Encrypting Data Partitions

Novell Cool Solutions: Feature
By Kirk Coombs

Posted: 24 Aug 2005

Applies To:

  • SUSE Linux Enterprise Server
  • SUSE Linux Professional
  • Novell Linux Desktop
  • Open Enterprise Server

Note: If the password for an encrypted partition is forgotten, all data will be unrecoverable!

YaST includes the option to encrypt partitions. It is a good idea to encrypt any partitions that contain sensitive data.

  1. In the YaST Partitioner create a new partition as normal:
    1. Select 'Create.'
    2. Select the disk to create the partition on.
    3. Select whether a primary or extended partition should be created (if prompted).
  2. In the create partition dialog, select a filesystem (other than swap or FAT) and a mount point. Note that you CANNOT encrypt /, /usr, /boot, or swap.
  3. Select a size for the partition.
  4. Check "Encrypt File System" and select 'OK'.
  5. Enter a password and select 'OK'.

The encrypted filesystem is created and its entry is added to /etc/cryptotab. For example:

# cat /etc/cryptotab
/dev/loop0 /dev/sdb1 /encrypted_mount_point reiserfs twofish256,acl,user_xattr

When the system boots, a password is required before the filesystem is mounted:

Activating crypto devices using /etc/cryptotab ...
Please enter passphrase for /dev/sdb1:

It can be mounted and unmounted with the /etc/init.d/boot.crypto script. For example:

To mount:

/etc/init.d/boot.crypto start

To unmount:

/etc/init.d/boot.crypto stop

Alternatively, the mount commands can be used directly.

To mount an encrypted partition, a loopback device must first be established:

# losetup -e twofish256 /dev/loop0 /dev/sdb1
Password:

Then, the loopback device can be mounted:

# mount /dev/loop0 /encrypted_mount_point

To unmount, simply use the umount command then delete the loopback device:

# umount /encrypted_mount_point
# losetup -d /dev/loop0

Note that if you get an error like "mount: you must specify the filesystem type" when mounting, you may have entered the wrong password. Delete the loopback device and try again.
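The losetup/mount/umount sequence above, wrapped so that a failed mount (the wrong-password case) detaches the loop device before returning, as an added shell example that is not part of the original article. It assumes a six-field cryptotab layout (loop device, partition, mount point, filesystem, cipher, mount options), reads a constructed table rather than the real /etc/cryptotab, and with RUN=echo only prints the commands, so it can be exercised without root.

```shell
# Added example, not from the original article: mount or unmount one
# /etc/cryptotab entry with losetup/mount, detaching the loop device when the
# mount fails (the wrong-passphrase symptom the article describes). CRYPTOTAB
# selects the table to read; RUN=echo prints the commands instead of running them.
CRYPTOTAB="${CRYPTOTAB:-/etc/cryptotab}"
RUN="${RUN:-}"

# Constructed cryptotab (assumed 6-field layout) written to a temp file; the
# last line uses the comma-joined form quoted in the article. Prints the path.
sample_cryptotab() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# loop_dev  crypto_dev  mount_point             fstype    cipher      options
/dev/loop0  /dev/sdb1   /encrypted_mount_point  reiserfs  twofish256  acl,user_xattr
/dev/loop1  /dev/sdc1   /archive                ext3      twofish256  defaults
/dev/loop2  /dev/sdd1   /legacy                 reiserfs  twofish256,acl,user_xattr
EOF
    printf '%s\n' "$f"
}

# Print the entry whose mount point (3rd field) is $1; comments are ignored.
crypt_entry() {
    sed 's/#.*//' "$CRYPTOTAB" | awk -v mp="$1" '$3 == mp { print; exit }'
}

# Mount the partition for mount point $1. Returns 1 if there is no entry,
# 2 if losetup fails, 3 if mount fails (the loop device is then detached).
crypt_mount() {
    entry=$(crypt_entry "$1"); [ -n "$entry" ] || return 1
    set -- $entry
    loop=$1 dev=$2 mp=$3 fstype=$4 cipher=$5 opts=$6
    # Split the comma-joined "cipher,options" variant into its two fields.
    case $opts:$cipher in :*,*) opts=${cipher#*,}; cipher=${cipher%%,*} ;; esac
    $RUN losetup -e "$cipher" "$loop" "$dev" || return 2
    if ! $RUN mount -t "$fstype" -o "${opts:-defaults}" "$loop" "$mp"; then
        $RUN losetup -d "$loop"   # free the loop device so a retry is possible
        return 3
    fi
}

# Unmount the partition for mount point $1 and delete its loop device.
crypt_umount() {
    entry=$(crypt_entry "$1"); [ -n "$entry" ] || return 1
    set -- $entry
    $RUN umount "$3" && $RUN losetup -d "$1"
}

# Dry run against the constructed table:  sh crypt.sh --demo
if [ "${1:-}" = --demo ]; then CRYPTOTAB=$(sample_cryptotab) RUN=echo
    crypt_mount /encrypted_mount_point && crypt_umount /encrypted_mount_point; fi
```

Without RUN set and with the default CRYPTOTAB, the functions run the real losetup and mount commands and therefore need root and the partition's passphrase at the losetup prompt.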

Reader Comments

  • excellent info!
  • If / cannot be encrypted, then /etc/cryptotab is in the clear. How do we protect the passphrase from someone booting to single-user mode with a recovery disk? Aren't we encrypting the file system to protect against this very threat?
  • I won't assume that the password is in clear text in /etc/cryptotab. Hence you shouldn't have this threat.

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2008 Novell, Inc. All Rights Reserved.