Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. Encrypting files or entire partitions is recommended if others can reach the machine over a network connection or have direct physical access to it. For laptops or removable media, such as external hard disks or USB sticks, that are prone to being lost or stolen, it is also very useful to encrypt the partitions (or parts of your file system) that hold confidential data.
There are several ways to protect your data by means of encryption:
You can create an encrypted partition with YaST during installation or in an already installed system. See Section 47.1.1, “Creating an Encrypted Partition during Installation” and Section 47.1.2, “Creating an Encrypted Partition on a Running System” for the details. This option can also be used for removable media, such as external hard disks, as described in Section 47.1.4, “Encrypting the Content of Removable Media”.
You can at any time create an encrypted file on your hard disk or on a removable medium with YaST. The encrypted file can then be used to store other files or folders. For more information, refer to Section 47.1.3, “Creating an Encrypted File as a Container”.
With SUSE Linux Enterprise, you can also create encrypted home directories for users. When the user logs in to the system, the encrypted home directory is mounted and the contents are made available to the user. Refer to Section 47.2, “Using Encrypted Home Directories” for more information.
If you only have a small number of files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor. Refer to Section 47.3, “Using vi to Encrypt Single Files” for more information.
**Encrypted Media Is Limited Protection**

Be aware that with the methods described in this chapter, you cannot protect your running system from being compromised. After the encrypted media is successfully mounted, everybody with appropriate permissions has access to it. However, encrypted media is useful for cases such as loss or theft of your computer or to prevent unauthorized individuals from reading your confidential data.
Use YaST to encrypt partitions or parts of your file system during installation or in an already installed system. However, encrypting a partition in an already installed system is more difficult because you have to resize and change existing partitions. In such cases, it may be more convenient to create an encrypted file of a defined size in which to store other files or parts of your file system. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST does not, by default, include an encrypted partition. Add it manually in the partitioning dialog.
**Password Input**

Observe the warnings about password security when setting the password for encrypted partitions and memorize it well. Without the password, the encrypted data cannot be accessed or restored.
The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition. To create a new encrypted partition, click . In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Change the default , if necessary. For example, if the encrypted file system should only be mounted when necessary, enable so it is not mounted as part of the boot process. Complete the process by clicking . In the following dialog, enter the password twice. The new encrypted partition is created after the partitioning dialog is closed by clicking .
Unless set not to mount during boot, the operating system requests the password while booting before mounting the partition. The partition is available to all users once it has been mounted.
To skip mounting the encrypted partition during a particular start-up, press Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data.
To access an encrypted partition that is not mounted during boot, mount the partition manually by entering `mount name_of_partition mount_point`. Enter the password when prompted to do so. After finishing your work with the partition, unmount it with `umount name_of_partition` to protect it from access by other users.
When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation. In this case, follow the description in Section 47.1.2, “Creating an Encrypted Partition on a Running System” and be aware that this destroys all data on the partition being encrypted.
**Activating Encryption in a Running System**

It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it and requires resizing and restructuring of existing partitions.
On a running system, select + in the YaST control center. Click to proceed. In the , select the partition to encrypt and click . The rest of the procedure is the same as in Section 47.1.1, “Creating an Encrypted Partition during Installation”.
Instead of using a partition, it is possible to create an encrypted file of a certain size that can then hold other files or folders containing confidential data. Such container files are created from the same YaST dialog. Select and enter the path to the file to create along with its intended size. Accept the proposed formatting settings and the file system type. Then specify the mount point and decide whether the encrypted file system should be mounted when the system is booted.
The advantage of encrypted container files is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.
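The manual mount and unmount procedure described above and the container file described here can also be done from the command line with cryptsetup, which is what YaST drives underneath for LUKS volumes. The following shell script is an added example written for this page, not code from the SUSE manual or from YaST. The device path /dev/sdb1, the image path /srv/vault.img, the mapper name vault and the mount point /mnt/vault are illustrative assumptions, and every command that touches a block device must run as root; only the is_luks header check, which reads the first six bytes of the device, runs without cryptsetup.

```shell
#!/bin/sh
# Added example for this page, not code from the SUSE manual or from YaST.
# Command-line equivalent of the YaST procedures using cryptsetup (LUKS).
# Device path, image path, mapper name and mount point are illustrative
# assumptions; every command that touches a block device needs root.

# Detect a LUKS header without cryptsetup: LUKS1 and LUKS2 headers both start
# with the 6-byte magic "LUKS" 0xBA 0xBE at offset 0.  This is the signature
# blkid checks for when a desktop decides to prompt for a passphrase.
is_luks() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Create a LUKS container file of size_mib MiB with an ext4 file system inside.
# cryptsetup attaches the loop device itself when given a regular file.
# Example: make_container /srv/vault.img 256 vault
make_container() {
    img=$1; size_mib=$2; name=$3
    dd if=/dev/zero of="$img" bs=1M count="$size_mib"
    chmod 600 "$img"                      # only root may read the ciphertext
    cryptsetup luksFormat "$img"          # asks for the new passphrase twice
    cryptsetup open "$img" "$name"        # /dev/mapper/$name now exists
    mkfs.ext4 /dev/mapper/"$name"
    cryptsetup close "$name"
}

# Open and mount a LUKS partition or container that is not opened at boot.
# Example: open_and_mount /dev/sdb1 vault /mnt/vault
open_and_mount() {
    dev=$1; name=$2; mnt=$3
    is_luks "$dev" || { echo "$dev: no LUKS header" >&2; return 1; }
    cryptsetup open "$dev" "$name"        # prompts for the passphrase
    mkdir -p "$mnt"
    mount /dev/mapper/"$name" "$mnt"
}

# Unmount and close the mapping again.  Until this runs, /dev/mapper/$name
# and the mount point expose the plaintext to every user with permissions.
unmount_and_close() {
    name=$1; mnt=$2
    umount "$mnt"
    cryptsetup close "$name"
}

# /etc/crypttab and /etc/fstab lines equivalent to YaST's "do not mount at
# system start-up": noauto keeps the volume closed until opened by hand.
crypttab_line() { printf '%s %s none luks,noauto\n' "$1" "$2"; }            # name device
fstab_line()    { printf '/dev/mapper/%s %s ext4 noauto 0 0\n' "$1" "$2"; } # name mountpoint

# Offline demonstration of the header check on a constructed stub file.
demo() {
    stub=$(mktemp)
    printf 'LUKS\272\276' > "$stub"        # constructed 6-byte LUKS magic
    if is_luks "$stub"; then echo "stub: LUKS header found"; else echo "stub: not LUKS"; fi
    rm -f "$stub"
}
demo
```

The noauto entries produced by crypttab_line and fstab_line correspond to the YaST option not to mount the volume at boot; with them in place, the volume stays closed until open_and_mount is run, and unmount_and_close returns it to that state. Closing the mapping matters: until cryptsetup close runs, /dev/mapper/vault exposes the plaintext to anyone with permission on the mount point, which is exactly the limitation the note at the beginning of this chapter describes.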
YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. However, enable in the dialog, because removable media are usually only connected while the system is running.
If you have encrypted your removable device with LUKS (Linux Unified Key Setup), which is the default for SUSE Linux Enterprise SP1, the KDE and GNOME desktops automatically recognize this and prompt for the password when the device is detected. If you have formatted your removable medium with a FAT file system, the user logged in to the desktop who enters the password for decryption automatically becomes the owner of the device and can read and write files there, because FAT stores no ownership information and ownership is assigned at mount time. For devices with a file system other than FAT, ownership is stored on the file system itself, so change it explicitly (for example, with chown on the mount point as root) before users other than root can read or write files on the device.