hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Fri Jul 09, 2021 6:39 pm Post subject: How would I encrypt /home with a separate physical HDD?
Hi,
I want to reinstall Gentoo because I want to encrypt my installation, but I have no idea how I would go about doing it with a separate /home that is on a different physical HDD.
I was thinking about making 2 LVM mappers, but I'm not sure if that'd be the best way and how I'd go about even decrypting my /home when I boot up my system + my root partition. Would I just have to type in 2 different passwords when booting up to decrypt them?
Thank you.
_________________
Having problems compiling since 2021
Hu Administrator
Joined: 06 Mar 2007 Posts: 21706
Posted: Fri Jul 09, 2021 7:05 pm Post subject:

You could do that, or you could encrypt /home using a key file that is stored, unencrypted, on your root filesystem, which is encrypted. The block-level encryption of the root filesystem protects the key. Once you unlock the root filesystem, then /etc/init.d/dmcrypt, or an equivalent, can use the unencrypted key file to unlock /home. As an added safety, you could also assign /home a password that you will remember, so that if you ever need to get into it without the key file, you can.
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Fri Jul 09, 2021 7:11 pm Post subject:

Hu wrote:
> You could do that, or you could encrypt /home using a key file that is stored, unencrypted, on your root filesystem, which is encrypted. The block-level encryption of the root filesystem protects the key. Once you unlock the root filesystem, then /etc/init.d/dmcrypt, or an equivalent, can use the unencrypted key file to unlock /home. As an added safety, you could also assign /home a password that you will remember, so that if you ever need to get into it without the key file, you can.

I think I prefer having to type my password twice then, although would I set that up the way I described above? (2 LVM mappers)
_________________
Having problems compiling since 2021
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4240 Location: Bavaria
Posted: Fri Jul 09, 2021 7:34 pm Post subject:

I can recommend fscrypt. You have to type your password only once (with your login). It is unstable in Gentoo, but it works fine. I wrote a (German) description, but you only need the commands (and if you want you can use Google Translate): https://forums.gentoo.org/viewtopic-p-8629644.html#8629644
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Fri Jul 09, 2021 7:45 pm Post subject:

pietinger wrote:
> I can recommend fscrypt. You have to type your password only once (with your login). It is unstable in Gentoo, but it works fine. I wrote a (German) description, but you only need the commands (and if you want you can use Google Translate): https://forums.gentoo.org/viewtopic-p-8629644.html#8629644

I'll check it out, thanks!
_________________
Having problems compiling since 2021
Hu Administrator
Joined: 06 Mar 2007 Posts: 21706
Posted: Fri Jul 09, 2021 8:12 pm Post subject:

hjkl wrote:
> I think I prefer having to type my password twice then, although would I set that up the way I described above? (2 LVM mappers)

Why is typing the password twice better? If the key file is stored on an encrypted filesystem, and only accessible to root, then it is as secure as the data it protects.
Yes, you would create two LUKS devices (one per hard drive), and in each LUKS device, create an LVM PV, and so on down.
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Fri Jul 09, 2021 8:17 pm Post subject:

Hu wrote:
> hjkl wrote:
> > I think I prefer having to type my password twice then, although would I set that up the way I described above? (2 LVM mappers)
>
> Why is typing the password twice better? If the key file is stored on an encrypted filesystem, and only accessible to root, then it is as secure as the data it protects.
> Yes, you would create two LUKS devices (one per hard drive), and in each LUKS device, create an LVM PV, and so on down.

I'd do it this way because I have no idea how I'd go about setting it up in the way you told me.
_________________
Having problems compiling since 2021
rogge Tux's lil' helper
Joined: 13 Oct 2006 Posts: 132 Location: Erfurt
wwdev16 n00b
Joined: 29 Aug 2018 Posts: 52
Posted: Sat Jul 10, 2021 8:03 am Post subject:

An example of what I think Hu is suggesting is:
Code:
/dev/sdaN -> luks -> root fs
/dev/sdb  -> luks -> home fs
or using lvm on the main disk:
/dev/sda  -> luks -> lvm pv -> vg -> lv -> root fs
where the root fs has the binary-key for home fs.
Use dd with /dev/random as the input to create the binary-key for home fs.
Create the luks containers with cryptsetup luksFormat [--key-file <binary-key>] <block-dev>.
Look up cryptsetup open <block-dev> <decrypted-name>. Once opened, you can use /dev/mapper/<decrypted-name> as a block device to create file systems on or as a pv for lvm.
Look at /etc/conf.d/dmcrypt, it has an example for "/home with regular keyfile".
/etc/init.d/dmcrypt and /etc/conf.d/dmcrypt are installed by sys-fs/cryptsetup.
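As an added example (not code posted by anyone in this thread), the bash script below carries out the steps wwdev16 lists together with Hu's suggestion of a fallback passphrase: it creates a root-only binary key file on the encrypted root filesystem, refuses to go on unless that file has the permissions that make it "as secure as the data it protects", formats the /home disk with the key file, adds a memorable passphrase as a second LUKS key slot, and prints the stanza for /etc/conf.d/dmcrypt. The device /dev/sdb1, the key path /etc/keys/home.key and the mapper name home are assumptions; set DRY_RUN=1 to print the cryptsetup commands instead of running them, which is how the script can be reviewed without touching a disk.

```bash
#!/bin/bash
# Added example for the thread above, not code from the posters.
# Assumed values: /home disk = /dev/sdb1, key = /etc/keys/home.key,
# mapper name = home. Run as root; DRY_RUN=1 only prints commands.
set -u

# 1. Random binary key file, readable by root only. It lives on the
#    encrypted root fs, so it is only exposed after root is unlocked.
make_keyfile() {
    local keyfile="$1" bytes="${2:-4096}"
    mkdir -p "$(dirname "$keyfile")"
    # umask 077 so the file is never world-readable, not even briefly
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=1 count="$bytes" status=none )
    chmod 0400 "$keyfile"
}

# 2. Gatekeeper: the key file must exist, be mode 0400, hold at least
#    512 bytes and (when we are root) be owned by root. Returns 1 on
#    any failure so callers can stop before formatting anything.
check_keyfile() {
    local keyfile="$1" mode size
    [ -f "$keyfile" ] || return 1
    mode=$(stat -c '%a' "$keyfile") || return 1
    [ "$mode" = "400" ] || return 1
    size=$(stat -c '%s' "$keyfile") || return 1
    [ "$size" -ge 512 ] || return 1
    if [ "$(id -u)" = 0 ]; then
        [ "$(stat -c '%u' "$keyfile")" = 0 ] || return 1
    fi
    return 0
}

# run_cmd executes its arguments, or prints them when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 3. Format the /home device with the key file, add a passphrase as a
#    fallback key slot (luksAddKey uses the key file to authorise and
#    prompts for the new passphrase), then open the device. After
#    this, /dev/mapper/home is a plain block device for mkfs/pvcreate.
setup_home_luks() {
    local dev="$1" keyfile="$2"
    check_keyfile "$keyfile" || { echo "key file $keyfile fails checks" >&2; return 1; }
    run_cmd cryptsetup luksFormat --key-file "$keyfile" "$dev"
    run_cmd cryptsetup luksAddKey --key-file "$keyfile" "$dev"
    run_cmd cryptsetup open --key-file "$keyfile" "$dev" home
}

# 4. The /etc/conf.d/dmcrypt stanza read by /etc/init.d/dmcrypt once
#    root is mounted (same shape as that file's "regular keyfile" case).
dmcrypt_stanza() {
    local target="$1" dev="$2" keyfile="$3"
    printf "target=%s\nsource='%s'\nkey='%s'\n" "$target" "$dev" "$keyfile"
}

# Only act when explicitly asked, e.g.:
#   DRY_RUN=1 ./home-luks.sh --setup /dev/sdb1 /etc/keys/home.key
if [ "${1:-}" = "--setup" ]; then
    make_keyfile "$3"
    setup_home_luks "$2" "$3"
    dmcrypt_stanza crypt-home "$2" "$3"
fi
```

After the stanza is appended to /etc/conf.d/dmcrypt and the dmcrypt service is added to the boot runlevel, the only passphrase typed at boot is the one for root; /home is unlocked from the key file, and the second key slot remains available if the key file is ever lost.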
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Sat Jul 10, 2021 10:55 am Post subject:

wwdev16 wrote:
> An example of what I think Hu is suggesting is:
> Code:
> /dev/sdaN -> luks -> root fs
> /dev/sdb  -> luks -> home fs
> or using lvm on the main disk:
> /dev/sda  -> luks -> lvm pv -> vg -> lv -> root fs
> where the root fs has the binary-key for home fs.
> Use dd with /dev/random as the input to create the binary-key for home fs.
> Create the luks containers with cryptsetup luksFormat [--key-file <binary-key>] <block-dev>.
> Look up cryptsetup open <block-dev> <decrypted-name>. Once opened, you can use /dev/mapper/<decrypted-name> as a block device to create file systems on or as a pv for lvm.
> Look at /etc/conf.d/dmcrypt, it has an example for "/home with regular keyfile".
> /etc/init.d/dmcrypt and /etc/conf.d/dmcrypt are installed by sys-fs/cryptsetup.

Thanks, I think I figured it out.
I'll try it out in a virtual machine though.
_________________
Having problems compiling since 2021