<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Encrypting Partitions and Files</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.local_security.html" title="Part II. Local Security"><link rel="prev" href="cha.security.acls.html" title="Chapter 10. Access Control Lists in Linux"><link rel="next" href="cha.aide.html" title="Chapter 12. Intrusion Detection with AIDE"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.local_security.html">Local Security</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 10. Access Control Lists in Linux" href="cha.security.acls.html"><span>◀</span></a> <a accesskey="n" title="Chapter 12. Intrusion Detection with AIDE" href="cha.aide.html"><span>▶</span></a></strong></p></div></td></tr></table></div><div class="chapter" title="Chapter 11. Encrypting Partitions and Files"><div class="titlepage"><div><div><h2 class="title"><a name="cha.security.cryptofs"></a>Chapter 11. Encrypting Partitions and Files<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.security.cryptofs">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.security.cryptofs.html#sec.security.cryptofs.y2">11.1. Setting Up an Encrypted File System with YaST</a></span></dt><dt><span class="sect1"><a href="cha.security.cryptofs.html#sec.security.cryptofs.y2.homes">11.2. 
Using Encrypted Home Directories</a></span></dt><dt><span class="sect1"><a href="cha.security.cryptofs.html#sec.security.cryptofs.vi">11.3. Using vi to Encrypt Single ASCII Text Files</a></span></dt></dl></div><a class="indexterm" name="idx.encrypting"></a><a class="indexterm" name="id585515"></a><a class="indexterm" name="id585524"></a><p>
Most users have some confidential data on their computer that third
parties should not be able to access. The more you rely on mobile
computing and on working in different environments and networks, the more
carefully you should handle your data. The encryption of files or entire
partitions is recommended if others have network or physical access to
your system. Laptops or removable media, such as external hard disks or
USB sticks, are prone to being lost or stolen. Thus, it is recommended to
encrypt the parts of your filesystem that hold confidential data.
</p><p>
There are several ways to protect your data by means of encryption:
</p><div class="variablelist"><dl><dt><span class="term">Encrypting a Hard Disk Partition</span></dt><dd><p>
You can create an encrypted partition with YaST during installation
or in an already installed system. Refer to
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.part_inst" title="11.1.1. Creating an Encrypted Partition during Installation">Section 11.1.1, “Creating an Encrypted Partition during Installation”</a> and
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.part_run" title="11.1.2. Creating an Encrypted Partition on a Running System">Section 11.1.2, “Creating an Encrypted Partition on a Running System”</a> for details. This
option can also be used for removable media, such as external hard
disks, as described in
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.removables" title="11.1.4. Encrypting the Content of Removable Media">Section 11.1.4, “Encrypting the Content of Removable Media”</a>.
</p></dd><dt><span class="term">Creating an Encrypted File as Container</span></dt><dd><p>
You can create an encrypted file on your hard disk or on a removable
medium with YaST at any time. The encrypted file can then be used to
<span class="emphasis"><em>store</em></span> other files or folders. For more
information, refer to
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.container" title="11.1.3. Creating an Encrypted File as a Container">Section 11.1.3, “Creating an Encrypted File as a Container”</a>.
</p></dd><dt><span class="term">Encrypting Home Directories</span></dt><dd><p>
With openSUSE, you can also create encrypted user home
directories. When the user logs in to the system, the encrypted home
directory is mounted and the contents are made available to the user.
Refer to <a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.homes" title="11.2. Using Encrypted Home Directories">Section 11.2, “Using Encrypted Home Directories”</a> for more
information.
</p></dd><dt><span class="term">Encrypting Single ASCII Text Files</span></dt><dd><p>
If you only have a small number of ASCII text files that hold sensitive
or confidential data, you can encrypt them individually and protect
them with a password using Kgpg or the vi editor. Refer to
<span>Section “The KGpg Editor” (Chapter 7, <i>Encryption with KGpg</i>, ↑Application Guide)</span> and
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.vi" title="11.3. Using vi to Encrypt Single ASCII Text Files">Section 11.3, “Using vi to Encrypt Single ASCII Text Files”</a> for more information.
</p></dd></dl></div><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Encrypted Media Offers Limited Protection"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Encrypted Media Offers Limited Protection</th></tr><tr><td colspan="2" align="left" valign="top"><p>
The methods described in this chapter offer only limited protection.
You cannot protect your running system from being compromised. After the
encrypted medium is successfully mounted, everybody with appropriate
permissions has access to it. However, encrypted media are useful in case
of loss or theft of your computer, or to prevent unauthorized individuals
from reading your confidential data.
</p></td></tr></table></div><div class="sect1" title="11.1. Setting Up an Encrypted File System with YaST"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.cryptofs.y2"></a>11.1. Setting Up an Encrypted File System with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2">¶</a></span></h2></div></div></div><a class="indexterm" name="idx.encrypting.partitions"></a><a class="indexterm" name="id585702"></a><p>
Use YaST to encrypt partitions or parts of your file system during
installation or in an already installed system. However, encrypting a
partition in an already-installed system is more difficult, because
you have to resize and change existing partitions. In such cases, it
may be more convenient to create an encrypted file of a defined
region, in which to <span class="emphasis"><em>store</em></span> other files or parts of
your file system. To encrypt an entire partition, dedicate a
partition for encryption in the partition layout. The standard
partitioning proposal suggested by YaST does not include an
encrypted partition by default; add one manually in the partitioning
dialog.
</p><div class="sect2" title="11.1.1. Creating an Encrypted Partition during Installation"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.cryptofs.y2.part_inst"></a>11.1.1. Creating an Encrypted Partition during Installation<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2.part_inst">¶</a></span></h3></div></div></div><a class="indexterm" name="id585733"></a><a class="indexterm" name="id585742"></a><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Password Input"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Password Input</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Make sure to memorize the password for your encrypted partitions well.
Without that password, you cannot access or restore the encrypted data.
</p></td></tr></table></div><p>
The YaST expert dialog for partitioning offers the options needed for
creating an encrypted partition. To create a new encrypted partition
proceed as follows:
</p><div class="procedure"><ol class="procedure" type="1"><li><p>
Run the YaST Expert Partitioner with
<span class="guimenu">Computer</span>+<span class="guimenu">System</span>+<span class="guimenu">Partitioner</span>.
</p></li><li><p>
Select a hard disk, click <span class="guimenu">Add</span>, and select a primary
or an extended partition.
</p></li><li><p>
Select the partition size or the region to use on the disk.
</p></li><li><p>
Select the file system and the mount point for this partition.
</p></li><li><p>
Activate the <span class="guimenu">Encrypt device</span> check box.
</p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Additional Software Required"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Additional Software Required</th></tr><tr><td colspan="2" align="left" valign="top"><p>
After checking <span class="guimenu">Encrypt device</span>, a pop-up window
may ask you to install additional software. Confirm to install all the
required packages so that the encrypted partition works properly.
</p></td></tr></table></div></li><li><p>
Click <span class="guimenu">Next</span> and enter a password which is used to
encrypt this partition. This password is not displayed. To prevent
typing errors, you need to enter the password twice.
</p></li><li><p>
Complete the process by clicking <span class="guimenu">Finish</span>. The
newly encrypted partition is now created.
</p><p>
When you need to mount an encrypted partition, open your file
manager and click on the partition entry in the pane listing common
places on your filesystem. You will be prompted for a password and the
partition will be mounted.
</p></li></ol></div><p>
When you are installing your system on a machine where
partitions already exist, you can also decide to encrypt an existing
partition during installation. In this case follow the description in
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.part_run" title="11.1.2. Creating an Encrypted Partition on a Running System">Section 11.1.2, “Creating an Encrypted Partition on a Running System”</a> and be aware that
this action destroys all data on the existing partition.
</p></div><div class="sect2" title="11.1.2. Creating an Encrypted Partition on a Running System"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.cryptofs.y2.part_run"></a>11.1.2. Creating an Encrypted Partition on a Running System<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2.part_run">¶</a></span></h3></div></div></div><a class="indexterm" name="id585913"></a><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Activating Encryption on a Running System"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Activating Encryption on a Running System</th></tr><tr><td colspan="2" align="left" valign="top"><p>
It is also possible to create encrypted partitions on a running system.
However, encrypting an existing partition destroys all data on it, and
requires resizing and restructuring of existing partitions.
</p></td></tr></table></div><p>
On a running system, select <span class="guimenu">System</span>+<span class="guimenu">Partitioner</span> in the YaST Control
Center. Click <span class="guimenu">Yes</span> to proceed. In the <span class="guimenu">Expert
Partitioner</span>, select the partition to encrypt and
click <span class="guimenu">Edit</span>. The rest of the procedure is the same as
described in <a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.part_inst" title="11.1.1. Creating an Encrypted Partition during Installation">Section 11.1.1, “Creating an Encrypted Partition during Installation”</a>.
</p><a class="indexterm" name="id585967"></a></div><div class="sect2" title="11.1.3. Creating an Encrypted File as a Container"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.cryptofs.y2.container"></a>11.1.3. Creating an Encrypted File as a Container<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2.container">¶</a></span></h3></div></div></div><a class="indexterm" name="id585984"></a><a class="indexterm" name="idx.encrypting.files"></a><p>
Instead of using a partition, it is possible to create an encrypted file,
which can hold other files or folders containing confidential data. Such
container files are created from the YaST Expert Partitioner dialog.
Select <span class="guimenu">Crypt Files</span>+<span class="guimenu">Add Crypt
File</span> and enter the full path to the file and its
size. If YaST should create the container file, activate the checkbox
<span class="guimenu">Create Loop File</span>. Accept or change the proposed
formatting settings and the file system type. Specify the mount point
and make sure that <span class="guimenu">Encrypt Device</span> is checked.
</p><p>
Click <span class="guimenu">Next</span>, enter your password for decrypting the
file, and confirm with <span class="guimenu">Finish</span>.
</p><p>
The advantage of encrypted container files over encrypted partitions is
that they can be added without repartitioning the hard disk. They are
mounted with the help of a loop device and behave just like normal
partitions.
</p></div><div class="sect2" title="11.1.4. Encrypting the Content of Removable Media"><div class="titlepage"><div><div><h3 class="title"><a name="sec.security.cryptofs.y2.removables"></a>11.1.4. Encrypting the Content of Removable Media<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2.removables">¶</a></span></h3></div></div></div><a class="indexterm" name="idx.encrypting.remmedia"></a><p>
YaST treats removable media (like external hard disks or USB flash
drives) the same as any other hard disk. Container files or partitions
on such media can be encrypted as described above. Do not, however,
enable mounting at boot time, because removable media are usually only
connected while the system is running.
</p><p>
If you encrypted your removable device with YaST, the KDE and GNOME
desktops automatically recognize the encrypted partition and prompt for
the password when the device is detected. If you plug in a FAT formatted
removable device while running KDE or GNOME, the desktop user entering
the password automatically becomes the owner of the device and can read
and write files. For devices with a file system other than FAT, change
the ownership explicitly for users other than <code class="systemitem">root</code> to enable these
users to read or write files on the device.
</p><a class="indexterm" name="id586093"></a></div></div><div class="sect1" title="11.2. Using Encrypted Home Directories"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.cryptofs.y2.homes"></a>11.2. Using Encrypted Home Directories<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.y2.homes">¶</a></span></h2></div></div></div><p>
To protect the data in home directories from theft and the unauthorized
access that follows, use the YaST user management module to enable
encryption of home directories. You can create encrypted home directories
for new or existing users. To encrypt or decrypt home directories of
already existing users, you need to know their login password. See
Section “Managing Encrypted Home Directories” (Chapter 8, <i>Managing Users with YaST</i>, ↑Reference) for instructions.
</p><p>
Encrypted home directories are created within a file container as
described in <a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.container" title="11.1.3. Creating an Encrypted File as a Container">Section 11.1.3, “Creating an Encrypted File as a Container”</a>. Two
files are created under <code class="filename">/home</code> for each encrypted
home directory:
</p><div class="variablelist"><dl><dt><span class="term"><code class="filename"><em class="replaceable"><code>LOGIN</code></em>.img</code>
</span></dt><dd><p>
The image holding the directory
</p></dd><dt><span class="term"><code class="filename"><em class="replaceable"><code>LOGIN</code></em>.key</code>
</span></dt><dd><p>
The image key, protected with the user's login password.
</p></dd></dl></div><p>
On login, the home directory is decrypted automatically. Internally, this
is handled by the PAM module <span class="emphasis"><em>pam_mount</em></span>. If
you need to add an additional login method that provides encrypted home
directories, you have to add this module to the respective configuration
file in <code class="filename">/etc/pam.d/</code>. For more information see also
<a class="xref" href="cha.pam.html" title="Chapter 2. Authentication with PAM">Chapter 2, <i>Authentication with PAM</i></a> and the man page of <code class="option">pam_mount</code>.
</p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Security Restrictions"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Security Restrictions</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Encrypting a user's home directory does not provide strong security from
other users. If strong security is required, the system should not be
shared physically.
</p><p>
To enhance security, also encrypt the <code class="filename">swap</code>
partition and the <code class="filename">/tmp</code> and
<code class="filename">/var/tmp</code> directories, because these may contain
temporary images of critical data. You can encrypt
<code class="filename">swap</code>, <code class="filename">/tmp</code>, and
<code class="filename">/var/tmp</code> with the YaST partitioner as described
in <a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.part_inst" title="11.1.1. Creating an Encrypted Partition during Installation">Section 11.1.1, “Creating an Encrypted Partition during Installation”</a> or
<a class="xref" href="cha.security.cryptofs.html#sec.security.cryptofs.y2.container" title="11.1.3. Creating an Encrypted File as a Container">Section 11.1.3, “Creating an Encrypted File as a Container”</a>.
</p></td></tr></table></div></div><div class="sect1" title="11.3. Using vi to Encrypt Single ASCII Text Files"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.security.cryptofs.vi"></a>11.3. Using vi to Encrypt Single ASCII Text Files<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.security.cryptofs.vi">¶</a></span></h2></div></div></div><a class="indexterm" name="id586262"></a><p>
The disadvantage of using encrypted partitions is obvious: While the
partition is mounted, at least
<code class="systemitem">root</code> can access the data. To
prevent this, vi can be used in encrypted mode.
</p><p>
Use <span class="command"><strong>vi <code class="option">-x</code>
<em class="replaceable"><code>filename</code></em></strong></span> to edit a new file. vi
prompts you to set a password, after which it encrypts the content of the
file. Whenever you access this file, vi requests the correct password.
</p><p>
For even more security, you can place the encrypted text file in an
encrypted partition. This is recommended because the encryption used in
vi is not very strong.
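Because the strength of a vi-encrypted file depends on which cipher it was saved with, a practitioner will want to find out which one a given file uses. The script below is an added example, not part of the guide: it assumes vi is Vim (as on openSUSE), relies on the VimCrypt~NN! header Vim writes in front of the ciphertext, and uses constructed sample files whose bodies are placeholder bytes, not real ciphertext.

```shell
#!/bin/sh
# Added example, not part of the openSUSE guide (on openSUSE, vi is Vim):
# tell which cipher a file written with "vi -x" uses, from the 12-byte
# header Vim stores in front of the ciphertext, "VimCrypt~NN!". Known NN:
#   01  zip        PkZip-compatible stream cipher: weak, and the default
#                  'cryptmethod' on older Vim releases
#   02  blowfish   superseded by blowfish2 because of a known weakness
#   03  blowfish2  the method to use on Vim 7.4.399 or later
#   04  xchacha20  Vim 8.2 builds with libsodium
# Reading the header needs no password; it only reveals the method.

vimcrypt_method() {
    hdr=$(head -c 12 "$1" 2>/dev/null || true)
    case "$hdr" in
        'VimCrypt~01!') echo zip ;;
        'VimCrypt~02!') echo blowfish ;;
        'VimCrypt~03!') echo blowfish2 ;;
        'VimCrypt~04!') echo xchacha20 ;;
        VimCrypt~*)     echo unknown ;;      # newer method than this script knows
        *)              echo plaintext ;;    # no Vim crypt header at all
    esac
}

# vimcrypt_is_weak FILE -> exit 0 when the file should be re-encrypted.
vimcrypt_is_weak() {
    case "$(vimcrypt_method "$1")" in
        zip|blowfish) return 0 ;;
    esac
    return 1
}

# List the files under DIR that still use a weak method.
weak_vimcrypt_files() {
    find "$1" -type f | while read -r f; do
        vimcrypt_is_weak "$f" && echo "$f"
    done | sort
}

# Constructed sample files: a Vim header followed by placeholder bytes, not
# real ciphertext, so the check runs offline.
VIMCRYPT_DEMO_DIR=$(mktemp -d)
printf 'VimCrypt~01!\001\002placeholder' > "$VIMCRYPT_DEMO_DIR/old-notes.txt"
printf 'VimCrypt~03!\001\002placeholder' > "$VIMCRYPT_DEMO_DIR/new-notes.txt"
printf 'just a plain file\n'             > "$VIMCRYPT_DEMO_DIR/readme.txt"

for f in "$VIMCRYPT_DEMO_DIR"/*; do
    echo "$(basename "$f"): $(vimcrypt_method "$f")"
done
echo "weak: $(weak_vimcrypt_files "$VIMCRYPT_DEMO_DIR" | xargs -n1 basename | tr '\n' ' ')"
```

A file reported as weak can be re-encrypted in Vim by opening it, running :set cryptmethod=blowfish2 and writing it again.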
</p><a class="indexterm" name="id586302"></a><a class="indexterm" name="id586307"></a></div></div><div class="navfooter"><table width="100%" summary="Navigation footer" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.security.html">Security Guide</a><span class="breadcrumbs-sep"> > </span><a href="part.local_security.html">Local Security</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 10. Access Control Lists in Linux" href="cha.security.acls.html"><span>◀</span></a> <a accesskey="n" title="Chapter 12. Intrusion Detection with AIDE" href="cha.aide.html"><span>▶</span></a></strong></p></div></td></tr></table></div></body></html>