Contents
Most users have some confidential data on their computer that third parties should not be able to access. The more you rely on mobile computing and on working in different environments and networks, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have network or physical access to your system. Laptops or removable media, such as external hard disks or USB sticks, are prone to being lost or stolen. Thus, it is recommended to encrypt the parts of your filesystem that hold confidential data.
There are several ways to protect your data by means of encryption:
- Encrypting a Hard Disk Partition
You can create an encrypted partition with YaST during installation or in an already installed system. Refer to Section 11.1.1, “Creating an Encrypted Partition during Installation” and Section 11.1.2, “Creating an Encrypted Partition on a Running System” for details. This option can also be used for removable media, such as external hard disks, as described in Section 11.1.4, “Encrypting the Content of Removable Media”.
- Creating an Encrypted File as Container
You can create an encrypted file on your hard disk or on a removable medium with YaST at any time. The encrypted file can then be used to store other files or folders. For more information, refer to Section 11.1.3, “Creating an Encrypted File as a Container”.
- Encrypting Home Directories
With openSUSE, you can also create encrypted user home directories. When the user logs in to the system, the encrypted home directory is mounted and the contents are made available to the user. Refer to Section 11.2, “Using Encrypted Home Directories” for more information.
- Encrypting Single ASCII Text Files
If you only have a small number of ASCII text files that hold sensitive or confidential data, you can encrypt them individually and protect them with a password using Kgpg or the vi editor. Refer to Section “The KGpg Editor” (Chapter 7, Encryption with KGpg, ↑Application Guide) and Section 11.3, “Using vi to Encrypt Single ASCII Text Files” for more information.
![[Warning]](admon/warning.png) | Encrypted Media Offers Limited Protection |
|---|---|
The methods described in this chapter offer only a limited protection. You cannot protect your running system from being compromised. After the encrypted medium is successfully mounted, everybody with appropriate permissions has access to it. However, encrypted media are useful in case of loss or theft of your computer, or to prevent unauthorized individuals from reading your confidential data. | |
Use YaST to encrypt partitions or parts of your file system during installation or in an already installed system. However, encrypting a partition in an already-installed system is more difficult, because you have to resize and change existing partitions. In such cases, it may be more convenient to create an encrypted file of a defined region, in which to store other files or parts of your file system. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST, does not include an encrypted partition by default. Add it manually in the partitioning dialog.
| Password Input |
|---|---|
Make sure to memorize the password for your encrypted partitions well. Without that password, you cannot access or restore the encrypted data. | |
The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition. To create a new encrypted partition proceed as follows:
Run the YaST Expert Partitioner with ++.
Select a harddisk, click , and select a primary or an extended partition.
Select the partition size or the region to use on the disk.
Select the file system, and mount point of this partition.
Activate the check box.
![[Note]](admon/note.png)
Additional Software Required After checking , a popup window asking for installing additional software may appear. Confirm to install all the required packages to ensure that the encrypted partition works well.
Click and enter a password which is used to encrypt this partition. This password is not displayed. To prevent typing errors, you need to enter the password twice.
Complete the process by clicking . The newly-encrypted partition is now created.
When you need to mount an encrypted partition, open your file manager and click on the partition entry in the pane listing common places on your filesystem. You will be prompted for a password and the partition will be mounted.
When you are installing your system on a machine where partitions already exist, you can also decide to encrypt an existing partition during installation. In this case follow the description in Section 11.1.2, “Creating an Encrypted Partition on a Running System” and be aware that this action destroys all data on the existing partition.
| Activating Encryption on a Running System |
|---|---|
It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it, and requires resizing and restructuring of existing partitions. | |
On a running system, select + in the YaST Control Center. Click to proceed. In the , select the partition to encrypt and click . The rest of the procedure is the same as described in Section 11.1.1, “Creating an Encrypted Partition during Installation”.
Instead of using a partition, it is possible to create an encrypted file, which can hold other files or folders containing confidential data. Such container files are created from the YaST Expert Partitioner dialog. Select + and enter the full path to the file and its size. If YaST should create the container file, activate the checkbox . Accept or change the proposed formatting settings and the file system type. Specify the mount point and make sure that is checked.
Click , enter your password for decrypting the file, and confirm with .
The advantage of encrypted container files over encrypted partitions is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.
YaST treats removable media (like external hard disks or USB flash drives) the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. Do not, however, enable mounting at boot time, because removable media are usually only connected while the system is running.
If you encrypted your removable device with YaST, the KDE and GNOME
desktops automatically recognize the encrypted partition and prompt for
the password when the device is detected. If you plug in a FAT formatted
removable device while running KDE or GNOME, the desktop user entering
the password automatically becomes the owner of the device and can read
and write files. For devices with a file system other than FAT, change
the ownership explicitly for users other than root to enable these
users to read or write files on the device.
To protect data in home directories from being stolen and consequent unauthorized access, use the YaST user management module to enable encryption of home directories. You can create encrypted home directories for new or existing users. To encrypt or decrypt home directories of already existing users, you need to know their login password. See Abschnitt „Verwalten verschlüsselter Home-Verzeichnisse“ (Kapitel 8, Verwalten von Benutzern mit YaST, ↑Referenz) for instructions.
Encrypted home partitions are created within a file container as
described in Section 11.1.3, “Creating an Encrypted File as a Container”. Two
files are created under /home for each encrypted
home directory:
LOGIN.imgThe image holding the directory
LOGIN.keyThe image key, protected with the user's login password.
On login, the home directory automatically gets decrypted. Internally, it
works through the pam module called pam_mount. If
you need to add an additional login method that provides encrypted home
directories, you have to add this module to the respective configuration
file in /etc/pam.d/. For more information see also
Chapter 2, Authentication with PAM and the man page of pam_mount.
| Security Restrictions |
|---|---|
Encrypting a user's home directory does not provide strong security from other users. If strong security is required, the system should not be shared physically.
To enhance security, also encrypt the | |
The disadvantage of using encrypted partitions is obvious: While the
partition is mounted, at least
root can access the data. To
prevent this, vi can be used in encrypted mode.
Use vi -x
filename to edit a new file. vi
prompts you to set a password, after which it encrypts the content of the
file. Whenever you access this file, vi requests the correct password.
For even more security, you can place the encrypted text file in an encrypted partition. This is recommended because the encryption used in vi is not very strong.