40.2 Using Encrypted Home Directories

To protect data in home directories against theft and hard disk removal, use the LUKS framework to encrypt user home directories. LUKS creates an image and an image key. The image key is protected with the user's login password. By default, the image and the image key are located in the respective user's home directory. The key can also be located anywhere in the file system—for example, on a removable device that can be mounted manually.

Use the YaST user management module or the cryptconfig command line tool to enable encryption of home directories. You can create encrypted home directories for new or existing users. To encrypt or modify encrypted home directories of already existing users, enter the user's current login password. For information about user management with YaST, refer to Section 5.0, Managing Users with YaST (↑Start-Up).

WARNING: Security Restrictions

Encrypting a user's home directory does not provide strong protection against other users of the same system. If strong security is required, the system should not be shared physically.

To enhance security, also encrypt the swap partition and the /tmp and /var/tmp directories, because these may contain temporary images of critical data.

You can encrypt swap, /tmp, and /var/tmp with the YaST partitioner as described in Section 40.1.1, Creating an Encrypted Partition during Installation and Section 40.1.3, Creating an Encrypted File as a Container. In addition to the options YaST offers, you can use the cryptconfig command line tool for some special tasks.
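The following script is an added example and is not part of the SUSE documentation or of the cryptconfig tool. It verifies the recommendation above: it reports any active swap partition, and /tmp or /var/tmp, that does not sit on a dm-crypt mapping. Every function takes its input as text in the format of /proc/swaps, /proc/mounts and lsblk -rno NAME,TYPE, so the same checks run against the live system or against data captured from another host. The sample data, the device names (cr_swap, cr_tmp, sda3) and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SUSE documentation: check whether active swap
# partitions and the /tmp and /var/tmp mounts are backed by dm-crypt mappings.
# Inputs are plain text in the format of /proc/swaps, /proc/mounts and
# `lsblk -rno NAME,TYPE`, so the checks also work on captured data.

# Constructed sample data; not captured from a real system.
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/mapper/cr_swap                     partition	2097148	0	-2
/dev/sda3                               partition	1048572	0	-3'

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/mapper/cr_tmp /tmp ext4 rw,nosuid,nodev,relatime 0 0'

SAMPLE_LSBLK='sda disk
sda2 part
sda3 part
sda4 part
cr_swap crypt
cr_tmp crypt'

# device_type NAME LSBLK_TEXT: print the lsblk TYPE of a device ("crypt" for dm-crypt mappings)
device_type() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# is_encrypted DEVPATH LSBLK_TEXT: succeed if the block device is a dm-crypt mapping
is_encrypted() {
    [ "$(device_type "${1##*/}" "$2")" = "crypt" ]
}

# unencrypted_swaps SWAPS_TEXT LSBLK_TEXT: print active swap partitions that are not encrypted
unencrypted_swaps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "partition" { print $1 }' |
    while read -r dev; do
        is_encrypted "$dev" "$2" || printf '%s\n' "$dev"
    done
}

# mount_source MOUNTPOINT MOUNTS_TEXT: print the source backing a mount point
# (the last entry wins, as in the kernel's view of stacked mounts)
mount_source() {
    printf '%s\n' "$2" | awk -v m="$1" '$2 == m { src = $1 } END { print src }'
}

# unencrypted_tmp_dirs MOUNTS_TEXT LSBLK_TEXT: print /tmp and /var/tmp unless each
# is a separate mount on a dm-crypt device. A tmpfs source is reported too, since
# its pages can end up in swap.
unencrypted_tmp_dirs() {
    for mp in /tmp /var/tmp; do
        src=$(mount_source "$mp" "$1")
        if [ -z "$src" ]; then
            printf '%s (no separate mount)\n' "$mp"
        elif ! is_encrypted "$src" "$2"; then
            printf '%s (%s)\n' "$mp" "$src"
        fi
    done
}

# Usage against the live system:  sh check_encrypted_swap_tmp.sh --live
# Without --live the constructed sample data is checked instead.
if [ "${1:-}" = "--live" ]; then
    unencrypted_swaps "$(cat /proc/swaps)" "$(lsblk -rno NAME,TYPE)"
    unencrypted_tmp_dirs "$(cat /proc/mounts)" "$(lsblk -rno NAME,TYPE)"
else
    unencrypted_swaps "$SAMPLE_SWAPS" "$SAMPLE_LSBLK"
    unencrypted_tmp_dirs "$SAMPLE_MOUNTS" "$SAMPLE_LSBLK"
fi
```

On the sample data the script reports /dev/sda3 as an unencrypted swap partition and /var/tmp as having no separate (and therefore no encrypted) mount; an empty report means everything the section recommends encrypting is on a dm-crypt mapping. Swap files (Type "file" in /proc/swaps) are not checked, because their encryption status depends on the file system holding them rather than on a block device type.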

For example, you can create and add an additional key to the image.

  1. Log in to a shell as root.

  2. Run

    cryptconfig create-key admin.key

    to create a key for administrators.

  3. To create an encrypted home directory for user tux and to add the administration key to it, enter

    cryptconfig make-ehd --extra-key-file=admin.key tux 200

    This creates a home directory with the initial size of 200 MB.

  4. To change the size of the home directory at any time, use

    cryptconfig enlarge-size image size_to_add_in_MB

For more information about the command line tool, run the cryptconfig --help command.

Internally, the home directory is provided by means of the PAM module pam_mount. If you need to add an additional login method that provides encrypted home directories, you may have to add this module to the respective configuration file in /etc/pam.d/. For more information, see Section 18.0, Authentication with PAM and the man page of pam_mount.