On 02.01.2012 12:36, Stéphane Guedon wrote:
> On Monday 02 January 2012 11:49:11 Florian Philipp wrote:
>> On 02.01.2012 09:07, Stéphane Guedon wrote:
>>> Hi all
>>>
>>> I may ask something already discussed, but I can't find any good
>>> documentation. I am wondering how to secure my home repository on my
>>> laptop. I am thinking of cryptography and other things (the password
>>> decrypts the repository and allows reading files...).
>>>
>>> What tool to use? Does anybody know a good doc (in French would be
>>> really good)?
>>>
>>> I am not really paranoid, but I work now in a quite important
>>> environment and want any data I get out to be secured...
>>
>> I recommend dm-crypt (a.k.a. cryptsetup-luks). It encrypts the block
>> device under the actual file system. Gentoo wiki has some tutorials on
>> it (although you don't need much of it): [1] [2]
>>
>> If you only want to encrypt your home partition, you only need to follow
>> these steps:
>>
>> 1. Create an encrypted partition (see `man cryptsetup`)
>> 2. Move /home/* over to it (don't forget backup)
>> 3. Configure /etc/conf.d/dmcrypt
>> 4. Add /etc/init.d/dmcrypt to boot runlevel
>>
>> Then the init script will ask you for the password at boot. dm-crypt
>> allows multiple passwords per partition so that different users can have
>> different passwords.
>>
>> The alternative to the dmcrypt init script is to use sys-auth/pam_mount.
>> It allows you to use the login password to automatically decrypt a
>> partition and mount it as /home/$user. [2] has a section about it.
>> However, this breaks easily and is pretty hard to administer if you
>> have no experience with dm-crypt and pam. I recommend the first solution.
>>
>> [1] http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>> [2] http://en.gentoo-wiki.com/wiki/DM-Crypt
>>
>> Regards,
>> Florian Philipp
>
> Is this solution (the first one) easily integrated into some environment
> (kde)?
>
> I don't want to have numerous passwords (one to decrypt, another to open the
> desktop session as usual...), plus my wife would argue with some reason that I am
> always hacking the computer whereas we are just using it to watch movies...
> (she uses the computer also, but in a much more used way, so any solution has
> to be comfortable for her too!)
>

Well, it is partially integrated: When it is not /home/* but some other
partition/external disk, then KDE supports decrypting it when you mount
it (like memory sticks). It can also save the password in kwallet. Gnome
can do the same. However, if you want to use it for /home/* and don't
want to enter the password twice, you should use pam_mount.

One alternative: the dmcrypt init script also supports key files. I
believe it is possible to put a key file on a USB stick and the init
script waits until the stick is attached, then mounts it and uses the
file to decrypt the partition. It's a poor man's smartcard, just without
a PIN.

That way, you don't need to enter the password, just take care of that
stick. You can also encrypt the key file with GPG, but then you need to
enter the password for that file.

Regards,
Florian Philipp
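An example /etc/conf.d/dmcrypt stanza for the setup discussed above (step 3 of the recipe, plus the key-file-on-USB-stick and GPG-encrypted-key variants mentioned at the end). This is an added illustration, not configuration from the thread or from the Gentoo wiki pages it links; the mapping name, device paths and key path are placeholders, and the stanza keywords are those documented in the stock /etc/conf.d/dmcrypt shipped with sys-fs/cryptsetup.

```shell
# /etc/conf.d/dmcrypt (fragment, placeholder devices) -- each "target="
# line begins a new stanza; the dmcrypt init script processes them in
# order at boot once it is in the boot runlevel ("rc-update add dmcrypt boot").

# Number of passphrase attempts the init script allows before giving up.
dmcrypt_retries=3

# --- /home unlocked with a passphrase typed at boot (the "first solution") ---
# Any LUKS key slot (up to 8 per partition) will open it, so each user
# can keep a different passphrase (added later with "cryptsetup luksAddKey").
target=crypt-home          # becomes /dev/mapper/crypt-home
source='/dev/sda3'         # PLACEHOLDER: the LUKS-formatted partition
# /etc/fstab then mounts the mapping instead of the raw partition:
#   /dev/mapper/crypt-home  /home  ext4  defaults  0 2

# --- Variant: key file on a removable USB stick ("poor man's smartcard") ---
# The script waits for remdev, mounts it read-only, and feeds the key file
# to cryptsetup, so no passphrase is typed. Whoever holds the stick can
# unlock the disk, so keep a passphrase in a second key slot as a fallback.
#target=crypt-home
#source='/dev/sda3'
#key='/keys/home.key'      # PLACEHOLDER: path *inside* the mounted stick
#remdev='/dev/sdb1'        # PLACEHOLDER: the stick's partition

# --- Variant: the same key file, but GPG-encrypted on the stick ---
# ":gpg" makes the script decrypt the file first, so a passphrase is asked
# for the key file instead of the LUKS slot. The decrypted key must not
# end with a newline (tr -d '\n' before encrypting it).
#target=crypt-home
#source='/dev/sda3'
#key='/keys/home.key.gpg:gpg'
#remdev='/dev/sdb1'
```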