Hello everyone!
I'm soon converting to the Linux world from Vista full-time. And to prep myself for future disasters I'm writing a step-by-step doc from /arch/setup to a fully functional OS so that I won't have to rely on having another PC with internet access if something goes wrong and if I ever need to reinstall Arch. And over to my question:
I've read the LUKS wiki about system encryption, but I really don't see the need to encrypt the root. Either I'm blind or it isn't mentioned how to encrypt only /home and how this will work in practice (how will the /home be mounted? On login or a password phrase on the bootup?)? I guess I can follow the wiki on the swap?
Thanks for all the help in advance.
Offline
I believe that it will be mounted by using the passphrase/file given in /etc/crypttab.
Offline
Encryption is only useful if you don't mount the filesystem on boot. In order for the point of encryption to work, you need to manually mount it so that if somebody were to gain access to your computer, they would have to know the password in order to mount the partition to see the contents.
Offline
IMHO it makes no sense to encrypt only home because the password is saved in /etc/crypttab, which is on another partition (you can also use a key, e.g. a USB stick, for decryption).
Last edited by arch0r (2008-12-29 22:16:04)
Offline
I use pam_mount to luksOpen and mount the LUKS partition over my /home/$USER on login, and unmount and luksClose when I log out. I've set my login password equal to my encryption password, however, so it's not as secure as having different passwords for login and LUKS, but it works well for me. You may use different passwords, but then you'll have to patch XDM/KDM/GDM (I think) - works in vc, though.
A different solution is to not store the password in /etc/crypttab, only partition and mountpoint. Upon boot you'll have to enter a password to decrypt and mount the partition, or not enter the password and continue booting without decrypting and mounting.
Offline
Encryption is only useful if you don't mount the filesystem on boot. In order for the point of encryption to work, you need to manually mount it so that if somebody were to gain access to your computer, they would have to know the password in order to mount the partition to see the contents.
not necessarily, as you can set crypttab to 'ASK' for a passphrase at boot. it's right there in the /etc/crypttab file. that's for mounting at boot time.
that said, i'm pretty sure the wiki page on system encryption includes some instructions for setting up non-root encrypted partitions and /etc/crypttab. and if it isn't in the archwiki, there are quite a few threads on this forum about it. and failing that, i know i found lots of good info with google when i first set up my system.
BaGan: use the goog, and may the goog be with you!
Last edited by kludge (2008-12-29 23:28:30)
[23:00:16] dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32] dr_kludge | can you guess what i'd call it?
[23:01:16] dr_kludge | nosilla.
[23:01:32] dr_kludge | i really should be going to bed. i'm giggling madly about that.
Offline
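The replies above differ on where the unlock secret lives: typed into /etc/crypttab, in a key file, or asked for at boot. The following is an added example, not code from the thread or from Arch, that classifies each crypttab entry by that question and lists the ones whose secret sits on the unencrypted root. It assumes the four-column layout NAME DEVICE PASSWORD OPTIONS with the `ASK` and `SWAP` keywords (plus `none` and `-` as used by systemd's crypttab); the sample entries, device names and the removable mount prefixes are constructed.

```python
import shlex

# Constructed sample, legacy Arch layout: NAME  DEVICE  PASSWORD  OPTIONS
SAMPLE_CRYPTTAB = """\
# NAME   SOURCE DEVICE   PASSWORD                  OPTIONS
home     /dev/sda3       ASK
data     /dev/sda4       "correct horse"
backup   /dev/sda5       /etc/backup.key
media    /dev/sda6       /mnt/usbstick/media.key
swap     /dev/sda2       SWAP                      -c aes-xts-plain -s 256
"""

PROMPT_TOKENS = {"ASK", "none", "-"}       # ASK: legacy Arch; none and -: systemd
REMOVABLE_PREFIXES = ("/mnt/", "/media/")  # assumed mount points for a USB key


def classify(secret):
    """Say where the unlock secret for one crypttab entry comes from."""
    if secret in PROMPT_TOKENS:
        return "prompt"
    if secret == "SWAP":
        return "random-swap-key"
    if secret.startswith("/"):
        if secret.startswith(REMOVABLE_PREFIXES):
            return "keyfile-removable"
        return "keyfile-on-root"
    return "inline-passphrase"


def audit(text):
    """Map each mapping name to the classification of its third field."""
    result = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quotes and '#'
        if len(fields) < 2:
            continue
        secret = fields[2] if len(fields) > 2 else "none"
        result[fields[0]] = classify(secret)
    return result


def exposed_at_rest(text):
    """Entries whose secret is readable from the unencrypted root partition."""
    bad = {"inline-passphrase", "keyfile-on-root"}
    return [name for name, kind in audit(text).items() if kind in bad]


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_CRYPTTAB).items():
        print(f"{name:8} {kind}")
    print("exposed at rest:", exposed_at_rest(SAMPLE_CRYPTTAB))
```

With only /home encrypted, the entries reported as exposed are the ones that anyone holding the powered-off disk can unlock without knowing a passphrase.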