Encrypting Data Partitions
Posted: 24 Aug 2005
Applies To:
- SUSE LINUX Enterprise Server
- SUSE LINUX Professional
- Novell Linux Desktop
- Open Enterprise Server
Note: If the passphrase for an encrypted partition is forgotten, all data on it
will be unrecoverable. The passphrase is the only key; there is no recovery key
and no way to reset it.
YaST includes the option to encrypt partitions. It is a good idea to encrypt
any partitions that contain sensitive data.
- In the YaST Partitioner create a new partition as normal:
- Select 'Create.'
- Select the disk to create the partition on.
- Select whether a primary or extended partition should be created (if
prompted).
- In the create partition dialog, select a filesystem (other than swap or
FAT) and a mount point. Note that you CANNOT encrypt /, /usr, /boot, or swap.
- Select a size for the partition.
- Check "Encrypt File System" and select 'OK'.
- Enter a password and select 'OK'.
The encrypted filesystem is created and its entry is added to /etc/cryptotab.
For example:

# cat /etc/cryptotab
/dev/loop0 /dev/sdb1 /encrypted_mount_point reiserfs twofish256,acl,user_xattr

The columns are, from left to right: the loop device, the underlying partition,
the mount point, the filesystem type, and the cipher followed by the mount
options.
When the system boots, a passphrase is required before the filesystem is
mounted:

Activating crypto devices using /etc/cryptotab ...
Please enter passphrase for /dev/sdb1:
It can be mounted and unmounted with the /etc/init.d/boot.crypto script. For
example:

To mount:   /etc/init.d/boot.crypto start
To unmount: /etc/init.d/boot.crypto stop
Alternatively, the mount commands can be used directly.
To mount an encrypted partition, a loopback device must first be established
with the same cipher that is listed in /etc/cryptotab:

# losetup -e twofish256 /dev/loop0 /dev/sdb1
Password:

Then, the loopback device can be mounted:

# mount /dev/loop0 /encrypted_mount_point
To unmount, use the umount command and then delete the loopback device:

# umount /encrypted_mount_point
# losetup -d /dev/loop0

Do not skip the second step: after umount alone, the loop device still holds
the key and root can still read the plaintext through /dev/loop0 until it is
detached.

Note that losetup does not verify the passphrase. If you get an error like
"mount: you must specify the filesystem type" when mounting, you have most
likely entered the wrong passphrase: the kernel is decrypting the partition
with the wrong key and sees random data with no recognisable superblock (with
an explicit -t option, mount instead reports a bad superblock). Delete the
loopback device with losetup -d and try again.
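The manual sequence above, wrapped in a small script. This is an added example and not part of the original article or of SUSE's boot.crypto: it parses a line in the layout the article shows for /etc/cryptotab, attaches the loop device with the listed cipher, mounts it, and detaches the loop device again if the mount fails (the usual symptom of a mistyped passphrase). It assumes the cryptoloop-era "losetup -e CIPHER" syntax used in the article; the sample entry is constructed and the script needs root to do anything real.

```shell
#!/bin/sh
# Added example, not from the original article: wrapper around the manual
# losetup/mount sequence for a cryptoloop partition.  Assumes the 2005-era
# "losetup -e CIPHER LOOPDEV PHYSDEV" syntax; root is required to run it.

# Constructed sample entry in the layout shown in the article (not a real system).
SAMPLE_ENTRY='/dev/loop0 /dev/sdb1 /encrypted_mount_point reiserfs twofish256,acl,user_xattr'

# parse_cryptotab_entry LINE
# Prints the six values "loopdev physdev mountpoint fstype cipher mountopts".
# The cipher is the first comma-separated token of the fifth column; anything
# after it, plus an optional sixth column, is treated as mount options, so both
# "twofish256,acl,user_xattr" and "twofish256 acl,user_xattr" are accepted.
# Comment and blank lines, or lines with too few columns, return 1.
parse_cryptotab_entry() {
    case $1 in '#'*|'') return 1 ;; esac   # skip comments and blank lines
    set -- $1                              # split the line on whitespace
    [ $# -ge 5 ] || return 1               # too few columns: not an entry
    cipher=${5%%,*}
    opts=${5#"$cipher"}
    opts=${opts#,}
    if [ $# -ge 6 ]; then
        opts="${opts:+$opts,}$6"
    fi
    printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$cipher" "${opts:-defaults}"
}

# crypto_mount LOOPDEV PHYSDEV MOUNTPOINT FSTYPE CIPHER MOUNTOPTS
# losetup prompts for the passphrase on the terminal, as in the article.
# A wrong passphrase does not make losetup fail; it makes the mount fail,
# because the kernel then sees random data with no recognisable superblock.
# In that case the loop device is detached so the next attempt starts clean.
crypto_mount() {
    [ $# -eq 6 ] || { echo "usage: crypto_mount loopdev physdev mnt fs cipher opts" >&2; return 2; }
    losetup -e "$5" "$1" "$2" || return 1
    if ! mount -t "$4" -o "$6" "$1" "$3"; then
        echo "mount of $1 on $3 failed (wrong passphrase?); detaching $1" >&2
        losetup -d "$1"
        return 1
    fi
}

# crypto_umount LOOPDEV PHYSDEV MOUNTPOINT FSTYPE CIPHER MOUNTOPTS
# umount alone is not enough: the loop device still holds the key and exposes
# the plaintext to root until it is detached.
crypto_umount() {
    [ $# -eq 6 ] || return 2
    umount "$3" && losetup -d "$1"
}

# Usage: sh cryptomount.sh mount|umount ['cryptotab line']
# Without an argument the script only defines the functions above.
case "${1:-}" in
    mount)  crypto_mount  $(parse_cryptotab_entry "${2:-$SAMPLE_ENTRY}") ;;
    umount) crypto_umount $(parse_cryptotab_entry "${2:-$SAMPLE_ENTRY}") ;;
esac
```

Run it as root with "mount" or "umount" and, optionally, the cryptotab line to act on; it defaults to the constructed sample entry, so replace that with your own line before use.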