Chapter 34. Security in Linux / 34.3. Encrypting Partitions and Files | ||||
|---|---|---|---|---|
 | 34.2. SSH: Secure Network Operations | 34.4. Security and Confidentiality |  | |
Chapter 34. Security in Linux / 34.3. Encrypting Partitions and Files | ||||
|---|---|---|---|---|
| 34.2. SSH: Secure Network Operations | 34.4. Security and Confidentiality | | |
Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have access over a network connection or direct physical access. The following list features a number of imaginable usage scenarios.
If you travel with your laptop, it is a good idea to encrypt hard disk partitions containing confidential data. If you lose your laptop or if it is stolen, your data will be out of reach if it resides in an encrypted file system or a single encrypted file.
USB flash drives or external hard disks are as prone to being stolen as laptops. An encrypted file system provides protection against third-party access.
YaST offers the encryption of files or partitions during installation as well as in an already installed system. An encrypted file can be created at any time, because it fits nicely in an existing partition layout. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST does not, by default, include an encrypted partition. Add it manually in the partitioning dialog.
![[Warning]](admon/warning.png) | Password Input |
|---|---|
Observe the warnings about password security when setting the password for encrypted partitions and memorize it well. Without the password, the encrypted data cannot be accessed. | |
The YaST expert dialog for partitioning, described in Section 2.7.5, “Partitioning”, offers the options needed for creating an encrypted partition. Click like when creating a regular partition. In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the process by clicking . In the following dialog, enter the password twice. The new encrypted partition is created after the partitioning dialog is closed by clicking . While booting, the operating system requests the password before mounting the partition.
If you do not want to mount the encrypted partition during start-up, click Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data. The partition is available to all users once it has been mounted.
If the encrypted file system should only be mounted when necessary,
enable in the
dialog. The respective
partition will not be mounted when the system is booted.
To make it available afterwards, mount it manually with
mount name_of_partition mount_pointname_of_partition
to protect it from access by other users.
| Activating Encryption in a Running System |
|---|---|
It is also possible to create encrypted partitions on a running system like during installation. However, encrypting an existing partition destroys all data on it. | |
On a running system, select + in the YaST control center. Click to proceed. Instead of selecting as mentioned above, click . The rest of the procedure is the same.
Instead of using a partition, it is possible to create encrypted file systems within single files for holding confidential data. These are created from the same YaST dialog. Select and enter the path to the file to create along with its intended size. Accept the proposed formatting settings and the file system type. Then specify the mount point and decide whether the encrypted file system should be mounted when the system is booted.
The advantage of encrypted files is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.
The disadvantage of using encrypted partitions is that while
the partition is mounted, at least root can access the data.
To prevent this, vi can be used in encrypted mode.
Use vi -x filename to edit a new
file. vi prompts you to set a password, after which it encrypts the content
of the file. Whenever you access this file, vi requests
the correct password.
For even more security, you can place the encrypted text file in an encrypted partition. This is recommended because the encryption used in vi is not very strong.
YaST treats removable media like external hard disks or USB flash drives like any other hard disk. Files or partitions on such media can be encrypted as described above. However, do not select to mount these media when the system is booted, because they are usually only connected while the system is running.
