openSUSE 10.3 encrypted partitions

Sensei21

Hi,

What's the state of support for encrypted /home partitions?

Which version of cryptsetup is shipped?

Thanks in advance

Regards

freak01
 
Code:
cryptsetup -?
cryptsetup 1.0.5
Usage: cryptsetup [OPTION...] <action> <action-specific>]
  -v, --verbose               Shows more detailed error messages
  -c, --cipher=STRING         The cipher used to encrypt the disk (see
                              /proc/crypto) (default: null)
  -h, --hash=STRING           The hash used to create the encryption key from
                              the passphrase (default: "ripemd160")
  -y, --verify-passphrase     Verifies the passphrase by asking for it twice
  -d, --key-file=STRING       Read the key from a file (can be /dev/random)
  -s, --key-size=BITS         The size of the encryption key (default: 0)
  -b, --size=SECTORS          The size of the device
  -o, --offset=SECTORS        The start offset in the backend device
  -p, --skip=SECTORS          How many sectors of the encrypted data to skip
                              at the beginning
  -r, --readonly              Create a readonly mapping
  -i, --iter-time=msecs       PBKDF2 iteration time for LUKS (in ms)
  -q, --batch-mode            Do not ask for confirmation
  --version                   Print package version
  -t, --timeout=secs          Timeout for interactive passphrase prompt (in
                              seconds)
  -T, --tries=INT             How often the input of the passphrase can be
                              retried
  --align-payload=SECTORS     Align payload at <n> sector boundaries - for
                              luksFormat

Help options:
  -?, --help                  Show this help message
  --usage                     Display brief usage

<action> is one of:
        create <name> <device> - create device
        remove <name> - remove device
        reload <name> - modify active device
        resize <name> - resize active device
        status <name> - show device status
        luksFormat <device> [<new key file>] - formats a LUKS device
        luksOpen <device> <name>  - open LUKS device as mapping <name>
        luksDelKey <device> <key slot> - wipes key with number <key slot> from LUKS device
        luksAddKey <device> [<new key file>] - add key to LUKS device
        luksUUID <device> - print UUID of LUKS device
        isLuks <device> - tests <device> for LUKS partition header
        luksClose <name> - remove LUKS mapping
        luksDump <device> - dump LUKS partition information

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action
See also the documentation:
40.0 Encrypting Partitions and Files
There are several ways to protect your data by means of encryption:
...
Encrypting a Hard Disk Partition
...
Creating an Encrypted File as Container
...
Encrypting Home Directories
...
Encrypting Single Files
...
http://www.novell.com/documentation/opensuse103/opensuse103_reference/data/cha_cryptofs.html

hth

Edit:
Some additional information from the release notes:
Changes in Setting up Encrypted Partitions

The back-end technology of boot.crypto has been changed from cryptoloop to dm-crypt.

Any old /etc/cryptotab will work unmodified on openSUSE 10.3 (modulo hdX->sdX issues due to libata changes—see above). Additionally, /etc/crypttab (note the missing 'o') is now supported which also includes support for LUKS volumes. In contrast to previous releases boot.crypto is no longer enabled by default. YaST enables it if you create an encrypted volume with YaST. You can also manually enable it with the following command:

chkconfig boot.crypto on

It is still possible to use cryptoloop via losetup and mount. Since we dropped the crude loop-AES patch from the util-linux package, some parameters for losetup (such as itercountk and pseed) no longer exist. If any of these settings are used in /etc/fstab the device cannot be mounted directly any more. Migrate these settings to /etc/crypttab where boot.crypto contains the necessary compatibility code.
http://www.suse.com/relnotes/i386/openSUSE/10.3/RELEASE-NOTES.en.html

Regards, limoni
 
The catch with the whole thing seems to be that I have to do it by hand if I want to use an already existing /home partition that is encrypted.

Or am I getting that wrong?

My motto:
if point-and-click, then completely point-and-click, and if that isn't possible, I might as well stay with Gentoo
 
Sorry for the double post:

Ha! I knew it ;) I had to delete the /home partition :freak:

The encryption isn't ideal either -> suggestion for improvement: a choice of method, because the suggested aes-essiv-cbc is by now already dated again, which is why I had to create it manually. In any case it deserves praise that you can create encrypted swap files & partitions - during setup!!! :king:

Well, syncing 180 GB goes really quickly :freaky:

openSUSE ftw :eek: (by the way, I have it installed now) & it only took about half an hour *yay*
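
Added example (not part of the original posts): a shell check that reads `cryptsetup luksDump` output and reports which cipher mode a LUKS volume uses, flagging the cbc-essiv setup discussed in the last post. The sample header, the device /dev/sdX3 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the cipher settings shown by `cryptsetup luksDump`.

# Constructed sample in the LUKS1 luksDump layout (digest, salt and key-slot
# lines omitted); /dev/sdX3 is a placeholder device.
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdX3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 1032
MK bits:        128
EOF
}

# luks_field <label>: print the value of one "Label: value" line read from stdin.
# Only the first colon is treated as the separator, so "cbc-essiv:sha256" survives.
luks_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# audit_luks_dump: read luksDump text on stdin, print "<cipher>-<mode>-<bits> <verdict>".
# Returns 2 and prints "unparsed" if the expected header fields are missing.
audit_luks_dump() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    if [ -z "$name" ] || [ -z "$mode" ] || [ -z "$bits" ]; then
        echo "unparsed"; return 2
    fi
    case "$mode" in
        xts-*)           verdict=current ;;  # XTS: default of later cryptsetup releases
        cbc-essiv:*)     verdict=dated ;;    # the mode the post above calls dated
        cbc-plain*|ecb*) verdict=weak ;;     # predictable IVs, or no chaining at all
        *)               verdict=review ;;   # unknown mode: inspect by hand
    esac
    echo "$name-$mode-$bits $verdict"
}

# On a real system (as root): cryptsetup luksDump <device> | audit_luks_dump
sample_dump | audit_luks_dump
```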
 