Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] Creating a separate encrypted /home partition?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
saturnalia0
Apprentice
Apprentice


Joined: 13 Oct 2016
Posts: 158

PostPosted: Fri Aug 30, 2024 11:04 pm    Post subject: [SOLVED] Creating a separate encrypted /home partition? Reply with quote

Given recent events in my country, I believe it to be in my best interest to have my devices encrypted. My first instinct was to go with FDE, but AFAIK that would require a fresh install and has its own set of pitfalls. So I'm thinking about creating a separate partition for my /home and have only that encrypted. Maybe it's not the best, and I accept any comments on that, but I think it would fit my threat model of having things like the browser folder encrypted when I turn off my device. That being said, I found the following wiki page:

https://wiki.gentoo.org/wiki/Encrypt_a_home_directory_with_ECryptfs

As far as I understand, this does not create a new encrypted partition for /home, rather, it just creates an encrypted mount point. Which may be fine, but I wonder if a separate partition wouldn't be better? In the sense that things are then truly isolated. Sorry but I'm a bit of a noob when it comes to anything but file-level encryption. Any guidance is appreciated.


Last edited by saturnalia0 on Mon Sep 23, 2024 2:25 pm; edited 1 time in total
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5094
Location: Bavaria

PostPosted: Sat Aug 31, 2024 1:40 am    Post subject: Reply with quote

Maybe read this thread
https://forums.gentoo.org/viewtopic-t-1169021.html

I am using fscrypt as mentionend in my post there. fscrypt also has the great advantage that it comes with a pam_fscrypt.so, which ensures that the /home directory (or every directory you want = you have encrypted) is also unlocked at the same time as the login (so you don't need two logins/password inputs).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
saturnalia0
Apprentice
Apprentice


Joined: 13 Oct 2016
Posts: 158

PostPosted: Sat Aug 31, 2024 1:45 am    Post subject: Reply with quote

Thanks, I'll review that. I actually suggested some file-level encryption there myself, but I didn't remember the thread. I'll review your suggestion
Back to top
View user's profile Send private message
arran4
n00b
n00b


Joined: 19 Sep 2003
Posts: 13
Location: Melbourne, Australia

PostPosted: Sat Aug 31, 2024 2:15 am    Post subject: Reply with quote

There seems to be work on per-file / folder encryption going, I was watching https://www.youtube.com/watch?v=6YIc2fVLVPU talk about it. I believe homed can do this on btrfs (using fscrypt.)
Back to top
View user's profile Send private message
mega_flow
Tux's lil' helper
Tux's lil' helper


Joined: 26 Jun 2016
Posts: 95
Location: Belgium

PostPosted: Sat Aug 31, 2024 9:12 am    Post subject: Reply with quote

Or Systemd homeD . that 1 can encrypt too .Using for more ten a year now and work fine for me
_________________
default/linux/amd64/23.0/no-multilib/gnome/systemd gnome:46
Back to top
View user's profile Send private message
lars_the_bear
Guru
Guru


Joined: 05 Jun 2024
Posts: 517

PostPosted: Sun Sep 01, 2024 9:42 am    Post subject: Reply with quote

I'm a long-term user of ecryptfs and, while I'm aware of problems with it, it's hugely convenient.

In my view, anything short of whole-disk encryption of all storage devices runs the risk of a false sense of security. You need to keep track of every place that sensitive content might be written, and ensure that's in an encrypted container of some sort. Many applications write temporary and working files in all sorts of places -- /tmp, hidden directories under $HOME, and so on. And, if you're really paranoid, you need to wonder about what's going into the swap partition, if you have one.

I believe that all forms of per-directory or per-partition encryption are quite weak. But they're strong enough for the threats I believe I face in my personal use of a computer. For business I always use whole-disk encryption. I'd do the same for my home computers, if I felt that I was genuinely exposed to governmental or military threats.

BR, Lars.
Back to top
View user's profile Send private message
saturnalia0
Apprentice
Apprentice


Joined: 13 Oct 2016
Posts: 158

PostPosted: Sun Sep 01, 2024 11:31 am    Post subject: Reply with quote

So, my understanding is fscrypt is file-level encryption using the crypto support from the kernel.

This section from Arch wiki on fscrypt seems insightful:

Quote:

Alternatives [to fscrypt] to consider

To protect an entire file system with one password, block device encryption with dm-crypt (LUKS) is generally a better option, as it ensures that all files on the file system are encrypted, and also that all file system metadata is encrypted. fscrypt is most useful to encrypt specific directories, or to enable different encrypted directories to be unlockable independently—for example, per-user encrypted home directories.

