1 |
Michael wrote: |
2 |
> On Monday, 28 March 2022 04:59:04 BST Dale wrote: |
3 |
>> Michael wrote: |
4 |
>>> On Sunday, 27 March 2022 22:04:45 BST Dale wrote: |
5 |
>>>> That's sort of what I'm going to do. I'm going to divide things into |
6 |
>>>> sections with some encrypted and some not. |
7 |
>>> I wonder if all you want to do is to encrypt some directories on your |
8 |
>>> /home, then a different level of encryption would be more appropriate? |
9 |
>>> Instead of encrypting a whole block device, you could just encrypt a |
10 |
>>> directory tree or two, using ext4 encryption. e4crypt has been kicking |
11 |
>>> around for a few years now and it is meant to be an improvement on |
12 |
>>> eCryptfs. |
13 |
>>> |
14 |
>>> https://lwn.net/Articles/639427/ |
15 |
>>> |
16 |
>>> https://wiki.gentoo.org/wiki/Ext4_encryption |
17 |
>>> |
18 |
>>> WARNING: I'm not qualified to speak about this topic because my |
19 |
>>> experience is limited, but I'm interested all the same in reading your |
20 |
>>> approach and other contributors advice. |
21 |
>> That is the basic plan. I'll have /home as a normal open mount point. |
22 |
>> That way I can login without a encryption password being needed. After |
23 |
>> that, I plan to have other mount point(s) that are encrypted. |
24 |
> OK, that's a different plan to what I'm talking about. I am talking about |
25 |
> filesystem based encryption. |
26 |
> |
27 |
> You are talking about block device level encryption. Whether these other |
28 |
> mountpoints you want to encrypt are for normal partitions, LVM, what-ever, |
29 |
> you're dealing with whole block devices and mechanisms for encrypting these |
30 |
> block devices *before* a filesystem and data is even placed on them. |
31 |
> |
32 |
> With a filesystem level encryption you will be using the kernel's native |
33 |
> filesystem encryption and the fscrypt API to manage it. The sys-fs/fscrypt |
34 |
> userspace package can be used to manage the kernel based fscrypt API to |
35 |
> encrypt/decrypt some directories selectively within a filesystem. This can be |
36 |
> set up to happen transparently via PAM, using the user's login, if desired. |
37 |
> |
38 |
> You can read more about the kernel fscrypt mechanism here: |
39 |
> |
40 |
> https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html |
41 |
> |
42 |
> For how to set it up and run it from userspace details are here: |
43 |
> |
44 |
> https://wiki.archlinux.org/title/Fscrypt |
45 |
> |
46 |
> |
47 |
>> It may be |
48 |
>> /home/dale/Data or something to that effect. I'm still doing some |
49 |
>> checking but the normal non-encrypted stuff should easily fit on a 6TB |
50 |
>> drive without encryption. I can then rebuild the two 8TB drives as |
51 |
>> encrypted mount points with a different volume group thingy. When I |
52 |
>> boot up, I can login in as usual then decrypt the other mount point and |
53 |
>> access it as needed or close it and it be encrypted until needed. |
54 |
> If you have 8TB of data you want encrypted, then a block level encryption |
55 |
> would make sense. However, if you only have a few MB or GB of data to encrypt |
56 |
> in a couple of directories, then it may be more appropriate to consider native |
57 |
> filesystem encryption with fscrypt. |
58 |
> |
59 |
> |
60 |
>> I've considered just encrypting /home completely but I don't have the |
61 |
>> option of closing it while I'm logged into KDE. KDE wouldn't be able to |
62 |
>> access /home/dale/.kde or .config plus if I leave Seamonkey open, it |
63 |
>> will want to store new emails to .mozilla as well. So, some things need |
64 |
>> to be available and I'm not to worried about them being encrypted |
65 |
>> anyway. So encrypting all of /home would be overkill plus would be a |
66 |
>> problem for some things too, such as Seamonkey and KDE. |
67 |
> With fscrypt you can run manually 'fscrypt lock Vault-for-Dale' and only the |
68 |
> directory 'Vault-for-Dale' with any files in it will be encrypted. All the |
69 |
> remaining fs will be left as it was. |
70 |
> |
71 |
> Anyway, I'm only mentioning this as an alternative to consider, in case it fits |
72 |
> your use case better than buying more disks and whole block device encryption |
73 |
> methods. |
74 |
|
75 |
|
76 |
I do that with another tool on occasion. Usually, it is a directory |
77 |
that has banking info etc in it. I just right click and tell it to |
78 |
encrypt it. It uses the same password as my encrypted email program. |
79 |
The claim is it is secure. |
80 |
|
81 |
Given the large sizes tho, doing this way seems best. Even the tool I |
82 |
use for small stuff wouldn't work well. |
83 |
|
84 |
I googled and was trying to find info on how long it will take to shrink |
85 |
from 20TB to around 12TBs or so. It didn't lead to much except for |
86 |
someone with some seriously large drives and it taking about a week to |
87 |
shrink. That's a problem. If it will even take a few hours, I need a |
88 |
new plan. Anyone have ideas on how long that will take? |
89 |
|
90 |
Dale |
91 |
|
92 |
:-) :-) |