right until you figure out
the rest.  I bet that drives the NSA and other Govts nuts.  lol 

By the way, the USB stick will have instructions about things after I'm
buried or whatever.  I plan to keep the USB stick in a safe and share
the password with the person that will be taking care of things.  When
I'm gone, they can open the USB stick to access files on what to do and
such.  Until I'm gone, they won't know what is on the stick or have
access to it.  Getting older makes one think about these things.  :/ 
External drives will have things that when I'm gone, they gone too. 

I just wonder how many encryption tools have been cracked that we don't
know about.  It's not like they going to tell us or anything.

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 2978 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[William Kenworthy]

[-- Attachment #1: Type: text/plain, Size: 2887 bytes --]


On 6/7/20 2:37 pm, Dale wrote:
> William Kenworthy wrote:
>> Hi Dale, I looked at Veracrypt and ran into the fact that it on windows
>> Veracrypt MUST be installed by an administrator which is a blocker for
>> using USB keys on computers I don't control (such as transporting files
>> securely between locations - i.e., where there is potential to lose the
>> usb key):
>>
>> see
>> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>>
>> BillK
>>
>
> Does that mean that on windoze a person can open a encryted USB stick
> without a password?  From what I read, it sounds like it doesn't put
> the stick at risk, as long as you are not using key files or sharing
> your password by storing it somewhere.  It just means you have to be
> admin to install Veracrypt but not to access a encrypted USB stick. 
> From the way it sounds, you insert USB stick, run Veracrypt, enter
> password, do what you want with the stick, close it and then remove
> the stick.  Or am I missing something? 
>
It means that an administrator must install veracrypt first - if you
cant do that, you cant access the stick.  It also makes the point that
any adminstrator will have access to the sticks data - not just the user
(same as root under Linux).  The blocker for me was that I could not get
veracrypt installed.

> I might add, when I use cryptsetup and mount a external drive I use, I
> do that as root.  Since my password is only in my head, no password,
> no access root or not, right?
>
Maybe, maybe not ...

> I'm new to this encrypted thing.  I'm learning but don't know all of
> it and may never know all of it.  I figured out the other day that
> when I select a two part or three part encryption, it actually
> encrypts the thing twice or three times.  It's like having to pick two
> or three locks on a door instead of one.  Only they have to be done in
> order and you don't really have a way to know if you did it right
> until you figure out the rest.  I bet that drives the NSA and other
> Govts nuts.  lol 
>
> By the way, the USB stick will have instructions about things after
> I'm buried or whatever.  I plan to keep the USB stick in a safe and
> share the password with the person that will be taking care of
> things.  When I'm gone, they can open the USB stick to access files on
> what to do and such.  Until I'm gone, they won't know what is on the
> stick or have access to it.  Getting older makes one think about these
> things.  :/  External drives will have things that when I'm gone, they
> gone too. 
>
Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
too many things to go wrong with an encrypted USB.


> I just wonder how many encryption tools have been cracked that we
> don't know about.  It's not like they going to tell us or anything.
>
> Dale
>
> :-)  :-) 

Yep :)

BillK




[-- Attachment #2: Type: text/html, Size: 4298 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 3357 bytes --]

William Kenworthy wrote:
>
>
> On 6/7/20 2:37 pm, Dale wrote:
>> William Kenworthy wrote:
>>> Hi Dale, I looked at Veracrypt and ran into the fact that it on windows
>>> Veracrypt MUST be installed by an administrator which is a blocker for
>>> using USB keys on computers I don't control (such as transporting files
>>> securely between locations - i.e., where there is potential to lose the
>>> usb key):
>>>
>>> see
>>> https://www.veracrypt.fr/en/Using%20VeraCrypt%20Without%20Administrator%20Privileges.html
>>>
>>> BillK
>>>
>>
>> Does that mean that on windoze a person can open a encryted USB stick
>> without a password?  From what I read, it sounds like it doesn't put
>> the stick at risk, as long as you are not using key files or sharing
>> your password by storing it somewhere.  It just means you have to be
>> admin to install Veracrypt but not to access a encrypted USB stick. 
>> From the way it sounds, you insert USB stick, run Veracrypt, enter
>> password, do what you want with the stick, close it and then remove
>> the stick.  Or am I missing something? 
>>
> It means that an administrator must install veracrypt first - if you
> cant do that, you cant access the stick.  It also makes the point that
> any adminstrator will have access to the sticks data - not just the
> user (same as root under Linux).  The blocker for me was that I could
> not get veracrypt installed.
>

Ah I see what you are saying now.  It's a privately owned laptop so that
won't be a issue.  She may even use a desktop system. 


