You are not logged in.

#1 2012-09-15 17:05:43

csolisr
Member
From: Costa Rica
Registered: 2012-06-10
Posts: 22
Website

A single encrypted user account along an unencrypted guest account?

I've been using Arch for about a year (the first six months as Parabola). My current setup uses a partition for /home and a single user (that I'll call /home/admin for the purposes of this post). I'm interested in encrypting my operative system, but since I'm not the only user of my computer, that would bring some problems. If I encrypt the whole partition, guest users (like my family) would require me to give them the password, pretty much defeating the purpose of encrypting the partition. That could be solved by using a guest account, but I haven't found how to encrypt a single account of a partition, so now I would have two unencrypted accounts. What I intend to do is to keep my current partition with two accounts: one, encrypted, for the administrator, and another one, unencrypted and without a password, for the guests (something like what Ubuntu does on its latest versions). Is it possible? Does it require wiping the current /home partition? (If it does, that would put me in a dead end, because I can't back my partition up.) Does it require to create extra partitions? And if it does, how do I have to configure the bootloader?

Offline

#2 2012-09-15 21:00:58

Pres
Member
Registered: 2011-09-12
Posts: 423

Re: A single encrypted user account along an unencrypted guest account?

I have a setup like this on my netbook (to lure any thief into using it so I can track them with prey). My main account is on an encrypted home, and I just set my guest account to use /guest as it's home directory. `man useradd` on how to do this.

Offline

#3 2012-09-15 23:12:22

csolisr
Member
From: Costa Rica
Registered: 2012-06-10
Posts: 22
Website

Re: A single encrypted user account along an unencrypted guest account?

@Pres:

Okay, let's see if I got my manual right.

useradd -U -m -d /guest guest

would make a new user named "guest", with no password, but I'd need to guess which groups the guest would be required to join and add them manually. Is that right? Also, how to encrypt a partition on-the-spot?

Offline

#4 2012-09-16 00:24:48

Pres
Member
Registered: 2011-09-12
Posts: 423

Re: A single encrypted user account along an unencrypted guest account?

You can't encrypt a partition on the spot as far as I know. You'll need to copy the data to another place and then encrypt and copy the data back. It's best to first prep the partition by writing random data over it (both to cover whatever data you had on there and also to make it harder to analyze, since encrypted data will be indistinguishable from random data). This will get you started:
https://wiki.archlinux.org/index.php/LUKS

You'll probably also want to look into pam_mount:
https://wiki.archlinux.org/index.php/Pam_mount

I believe I had to add a password for the guest account with pam_mount. Otherwise it would ask for the encryption passphrase when logging in for some reason. I just set it to "guest" and echoed that in /etc/issue so any user would know the password.

Offline

#5 2012-09-16 01:01:46

csolisr
Member
From: Costa Rica
Registered: 2012-06-10
Posts: 22
Website

Re: A single encrypted user account along an unencrypted guest account?

You'll need to copy the data to another place and then encrypt and copy the data back. It's best to first prep the partition by writing random data over it

Something more or less easy, if I ever get an external HDD. Currently my /home partition is filled well over the 50%, so I can't just shrink to make a temporary partition, fill with random data, format, move data between partitions, delete the old partition, fill with more random data, and expand the encrypted partition (if that could be done without issues, that is).

I believe I had to add a password for the guest account with pam_mount. Otherwise it would ask for the encryption passphrase when logging in for some reason. I just set it to "guest" and echoed that in /etc/issue so any user would know the password.

Now we're having issues. My computer, as it's working right now, logs in directly without a password. If I had to tell my mom that now she needs to log to this account and enter this password (something hard for her, since she's not that good at typing), suspicions would surely arise. (Not that I'm doing anything weird or illegal - just wanting my data to be safer.)

Offline

#6 2012-09-16 01:27:08

Pres
Member
Registered: 2011-09-12
Posts: 423

Re: A single encrypted user account along an unencrypted guest account?

If this system is set up to automatically log in to a shared account, then encrypting the entire home directory is not what you want. It's not possible to (securely) encrypt your partition and still have it automatically log in. If it's just your data you are worried about, then look into a Truecrypt volume or creating another encrypted partition where your own data resides. You can then just mount this partition or the Truecrypt volume when you want to access your data.

Offline

#7 2012-09-16 12:57:54

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,277

Re: A single encrypted user account along an unencrypted guest account?

An alternative to truecrypt also is ecryptfs, which is supported by the kernel like Luks/dm-crypt and GPL. It is the method Ubuntu uses (which you quote in your OP). Have a look at: https://wiki.archlinux.org/index.php/Di … ison_table

ecryptfs enables you to have an encrypted home directory per-user (i.e. one user can use it, the other not). A pretty comprehensive introduction on it you find here: http://www.linux-mag.com/id/7568/
Then of course: https://wiki.archlinux.org/index.php/ECryptfs

Being short on diskspace always is problematic when setting up something like that. Maybe try it out with a new user.

edit: typo

Last edited by Strike0 (2012-09-16 15:59:33)

Offline

Board footer

Powered by FluxBB