How can I encrypt the /home folder?


Postby unkn-error » Tue May 08, 2012 19:40

I am planning to reinstall the system, but this time I really wish to use encryption. :roll:

As I understand I have these alternatives:

1) Encrypt the whole "/" partition, but not "/boot", at installation time.

Or

2) Encrypt the /home folder after install.

I believe that encrypting the whole "/" partition is going to take some CPU power, making the system a little slower, and I will have to input the partition password at boot time each time the system is starting up, which I find very annoying and frustrating, and I guess that I will run into problems if I wish to access the encrypted partition from Windows.

Meanwhile, I guess that encrypting only the /home folder will be enough, as the system will work at the same speed when installing updates or compiling, for example, and I guess that if I encrypt only the /home folder then there will be no need to input the encryption password every time the system is rebooted.

If I am wrong please correct me.

Also, I am curious what the default encryption algorithm (aes, twofish, serpent) and hash algorithm (sha-512/whirlpool) are that get used for "/" at install time, or when encrypting the /home folder after install?

Related to this, I am also curious how the root password is stored/encrypted in Sabayon Linux, as I remember that when I installed openSUSE I had to answer a question on how I wished to store my password, and if I remember well it gave me some options like md5, sha.

Thank you very, very much in advance for your kindness in answering my long questions and helping me out with setting up the system.

P.S. I am not interested in encrypting swap.
unkn-error

Re: How can I encrypt the /home folder?

Postby cl00t » Tue May 08, 2012 21:22

You can encrypt your home dir with ecryptfs, but good luck in getting it to work on Sabayon. I couldn't.
The Gentoo wiki gives a guide on this which I followed verbatim to no avail. I have done this on Debian systems a few times easily.

If you're reinstalling, just check the option to use encryption during setup. I use LVM & my home / swap / root partitions are encrypted. I can't see any slowdown at all.
Yes, you will have to enter a boot passphrase of course; you need to authenticate before the system boots. I tend to start once a day, so I don't find it an inconvenience at all.

If you want, you can install ecryptfs & set up an encrypted private dir in home & just put all sensitive info in that. That way you won't have to bother with pam_mount & getting that to work (see the Gentoo wiki described earlier).
Not sure if you can set your email to use the private dir though, depending on the client you use. You can choose the algorithm used with ecryptfs, the default being AES.

Or you can just use TrueCrypt & have an encrypted container for sensitive info, or a hidden encrypted partition.

You have a few choices.

Personally I would encrypt root / home / swap & have a strong boot passphrase.
cl00t

Re: How can I encrypt the /home folder?

Postby unkn-error » Wed May 09, 2012 4:11

I took a look and asked here and there, but I gave up on the idea of having only /home encrypted, it being such hard and terrible work to set up, so I reinstalled with all of "/" and "swap" encrypted.

Maybe there is a way to bypass the password prompt at boot time, as I encrypted the partitions for the scenario where someone takes the HDD out and tries some data recovery software on it.
unkn-error

Re: How can I encrypt the /home folder?

Postby cl00t » Wed May 09, 2012 17:14

No, you need to authenticate before the system starts, otherwise there wouldn't be much point in using encryption. If you can bypass it, so can an attacker. If you're worried about someone removing the disk & running file recovery software on it, you've made the right choice IMHO by using LUKS, as you shouldn't have to worry about what is in swap & don't need to worry about files outside of home, or deleted & recoverable files.
cl00t
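
The opening question about which cipher and hash the installer picked can be answered from the LUKS header of the installed system. The following is an added example, not part of the thread: a shell function that summarises `cryptsetup luksDump` output, assuming the LUKS1 text layout; the sample header and the device name /dev/sdXN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): summarise cipher, key size, hash and
# active key slots from LUKS1-style `cryptsetup luksDump` text on stdin.
# Real use, as root:  cryptsetup luksDump /dev/sdXN | luks_summary
luks_summary() {
    awk '
        /^Cipher name:/ { cipher = $NF }
        /^Cipher mode:/ { mode   = $NF }
        /^Hash spec:/   { hash   = $NF }
        /^MK bits:/     { bits   = $NF }
        /^Key Slot [0-7]: ENABLED/ { slots++ }
        END {
            if (cipher == "" || bits == "") {
                print "no LUKS header fields found"
                exit 1
            }
            # XTS splits the master key into two halves, so a 512-bit
            # master key means a 256-bit cipher key.
            eff = (mode ~ /^xts/) ? bits / 2 : bits
            printf "cipher=%s-%s mk_bits=%d cipher_key_bits=%d hash=%s active_slots=%d\n",
                   cipher, mode, bits, eff, hash, slots
        }'
}

# Constructed sample header (placeholder device, not taken from the thread).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdXN

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED
EOF
}

sample_dump | luks_summary
```

More than one active key slot means more than one passphrase or key file can unlock the volume, which is worth knowing before relying on a single strong boot passphrase.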

Re: How can I encrypt the /home folder?

Postby unkn-error » Wed May 09, 2012 18:15

I really "feel" no difference in performance and no lags/delays, but in case someone else is wondering about performance like me and doesn't have time to benchmark, I took this occasion to run a benchmark to see the difference.

But please keep in mind that when the system was NOT encrypted it was on /dev/sda2, which is at the front of the hard disk, and the encrypted system is on /dev/sda6, which is somewhere in the middle of the hard disk, if that matters a little.

This is the score before using encryption:


unknown error # uname -a
Linux unknown 3.2.0-sabayon #1 SMP Thu Jan 26 15:03:47 UTC 2012 i686 Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz GenuineIntel GNU/Linux
unknown error # free -m
total used free shared buffers cached
Mem: 2019 770 1248 0 46 377
-/+ buffers/cache: 346 1672
Swap: 2047 0 2047
unknown error # bashmark
#######################################################
: T E S T : :S C O R E : : R A T I O:
:-----------------------------------------------------:
:Cpu, Integer : : 4022: : +275%:
:Cpu, Floating point : : 92: : -88%:
: : : : : :
:Memory r/w (cached) : : 3180: : +164%:
:Memory de-/alloc : : 930: : +42%:
: : : : : :
:Multithreading : : 2667: : +7%:
#######################################################
: S Y S T E M I N F O :
-------------------------------------------------------
1x Intel(R) Core(TM)2 Duo T5450 @ 1000.000MHz, L2 2048KB
1x Intel(R) Core(TM)2 Duo T5450 @ 1667.000MHz, L2 2048KB
Linux 3.2.0-sabayon
GCC 4.4.0
92KB binary size
#######################################################
: R E F E R E N C E S Y S T E M I N F O :
-------------------------------------------------------
Reference system was Geno's pc with:
Athlon XP 1800+ 1575.631MHz, 256KB
Linux 2.6.11-ck1
GCC 3.4.3-20050110 (compiled with standard cflags)
glibc 2.3.4 (with nptl)
128KB binary size
Scores gathered on March, 30th. 2005 with bashmark 0.6
unknown error #
______________________________________________________________________________

This is the score after using encryption:


[email protected] ~ $ su
Password:
unknown error # uname -a
Linux unknown 3.2.0-sabayon #1 SMP Thu Jan 26 15:03:47 UTC 2012 i686 Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz GenuineIntel GNU/Linux
unknown error # free -m
total used free shared buffers cached
Mem: 2019 857 1161 0 44 481
-/+ buffers/cache: 331 1687
Swap: 2045 0 2045
unknown error # bashmark
#######################################################
: T E S T : :S C O R E : : R A T I O:
:-----------------------------------------------------:
:Cpu, Integer : : 4009: : +274%:
:Cpu, Floating point : : 92: : -88%:
: : : : : :
:Memory r/w (cached) : : 3174: : +164%:
:Memory de-/alloc : : 920: : +41%:
: : : : : :
:Multithreading : : 1033: : -59%:
#######################################################
: S Y S T E M I N F O :
-------------------------------------------------------
2x Intel(R) Core(TM)2 Duo T5450 @ 1000.000MHz, L2 2048KB
Linux 3.2.0-sabayon
GCC 4.4.0
92KB binary size
#######################################################
: R E F E R E N C E S Y S T E M I N F O :
-------------------------------------------------------
Reference system was Geno's pc with:
Athlon XP 1800+ 1575.631MHz, 256KB
Linux 2.6.11-ck1
GCC 3.4.3-20050110 (compiled with standard cflags)
glibc 2.3.4 (with nptl)
128KB binary size
Scores gathered on March, 30th. 2005 with bashmark 0.6
unknown error #
unkn-error