>> I might add, when I use cryptsetup and mount a external drive I use,
>> I do that as root.  Since my password is only in my head, no
>> password, no access root or not, right?
>>
> Maybe, maybe not ...
>
>> I'm new to this encrypted thing.  I'm learning but don't know all of
>> it and may never know all of it.  I figured out the other day that
>> when I select a two part or three part encryption, it actually
>> encrypts the thing twice or three times.  It's like having to pick
>> two or three locks on a door instead of one.  Only they have to be
>> done in order and you don't really have a way to know if you did it
>> right until you figure out the rest.  I bet that drives the NSA and
>> other Govts nuts.  lol 
>>
>> By the way, the USB stick will have instructions about things after
>> I'm buried or whatever.  I plan to keep the USB stick in a safe and
>> share the password with the person that will be taking care of
>> things.  When I'm gone, they can open the USB stick to access files
>> on what to do and such.  Until I'm gone, they won't know what is on
>> the stick or have access to it.  Getting older makes one think about
>> these things.  :/  External drives will have things that when I'm
>> gone, they gone too. 
>>
> Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
> too many things to go wrong with an encrypted USB.
>
>

Don't have a bank safety deposit box and even if I get one, that will
cause issues when I kick the bucket. 


>> I just wonder how many encryption tools have been cracked that we
>> don't know about.  It's not like they going to tell us or anything.
>>
>> Dale
>>
>> :-)  :-) 
>
> Yep :)
>
> BillK
>

I'm just hoping the newer ones, after Snowden, don't have back doors
etc.  Now let us pray.  ;-)

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 5542 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 985 bytes --]

On Mon, 6 Jul 2020 17:05:48 +0800, William Kenworthy wrote:

> > By the way, the USB stick will have instructions about things after
> > I'm buried or whatever.  I plan to keep the USB stick in a safe and
> > share the password with the person that will be taking care of
> > things.  When I'm gone, they can open the USB stick to access files on
> > what to do and such.  Until I'm gone, they won't know what is on the
> > stick or have access to it.  Getting older makes one think about these
> > things.  :/  External drives will have things that when I'm gone, they
> > gone too. 
> >  
> Paper in a sealed envelope in a safe (bank safety deposit box etc) ...
> too many things to go wrong with an encrypted USB.

I too have a USB stick in the safe, but it's not encrypted. As you say,
too much to go wrong that way. I actually use 2 sticks, just in case one
of them corrupts.


-- 
Neil Bothwick

Barnum was wrong....it's more like every 30 seconds!

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Rich Freeman]

On Mon, Jul 6, 2020 at 5:05 AM William Kenworthy <billk@iinet.net.au> wrote:
>
>  It also makes the point that any adminstrator will have access to the sticks data - not just the user (same as root under Linux).

This is just a fundamental issue about how computers work.  If you
attach your storage media to a computer, then potentially anybody who
had either physical access or administrative access to that computer
before you can read the storage media.  If it is encrypted and you
enter the decryption key into the computer, then that includes the
encrypted data too.

There are of course operating systems that try to make this sort of
thing harder, but there are many ways to bypass this sort of thing at
either the hardware or software level.  If you are plugging your USB
drive into a computer you don't control, you really have no way to
know what hardware or software it is using.  It could contain hardware
keyloggers, the OS might be tampered with, if the device is supposed
to prevent OS tampering you don't know if the hardware was swapped out
with hardware that doesn't prevent tampering, and so on.  This is why
things like hardware password/key managers often implement a
minimalistic serial/keyboard interface - to prevent the host they are
plugged into from actually being able to directly access their secure
storage.

