Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have access over a network connection or direct physical access.
|Encrypted Media Is Limited Protection|
Be aware that with the methods described in this section, you cannot protect your running system from being compromised. After the encrypted media is successfully mounted, everybody with appropriate permissions has access to it. Encrypted media makes sense if you lose your computer or it is stolen and unauthorized individuals want to read your confidental data.
The following list features a number of imaginable usage scenarios.
If you travel with your laptop, it is a good idea to encrypt hard disk partitions containing confidential data. If you lose your laptop or if it is stolen, your data will be out of reach if it resides in an encrypted file system or a single encrypted file.
USB flash drives or external hard disks are as prone to being stolen as laptops. An encrypted file system provides protection against third-party access.
In companies where almost everyone has access to your computer, it can makes sense to encrypt partition or single files.
YaST offers the encryption of files or partitions during installation as well as in an already installed system. An encrypted file can be created at any time, because it fits nicely in an existing partition layout. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST does not, by default, include an encrypted partition. Add it manually in the partitioning dialog.
Observe the warnings about password security when setting the password for encrypted partitions and memorize it well. Without the password, the encrypted data cannot be accessed or restored.
The YaST expert dialog for partitioning, described in Section 2.5.6, “Partitioner” (↑Start-Up), offers the options needed for creating an encrypted partition. Click like when creating a regular partition. In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the process by clicking . In the following dialog, enter the password twice. The new encrypted partition is created after the partitioning dialog is closed by clicking . While booting, the operating system requests the password before mounting the partition.
If you do not want to mount the encrypted partition during start-up, click Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data. The partition is available to all users once it has been mounted.
If the encrypted file system should only be mounted when necessary,
Enter the password when prompted to do so.
After finishing your work with the partition, unmount it with
to protect it from access by other users.
|Activating Encryption in a Running System|
It is also possible to create encrypted partitions on a running system like during installation. However, encrypting an existing partition destroys all data on it.
On a running system, select+ in the YaST control center. Click to proceed. Instead of selecting as mentioned above, click . The rest of the procedure is the same.
Instead of using a partition, it is possible to create encrypted file systems within single files for holding confidential data. These are created from the same YaST dialog. Selectand enter the path to the file to create along with its intended size. Accept the proposed formatting settings and the file system type. Then specify the mount point and decide whether the encrypted file system should be mounted when the system is booted.
The advantage of encrypted files is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.
The disadvantage of using encrypted partitions is that while
the partition is mounted, at least
root can access the data.
To prevent this, vi can be used in encrypted mode.
filename to edit a new file. vi prompts you to
set a password, after which it encrypts the content of the file. Whenever
you access this file, vi requests the correct password.
For even more security, you can place the encrypted text file in an encrypted partition. This is recommended because the encryption used in vi is not very strong.
YaST treats removable media like external hard disks or USB flash drives like any other hard disk. Files or partitions on such media can be encrypted as described above. However, do not select to mount these media when the system is booted, because they are usually only connected while the system is running.