| 1 |
On Monday, 28 March 2022 04:59:04 BST Dale wrote: |
| 2 |
> Michael wrote: |
| 3 |
> > On Sunday, 27 March 2022 22:04:45 BST Dale wrote: |
| 4 |
> >> That's sort of what I'm going to do. I'm going to divide things into |
| 5 |
> >> sections with some encrypted and some not. |
| 6 |
> > |
| 7 |
> > I wonder if all you want to do is to encrypt some directories on your |
| 8 |
> > /home, then a different level of encryption would be more appropriate? |
| 9 |
> > Instead of encrypting a whole block device, you could just encrypt a |
| 10 |
> > directory tree or two, using ext4 encryption. e4crypt has been kicking |
| 11 |
> > around for a few years now and it is meant to be an improvement on |
| 12 |
> > eCryptfs. |
| 13 |
> > |
| 14 |
> > https://lwn.net/Articles/639427/ |
| 15 |
> > |
| 16 |
> > https://wiki.gentoo.org/wiki/Ext4_encryption |
| 17 |
> > |
| 18 |
> > WARNING: I'm not qualified to speak about this topic because my |
| 19 |
> > experience is limited, but I'm interested all the same in reading your |
| 20 |
> > approach and other contributors advice. |
| 21 |
> |
| 22 |
> That is the basic plan. I'll have /home as a normal open mount point. |
| 23 |
> That way I can login without a encryption password being needed. After |
| 24 |
> that, I plan to have other mount point(s) that are encrypted. |
| 25 |
|
| 26 |
OK, that's a different plan to what I'm talking about. I am talking about |
| 27 |
filesystem based encryption. |
| 28 |
|
| 29 |
You are talking about block device level encryption. Whether these other |
| 30 |
mountpoints you want to encrypt are for normal partitions, LVM, what-ever, |
| 31 |
you're dealing with whole block devices and mechanisms for encrypting these |
| 32 |
block devices *before* a filesystem and data is even placed on them. |
| 33 |
|
| 34 |
With a filesystem level encryption you will be using the kernel's native |
| 35 |
filesystem encryption and the fscrypt API to manage it. The sys-fs/fscrypt |
| 36 |
userspace package can be used to manage the kernel based fscrypt API to |
| 37 |
encrypt/decrypt some directories selectively within a filesystem. This can be |
| 38 |
set up to happen transparently via PAM, using the user's login, if desired. |
| 39 |
|
| 40 |
You can read more about the kernel fscrypt mechanism here: |
| 41 |
|
| 42 |
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html |
| 43 |
|
| 44 |
For how to set it up and run it from userspace details are here: |
| 45 |
|
| 46 |
https://wiki.archlinux.org/title/Fscrypt |
| 47 |
|
| 48 |
|
| 49 |
> It may be |
| 50 |
> /home/dale/Data or something to that effect. I'm still doing some |
| 51 |
> checking but the normal non-encrypted stuff should easily fit on a 6TB |
| 52 |
> drive without encryption. I can then rebuild the two 8TB drives as |
| 53 |
> encrypted mount points with a different volume group thingy. When I |
| 54 |
> boot up, I can login in as usual then decrypt the other mount point and |
| 55 |
> access it as needed or close it and it be encrypted until needed. |
| 56 |
|
| 57 |
If you have 8TB of data you want encrypted, then a block level encryption |
| 58 |
would make sense. However, if you only have a few MB or GB of data to encrypt |
| 59 |
in a couple of directories, then it may be more appropriate to consider native |
| 60 |
filesystem encryption with fscrypt. |
| 61 |
|
| 62 |
|
| 63 |
> I've considered just encrypting /home completely but I don't have the |
| 64 |
> option of closing it while I'm logged into KDE. KDE wouldn't be able to |
| 65 |
> access /home/dale/.kde or .config plus if I leave Seamonkey open, it |
| 66 |
> will want to store new emails to .mozilla as well. So, some things need |
| 67 |
> to be available and I'm not to worried about them being encrypted |
| 68 |
> anyway. So encrypting all of /home would be overkill plus would be a |
| 69 |
> problem for some things too, such as Seamonkey and KDE. |
| 70 |
|
| 71 |
With fscrypt you can run manually 'fscrypt lock Vault-for-Dale' and only the |
| 72 |
directory 'Vault-for-Dale' with any files in it will be encrypted. All the |
| 73 |
remaining fs will be left as it was. |
| 74 |
|
| 75 |
Anyway, I'm only mentioning this as an alternative to consider, in case it fits |
| 76 |
your use case better than buying more disks and whole block device encryption |
| 77 |
methods. |
Archives