Encrypting the home partition


    Encrypting the home partition

    Hi all, bit of advice will be welcome.

    On my laptop (a Dell 630m) my BIOS password is also a password for the hard drive, the logic being some form of protection in case anyone nicks it and tries to get at the data by way of accessing via another PC.

    I'm thinking though that encrypting my home partition may well be a more secure option. I have a couple of questions though and wonder if someone can help me:

    1. If the system is up and running am I able to encrypt the partition or is it something I need to do during the course of an installation?

    2. Let's say I succeed in encrypting it. Then one day I cannot boot and so I use a kubuntu/knoppix/mandriva live cd to rescue my data. Will I be prompted simply to enter the password and then be able to access it, or is it a bit more involved than that?

    Would appreciate some guidance on this. Thanks

    Ian

    #2
    Re: Encrypting the home partition

    There are probably a bunch of answers to this, and everyone has their own preference.

    Mine is to encrypt during installation. I think this is the tutorial I used the first time:

    http://www.howtoforge.com/encrypting...ion-ubuntu8.04

    Be aware that encryption during install is only offered on the alternate CDs, and not with the liveCDs.

    It should be possible to encrypt the current /home partition, but would destroy the current data on it, and probably need a bunch of configuration changes to make it automatically ask for the passphrase and mount. If it isn't a "can't install - ever" type situation, then to me the reinstall is easier.

    Using the manual option and configuring each partition as "physical volume for encryption", as shown in the tutorial, allows the partitions to be accessed in the current system, and externally via the package cryptsetup in other systems - or as a second hard drive, or with a liveCD. The only requirement is to install the package cryptsetup [and the correct password].

    With my system, booting with a liveCD, the access to the encrypted partition would proceed as follows:

    1) sudo apt-get install cryptsetup - to install the package

    2) sudo cryptsetup luksOpen /dev/sda3 old_home - the /dev/sda3 is the desired partition and old_home is the label that the partition will now be called. All decrypted partitions are labeled, and those labels are stored in /dev/mapper/ which maps the labels to the partitions. cryptsetup will then ask for the password.

    3) sudo mount /dev/mapper/old_home /media/disk
    this mounts the old partition to /media/disk and is now accessible as a regular partition at /media/disk. sudo is needed because it won't be in the /etc/fstab file, and only root can mount it.

    To unmount and remove the drive manually [just shutting down takes care of all of this nicely as well] the two steps are:

    a) sudo umount /media/disk

    b) sudo cryptsetup luksClose /dev/mapper/old_home - the assigned label is needed to close, and no password is asked for.

    During the regular boot with an encrypted system, it should ask for the password for the / partition, and then the /home partition, and won't give up until after 3 bad passwords, maybe more.

    Slightly off-topic:

    The neatest system I have ever found for this was opensuse 11 [.something?] about 1.5 to 2 years ago. I can't remember the exact version. What it did was ask for the password to the encrypted /home partition 3 times, but if the password never worked, it would use the unencrypted /home partition on the / partition and boot up normally. I can't remember if the original users were preserved/carried over or not, but it actually had 2 usable /home partitions - the encrypted one that mounted with the correct password and one for without/wrong password.

    I could then set up the system, give it to the client - with complete access - and not worry about anything on the encrypted partition being destroyed. In one case, I had work for 3 projects on it, but just copied the current project work into the second /home partition, and away it went - safe and secure, with a known hardware and software configuration.

    *buntu doesn't do this naturally. It just drops into a command prompt and won't boot into graphics mode - which is proper, considering the /home that is presented to it on the / partition is very blank. I suppose I could set it up like opensuse, but haven't had to do that since. But it was an interesting find at the time.

    Comment
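The live-CD rescue steps from post #2, collected into one script as an added example (not code from the thread). It uses the post's /dev/sda3, old_home and /media/disk; the function names and the DRY_RUN switch are assumptions of this sketch, and it mounts the filesystem read-only so that copying data off cannot change it.

```bash
#!/bin/bash
# Added example: unlock and mount a LUKS /home partition from a live CD.
# Function names and DRY_RUN are hypothetical, not part of cryptsetup.

# With DRY_RUN=1 print the command instead of running it as root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else sudo "$@"; fi
}

# Reject mapper names that could be read as an option or a path.
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# rescue_open DEVICE NAME MOUNTPOINT
rescue_open() {
    dev=$1 name=$2 mnt=$3
    valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
    # Fail early if the partition carries no LUKS header (wrong device).
    run cryptsetup isLuks "$dev" || { echo "$dev is not LUKS" >&2; return 3; }
    # cryptsetup prompts for the passphrase on the terminal here.
    run cryptsetup luksOpen "$dev" "$name" || return 4
    run mkdir -p "$mnt" && run mount -o ro "/dev/mapper/$name" "$mnt"
}

# rescue_close NAME MOUNTPOINT  (reverse order: unmount, then lock)
rescue_close() {
    name=$1 mnt=$2
    valid_name "$name" || { echo "bad mapper name: $name" >&2; return 2; }
    run umount "$mnt" && run cryptsetup luksClose "$name"
}

# Usage: rescue.sh open /dev/sda3 old_home /media/disk
#        rescue.sh close old_home /media/disk
case "${1:-}" in
    open)  shift; rescue_open "$@" ;;
    close) shift; rescue_close "$@" ;;
esac
```

Running it with DRY_RUN=1 first shows the exact commands before anything touches the disk.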


      #3
      Re: Encrypting the home partition

      Thanks for the info. In view of what you say it's probably better for me to do it when I upgrade to Lucid, going the straight install route. Can you just clarify one thing though please - when booting up (I use auto-login) I perceive you suggest it will be necessary on each occasion to enter the encryption password? If I were not using auto-login I would then need to do 2 password entries, which would need to be different otherwise there would be no point in encryption?

      Thanks

      Ian

      Comment


        #4
        Re: Encrypting the home partition

        I haven't ever tried to set up the encryption password to be automatically entered. I would imagine that to kind of defeat the purpose, actually. The only two ways I can think of right now are either the manual passphrase, or a key file - like on a usb drive. I suppose the key file could be on the drive - but that also poses security risks.

        Here is an older website that does some different tricks:

        http://polishlinux.org/howtos/encryp...tion-in-linux/

        I think most of the compiling instructions may be obsolete - or accomplished through apt.

        I don't know how the Dell bios/hard drive password works, or if it actually locks the drive, but the problem with trying to not have to manually enter the key is that the disk contents may be accessible with a liveCD as root. If the password is stored somewhere in the open, the encryption is really not even there.

        The above website talks about [I found it a little hard to follow] matching the encrypted home partition passphrase with the user password. That would provide some added security vs a non-encrypted partition, but it is less security than different passwords, though the risk will depend on the use. The comments on the website talk about one way to auto mount the /home partition as well as auto-login, but that method uses an encrypted root partition to protect that passphrase - but the passphrase for the / partition needs to be entered during boot, so there won't be any gain.

        The encrypted partitions [definitely / and /home] mount before the gui boots, so the user auto-login should still work, but the passphrase for the encrypted partition is needed on each boot - either manually typed or in a key file.

        The passwords do not need to be different - again, depending on the use - because they do two different things. Higher security needs would suggest using different passwords, though.

        Comment