I realize that you already said that this is your own hardware - I
just wanted to point out this fundamental limitation.  This is one of
the reasons that when I select laptops/tablets I tend to select ones
that are very light/portable - the more likely I am to have it with me
the less likely I am to need to access my private data from systems I
don't control.

-- 
Rich

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1193 bytes --]

On Sun, 5 Jul 2020 23:49:14 -0500, Dale wrote:

> Digging around I found these. 
> 
> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
> [ebuild  N     ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
> luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
> -systemd" 533 KiB
> 
> Looking at the info I've found tho, I don't think it will do what I'm
> looking for.  Has anyone used either of these in the past?  If so, does
> one of these do what I'm looking for?

ecryptfs-utils is the userland management of the kernel's ecryptfs.
Ecryptfs uses an overlay filesystem to encrypt files within a directory,
it is what Ubuntu uses for encrypted home directories

cryptmount is for working with LUKS filesystems, which appears to be the
route you are leaning towards. I haven't used it and don't know what
advantages it has over a user script, if you want to manually mount the
filesystem, or /etc/crypttab.


-- 
Neil Bothwick

/ For security reasons, all text in this mail
  is double-rot13 encrypted. /

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Dale]

[-- Attachment #1: Type: text/plain, Size: 1300 bytes --]

Neil Bothwick wrote:
> On Sun, 5 Jul 2020 23:49:14 -0500, Dale wrote:
>
>> Digging around I found these. 
>>
>> [ebuild  N    ~] sys-fs/ecryptfs-utils-111_p20170609::gentoo  USE="gtk
>> nls pam -doc -gpg -openssl -pkcs11 -python -suid -tpm"
>> PYTHON_SINGLE_TARGET="python2_7" 1,401 KiB
>> [ebuild  N     ] sys-fs/cryptmount-5.3.2::gentoo  USE="gcrypt largefile
>> luks nls openssl udev -argv0switch -cswap -fsck -mount (-selinux)
>> -systemd" 533 KiB
>>
>> Looking at the info I've found tho, I don't think it will do what I'm
>> looking for.  Has anyone used either of these in the past?  If so, does
>> one of these do what I'm looking for?
> ecryptfs-utils is the userland management of the kernel's ecryptfs.
> Ecryptfs uses an overlay filesystem to encrypt files within a directory,
> it is what Ubuntu uses for encrypted home directories
>
> cryptmount is for working with LUKS filesystems, which appears to be the
> route you are leaning towards. I haven't used it and don't know what
> advantages it has over a user script, if you want to manually mount the
> filesystem, or /etc/crypttab.
>
>

I thought Gentoo used /etc/conf.d/dmcypt?  I still haven't figured that
part out yet.  I need to read up on that more.  I'm not sure what it
does exactly, yet.

Dale

:-)  :-) 

[-- Attachment #2: Type: text/html, Size: 1745 bytes --]

Re: [gentoo-user] Encrypted drive setup at login and locking on logout.

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 999 bytes --]

On Mon, 6 Jul 2020 04:53:24 -0500, Dale wrote:

> > ecryptfs-utils is the userland management of the kernel's ecryptfs.
> > Ecryptfs uses an overlay filesystem to encrypt files within a
> > directory, it is what Ubuntu uses for encrypted home directories
> >
> > cryptmount is for working with LUKS filesystems, which appears to be
> > the route you are leaning towards. I haven't used it and don't know
> > what advantages it has over a user script, if you want to manually
> > mount the filesystem, or /etc/crypttab.

> I thought Gentoo used /etc/conf.d/dmcypt?  I still haven't figured that
> part out yet.  I need to read up on that more.  I'm not sure what it
> does exactly, yet.

It may do, I only encrypt everything-but-/boot or nothing at all.

For your use case, encrypting part of your home directory, ecryptfs may be
more suitable.


-- 
Neil Bothwick

Ralph's Observation - It is a mistake to allow any mechanical object
to realize that you are in a hurry.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]