4.3. Encrypting Partitions and Files

Every user has some confidential data that third parties should not be able to access. The more connected and mobile you are, the more carefully you should handle your data. The encryption of files or entire partitions is recommended if others have access over a network connection or direct physical access.

[Warning]Encrypted Media Is Limited Protection

Be aware that with the methods described in this section, you cannot protect your running system from being compromised. After the encrypted media is successfully mounted, everybody with appropriate permissions has access to it. Encrypted media makes sense if you lose your computer or it is stolen and unauthorized individuals want to read your confidental data.

The following list features a number of imaginable usage scenarios.

Laptops

If you travel with your laptop, it is a good idea to encrypt hard disk partitions containing confidential data. If you lose your laptop or if it is stolen, your data will be out of reach if it resides in an encrypted file system or a single encrypted file.

Removable Media

USB flash drives or external hard disks are as prone to being stolen as laptops. An encrypted file system provides protection against third-party access.

Workstations

In companies where almost everyone has access to your computer, it can makes sense to encrypt partition or single files.

4.3.1. Setting Up a Crypto File System with YaST

YaST offers the encryption of files or partitions during installation as well as in an already installed system. An encrypted file can be created at any time, because it fits nicely in an existing partition layout. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST does not, by default, include an encrypted partition. Add it manually in the partitioning dialog.

4.3.1.1. Creating an Encrypted Partition during Installation

[Warning]Password Input

Observe the warnings about password security when setting the password for encrypted partitions and memorize it well. Without the password, the encrypted data cannot be accessed or restored.

The YaST expert dialog for partitioning, described in Section 2.5.6, “Partitioner” (↑Start-Up), offers the options needed for creating an encrypted partition. Click Create like when creating a regular partition. In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the process by clicking Encrypt File System. In the following dialog, enter the password twice. The new encrypted partition is created after the partitioning dialog is closed by clicking OK. While booting, the operating system requests the password before mounting the partition.

If you do not want to mount the encrypted partition during start-up, click Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data. The partition is available to all users once it has been mounted.

If the encrypted file system should only be mounted when necessary, enable Do Not Mount During Booting in the fstab Options dialog. The respective partition will not be mounted when the system is booted. To make it available afterwards, mount it manually with mount name_of_partition mount_point. Enter the password when prompted to do so. After finishing your work with the partition, unmount it with umount name_of_partition to protect it from access by other users.

4.3.1.2. Creating an Encrypted Partition on a Running System

[Warning]Activating Encryption in a Running System

It is also possible to create encrypted partitions on a running system like during installation. However, encrypting an existing partition destroys all data on it.

On a running system, select System+Partitioning in the YaST control center. Click Yes to proceed. Instead of selecting Create as mentioned above, click Edit. The rest of the procedure is the same.

4.3.1.3. Installing Encrypted Files

Instead of using a partition, it is possible to create encrypted file systems within single files for holding confidential data. These are created from the same YaST dialog. Select Crypt File and enter the path to the file to create along with its intended size. Accept the proposed formatting settings and the file system type. Then specify the mount point and decide whether the encrypted file system should be mounted when the system is booted.

The advantage of encrypted files is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.

4.3.1.4. Using vi to Encrypt Files

The disadvantage of using encrypted partitions is that while the partition is mounted, at least root can access the data. To prevent this, vi can be used in encrypted mode.

Use vi -x filename to edit a new file. vi prompts you to set a password, after which it encrypts the content of the file. Whenever you access this file, vi requests the correct password.

For even more security, you can place the encrypted text file in an encrypted partition. This is recommended because the encryption used in vi is not very strong.

4.3.2. Encrypting the Content of Removable Media

YaST treats removable media like external hard disks or USB flash drives like any other hard disk. Files or partitions on such media can be encrypted as described above. However, do not select to mount these media when the system is booted, because they are usually only connected while the system is running.