Compared to eCryptfs, the Linux native file encryption controlled by fscrypt does not use file system stacking, which makes it more memory-efficient. It also uses more up-to-date cryptography and does not require root privileges to set up, which avoids the need for setuid binaries. eCryptfs is also no longer being actively developed, and its largest users (Ubuntu and Chrome OS) have migrated to other solutions.


This comparison to eCryptfs, which I originally considered, is very much relevant.

Since I want to encrypt the entire /home (so not per-user), maybe dm-crypt would be a better alternative to fscrypt? Seems like I could apply my original plan of creating a new encrypted /home partition, copying my files there, then shredding the originals. I.e. use dm-crypt for block device level encryption on that partition (but not the whole disk, i.e. not FDE). This seems to be exactly the scenario covered here:

https://wiki.archlinux.org/title/Dm-crypt/Encrypting_a_non-root_file_system#Partition

I think this is the way to go for me, with pam_mount to decrypt at login.
Back to top
View user's profile Send private message
simplycorbett
n00b
n00b


Joined: 14 Mar 2024
Posts: 27

PostPosted: Thu Sep 12, 2024 6:06 pm    Post subject: Reply with quote

I would personally just encrypt the entire drive or at least the / partition with /home.

If you want to encrypt just /home, my recommendation:

1) create a separate /home partition on a LUKS encrypted device
2) on boot when you get to the login screen change your terminal/monitor tty so you get a text session. Login as root (not the user and make sure root can be logged into).
3) unlock the encrypted home partition and mount it. Logout.
4) change your tty back to the login screen and proceed to login as normal.

You're done.

If you don't care about encrypting /boot, you can encrypted / as well. GRUB is able to unlock it. Make sure you make changes to your use flags so the system builds with support for this.

If you also want to encrypt /boot and the swap partition, it's a bit more complicated.
Back to top
View user's profile Send private message
simplycorbett
n00b
n00b


Joined: 14 Mar 2024
Posts: 27

PostPosted: Thu Sep 12, 2024 6:11 pm    Post subject: Reply with quote

As a side note if you boot up a livecd you can backup the entire home directory with this:
Code:

cd /mnt/gentoo/home
tar -cvpzf backup.tar.gz --exclude=backup.tar.gz --one-file-system .
move file off partition


Once you recreate the home partition in luks and mount it, do the following:

Code:
cd /mnt/gentoo/home
move file back
sudo tar -xvpzf backup.tar.gz -C . --numeric-owner


you're done.
Back to top
View user's profile Send private message
Hu
Administrator
Administrator


Joined: 06 Mar 2007
Posts: 22619

PostPosted: Thu Sep 12, 2024 6:46 pm    Post subject: Reply with quote

Rather than create the file on the partition and then move it, why not create it where you want it to be? Likewise, there is no need to move the tar file back onto the encrypted partition before unpacking it.
Back to top
View user's profile Send private message
simplycorbett
n00b
n00b


Joined: 14 Mar 2024
Posts: 27

PostPosted: Thu Sep 12, 2024 7:45 pm    Post subject: Reply with quote

Hu wrote:
Rather than create the file on the partition and then move it, why not create it where you want it to be? Likewise, there is no need to move the tar file back onto the encrypted partition before unpacking it.


TBH I have very little understanding of the tar command. It’s just something I copy/pasted from an article years ago that works for me. I’ve kept it saved in my notes.

You’re right, you don’t have to move the file back. I use a storage server and use scp to move the file. If it’s on a locally mounted drive it should be okay.
Back to top
View user's profile Send private message
saturnalia0
Apprentice
Apprentice


Joined: 13 Oct 2016
Posts: 158

PostPosted: Mon Sep 23, 2024 2:25 pm    Post subject: Reply with quote

Just in case it's useful for anyone finding themselves here through a web search, this is what I ended up doing and worked well for me:

1. Create a /home partition in a new drive

For this just follow the handbook: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Disks#Partitioning_the_disk_with_GPT_for_UEFI

Create the partition but not the filesystem.

2. Setup encrypted storage for the partition

Basically follow the wiki: https://wiki.gentoo.org/wiki/Dm-crypt

I've upgraded the wiki page with some details that I found useful.

3. Move to the new home

With the encrypted partition created, manually opened, and mounted to /mnt/home, copy the files to the encrypted home:

Code:

rsync -av /home/ /mnt/home/
mv /home /old_home


Then finish dm-crypt setup per the aforementioned wiki, editing fstab such that the new encrypted home is auto-mounted to /home once the unencrypted UUID becomes available.

I've decided to move the old home and once I verified everything is working / after a baking period I intend to shred the old files (see https://wiki.archlinux.org/title/Securely_wipe_disk).

I did not need pam_mount in the end, as I'm prompted for the password on boot, which is fine for my single (physical) user setup.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum