1 |
On Monday, 28 March 2022 04:59:04 BST Dale wrote: |
2 |
> Michael wrote: |
3 |
> > On Sunday, 27 March 2022 22:04:45 BST Dale wrote: |
4 |
> >> That's sort of what I'm going to do. I'm going to divide things into |
5 |
> >> sections with some encrypted and some not. |
6 |
> > |
7 |
> > I wonder if all you want to do is to encrypt some directories on your |
8 |
> > /home, then a different level of encryption would be more appropriate? |
9 |
> > Instead of encrypting a whole block device, you could just encrypt a |
10 |
> > directory tree or two, using ext4 encryption. e4crypt has been kicking |
11 |
> > around for a few years now and it is meant to be an improvement on |
12 |
> > eCryptfs. |
13 |
> > |
14 |
> > https://lwn.net/Articles/639427/ |
15 |
> > |
16 |
> > https://wiki.gentoo.org/wiki/Ext4_encryption |
17 |
> > |
18 |
> > WARNING: I'm not qualified to speak about this topic because my |
19 |
> > experience is limited, but I'm interested all the same in reading your |
20 |
> > approach and other contributors advice. |
21 |
> |
22 |
> That is the basic plan. I'll have /home as a normal open mount point. |
23 |
> That way I can login without a encryption password being needed. After |
24 |
> that, I plan to have other mount point(s) that are encrypted. |
25 |
|
26 |
OK, that's a different plan to what I'm talking about. I am talking about |
27 |
filesystem based encryption. |
28 |
|
29 |
You are talking about block device level encryption. Whether these other |
30 |
mountpoints you want to encrypt are for normal partitions, LVM, what-ever, |
31 |
you're dealing with whole block devices and mechanisms for encrypting these |
32 |
block devices *before* a filesystem and data is even placed on them. |
33 |
|
34 |
With a filesystem level encryption you will be using the kernel's native |
35 |
filesystem encryption and the fscrypt API to manage it. The sys-fs/fscrypt |
36 |
userspace package can be used to manage the kernel based fscrypt API to |
37 |
encrypt/decrypt some directories selectively within a filesystem. This can be |
38 |
set up to happen transparently via PAM, using the user's login, if desired. |
39 |
|
40 |
You can read more about the kernel fscrypt mechanism here: |
41 |
|
42 |
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html |
43 |
|
44 |
For how to set it up and run it from userspace details are here: |
45 |
|
46 |
https://wiki.archlinux.org/title/Fscrypt |
47 |
|
48 |
|
49 |
> It may be |
50 |
> /home/dale/Data or something to that effect. I'm still doing some |
51 |
> checking but the normal non-encrypted stuff should easily fit on a 6TB |
52 |
> drive without encryption. I can then rebuild the two 8TB drives as |
53 |
> encrypted mount points with a different volume group thingy. When I |
54 |
> boot up, I can login in as usual then decrypt the other mount point and |
55 |
> access it as needed or close it and it be encrypted until needed. |
56 |
|
57 |
If you have 8TB of data you want encrypted, then a block level encryption |
58 |
would make sense. However, if you only have a few MB or GB of data to encrypt |
59 |
in a couple of directories, then it may be more appropriate to consider native |
60 |
filesystem encryption with fscrypt. |
61 |
|
62 |
|
63 |
> I've considered just encrypting /home completely but I don't have the |
64 |
> option of closing it while I'm logged into KDE. KDE wouldn't be able to |
65 |
> access /home/dale/.kde or .config plus if I leave Seamonkey open, it |
66 |
> will want to store new emails to .mozilla as well. So, some things need |
67 |
> to be available and I'm not to worried about them being encrypted |
68 |
> anyway. So encrypting all of /home would be overkill plus would be a |
69 |
> problem for some things too, such as Seamonkey and KDE. |
70 |
|
71 |
With fscrypt you can run manually 'fscrypt lock Vault-for-Dale' and only the |
72 |
directory 'Vault-for-Dale' with any files in it will be encrypted. All the |
73 |
remaining fs will be left as it was. |
74 |
|
75 |
Anyway, I'm only mentioning this as an alternative to consider, in case it fits |
76 |
your use case better than buying more disks and whole block device encryption |
77 |
methods. |