Encrypting Partitions and Files

Contents

31.1. Setting Up an Encrypted File System with YaST
31.2. Using Encrypted Home Directories
31.3. Using vi to Encrypt Single ASCII Text Files

Every user has some confidential data that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system. Laptops or removable media, such as external hard disks or USB sticks, are prone to being lost or stolen. Thus, it is recommended to encrypt the parts of your file that hold confidential data.

There are several ways to protect your data by means of encryption:

Encrypting a Hard Disk Partition

You can create an encrypted partition with YaST during installation or in an already installed system. Refer to Section 31.1.1, “Creating an Encrypted Partition during Installation” and Section 31.1.2, “Creating an Encrypted Partition on a Running System” for details. This option can also be used for removable media, such as external hard disks, as described in Section 31.1.4, “Encrypting the Content of Removable Media”.

Creating an Encrypted File as Container

You can create an encrypted file on your hard disk or on a removable medium with YaST at any time. The encrypted file can then be used to store other files or folders. For more information, refer to Section 31.1.3, “Creating an Encrypted File as a Container”.

Encrypting Home Directories

With openSUSE, you can also create encrypted home directories for users. When the user logs in to the system, the encrypted home directory is mounted and the contents are made available to the user. Refer to Section 31.2, “Using Encrypted Home Directories” for more information.

Encrypting Single ASCII Text Files

If you only have a small number of ASCII text files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using the vi editor. Refer to Section 31.3, “Using vi to Encrypt Single ASCII Text Files” for more information.

[Warning]Encrypted Media Offers Limited Protection

The methods described in this chapter offer only limited protection. You cannot protect your running system from being compromised. After the encrypted medium is successfully mounted, everybody with appropriate permissions has access to it. However, encrypted media are useful in case of loss or theft of your computer or to prevent unauthorized individuals from reading your confidential data.

Setting Up an Encrypted File System with YaST

Use YaST to encrypt partitions or parts of your file system during installation or in an already installed system. However, encrypting a partition in an already installed system is more difficult, because you have to resize and change existing partitions. In such cases, it may be more convenient to create an encrypted file of a defined size in which to store other files or parts of your file system. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST, does not include an encrypted partition, by default. Add it manually in the partitioning dialog.

Creating an Encrypted Partition during Installation

[Warning]Password Input

Make sure to memorize the password for your encrypted partitions well. Without that password you cannot access or restore the encrypted data.

The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition. To create a new encrypted partition proceed as follows:

  1. Run the YaST Partitioner from the YaST Control Center with System+Partitioner

  2. Click Create and select a primary or a logical partition.

  3. Select the desired file system, size and mount point of this partition.

  4. If the encrypted file system should only be mounted when necessary, enable Do Not Mount at System Start-up in the Fstab Options.

  5. Activate the Encrypt file system check box.

  6. Click OK. You will be prompted for a password that is used to encrypt this partition. This password is not displayed. To prevent typing errors, enter the password twice.

  7. Complete the process by clicking OK. The new encrypted partition is now created.

Unless Do Not Mount at System Start-up was selected, the operating system requests the password while booting before mounting the partition. The partition is available to all users once it has been mounted.

To skip mounting the encrypted partition during start-up, click Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data.

To access an encrypted partition that is not mounted during boot, mount the partition manually by entering mount  name_of_partition mount_point. Enter the password when prompted for it. After you are done with working on this partition, unmount it with umount name_of_partition to protect it from access by other users.

When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation. In this case follow the description in Section 31.1.2, “Creating an Encrypted Partition on a Running System” and be aware that this action destroys all data on the existing partition to encrypt.

Creating an Encrypted Partition on a Running System

[Warning]Activating Encryption in a Running System

It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it and requires resizing and restructuring of existing partitions.

On a running system, select System+Partitioning in the YaST Control Center. Click Yes to proceed. In the Expert Partitioner, select the partition to encrypt and click Edit. The rest of the procedure is the same as described in Section 31.1.1, “Creating an Encrypted Partition during Installation”.

Creating an Encrypted File as a Container

Instead of using a partition, it is possible to create an encrypted file of a certain size that can then hold other files or folders containing confidential data. Such container files are created from the YaST Expert Partitioner dialog. Select Crypt File and enter the full path to the file and its size. Accept or change the proposed formatting settings and the file system type. Specify the mount point and decide whether the encrypted file system should be mounted at system boot.

The advantage of encrypted container files over encrypted partitions is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.

Encrypting the Content of Removable Media

YaST treats removable media like external hard disks or USB flash drives the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. However, enable Do Not Mount During Booting in the Fstab Options dialog, because removable media are usually only connected while the system is running.

If you have encrypted your removable device with YaST, the KDE and GNOME desktops automatically recognize the encrypted partition and prompt for the password when the device is detected. If you plug in a FAT formatted removable device while running KDE or GNOME, the desktop user entering the password automatically becomes the owner of the device and can read and write files. For devices with a file system other than FAT, change the ownership explicitly for users other than root to enable these users to read or write files on the device.