| 1 |
Michael wrote: |
| 2 |
> On Monday, 28 March 2022 04:59:04 BST Dale wrote: |
| 3 |
>> Michael wrote: |
| 4 |
>>> On Sunday, 27 March 2022 22:04:45 BST Dale wrote: |
| 5 |
>>>> That's sort of what I'm going to do. I'm going to divide things into |
| 6 |
>>>> sections with some encrypted and some not. |
| 7 |
>>> I wonder if all you want to do is to encrypt some directories on your |
| 8 |
>>> /home, then a different level of encryption would be more appropriate? |
| 9 |
>>> Instead of encrypting a whole block device, you could just encrypt a |
| 10 |
>>> directory tree or two, using ext4 encryption. e4crypt has been kicking |
| 11 |
>>> around for a few years now and it is meant to be an improvement on |
| 12 |
>>> eCryptfs. |
| 13 |
>>> |
| 14 |
>>> https://lwn.net/Articles/639427/ |
| 15 |
>>> |
| 16 |
>>> https://wiki.gentoo.org/wiki/Ext4_encryption |
| 17 |
>>> |
| 18 |
>>> WARNING: I'm not qualified to speak about this topic because my |
| 19 |
>>> experience is limited, but I'm interested all the same in reading your |
| 20 |
>>> approach and other contributors advice. |
| 21 |
>> That is the basic plan. I'll have /home as a normal open mount point. |
| 22 |
>> That way I can login without a encryption password being needed. After |
| 23 |
>> that, I plan to have other mount point(s) that are encrypted. |
| 24 |
> OK, that's a different plan to what I'm talking about. I am talking about |
| 25 |
> filesystem based encryption. |
| 26 |
> |
| 27 |
> You are talking about block device level encryption. Whether these other |
| 28 |
> mountpoints you want to encrypt are for normal partitions, LVM, what-ever, |
| 29 |
> you're dealing with whole block devices and mechanisms for encrypting these |
| 30 |
> block devices *before* a filesystem and data is even placed on them. |
| 31 |
> |
| 32 |
> With a filesystem level encryption you will be using the kernel's native |
| 33 |
> filesystem encryption and the fscrypt API to manage it. The sys-fs/fscrypt |
| 34 |
> userspace package can be used to manage the kernel based fscrypt API to |
| 35 |
> encrypt/decrypt some directories selectively within a filesystem. This can be |
| 36 |
> set up to happen transparently via PAM, using the user's login, if desired. |
| 37 |
> |
| 38 |
> You can read more about the kernel fscrypt mechanism here: |
| 39 |
> |
| 40 |
> https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html |
| 41 |
> |
| 42 |
> For how to set it up and run it from userspace details are here: |
| 43 |
> |
| 44 |
> https://wiki.archlinux.org/title/Fscrypt |
| 45 |
> |
| 46 |
> |
| 47 |
>> It may be |
| 48 |
>> /home/dale/Data or something to that effect. I'm still doing some |
| 49 |
>> checking but the normal non-encrypted stuff should easily fit on a 6TB |
| 50 |
>> drive without encryption. I can then rebuild the two 8TB drives as |
| 51 |
>> encrypted mount points with a different volume group thingy. When I |
| 52 |
>> boot up, I can login in as usual then decrypt the other mount point and |
| 53 |
>> access it as needed or close it and it be encrypted until needed. |
| 54 |
> If you have 8TB of data you want encrypted, then a block level encryption |
| 55 |
> would make sense. However, if you only have a few MB or GB of data to encrypt |
| 56 |
> in a couple of directories, then it may be more appropriate to consider native |
| 57 |
> filesystem encryption with fscrypt. |
| 58 |
> |
| 59 |
> |
| 60 |
>> I've considered just encrypting /home completely but I don't have the |
| 61 |
>> option of closing it while I'm logged into KDE. KDE wouldn't be able to |
| 62 |
>> access /home/dale/.kde or .config plus if I leave Seamonkey open, it |
| 63 |
>> will want to store new emails to .mozilla as well. So, some things need |
| 64 |
>> to be available and I'm not to worried about them being encrypted |
| 65 |
>> anyway. So encrypting all of /home would be overkill plus would be a |
| 66 |
>> problem for some things too, such as Seamonkey and KDE. |
| 67 |
> With fscrypt you can run manually 'fscrypt lock Vault-for-Dale' and only the |
| 68 |
> directory 'Vault-for-Dale' with any files in it will be encrypted. All the |
| 69 |
> remaining fs will be left as it was. |
| 70 |
> |
| 71 |
> Anyway, I'm only mentioning this as an alternative to consider, in case it fits |
| 72 |
> your use case better than buying more disks and whole block device encryption |
| 73 |
> methods. |
| 74 |
|
| 75 |
|
| 76 |
I do that with another tool on occasion. Usually, it is a directory |
| 77 |
that has banking info etc in it. I just right click and tell it to |
| 78 |
encrypt it. It uses the same password as my encrypted email program. |
| 79 |
The claim is it is secure. |
| 80 |
|
| 81 |
Given the large sizes tho, doing this way seems best. Even the tool I |
| 82 |
use for small stuff wouldn't work well. |
| 83 |
|
| 84 |
I googled and was trying to find info on how long it will take to shrink |
| 85 |
from 20TB to around 12TBs or so. It didn't lead to much except for |
| 86 |
someone with some seriously large drives and it taking about a week to |
| 87 |
shrink. That's a problem. If it will even take a few hours, I need a |
| 88 |
new plan. Anyone have ideas on how long that will take? |
| 89 |
|
| 90 |
Dale |
| 91 |
|
| 92 |
:-) :-) |
Archives