encryption for home partition and backups

Bob Jonkman bjonkman-w5ExpX8uLjYAvxtiuMwx3w at public.gmane.org
Sat Nov 30 17:07:50 UTC 2013


Giles Orr wrote:
> As for swap - leaving it unencrypted is a huge security hole, but
> encrypting it is a huge PITA (as I understand it - I haven't done it)
> if you use either suspend or especially hibernate.


I've used an unencrypted swap LV as part of my encrypted LVM, and I've
also used an encrypted swap in an ordinary partition. In both cases
suspend works fine, but hibernate doesn't. Other than that, I don't
notice any performance difference from a completely unencrypted swap. Of
course, with 8GB RAM there's not a lot of swapping.

A quick search[1] shows plenty of solutions. This one looks promising:

https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap

I may try to implement that during the quiet lulls of the global
seasonal celebrations.

--Bob.

[1] https://ixquick.com/do/metasearch.pl?query=encrypted+swap+hibernate


On 13-11-30 08:03 AM, Giles Orr wrote:
> On 29 November 2013 21:02, Alex Volkov <avolkov-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> 
>> I'm using a laptop running Debian Jessie on an LVM (with separate
>> /home and swap partitions).
>> 
>> Is it possible to convert current system to encrypted /home and
>> swap volumes without reinstalling everything from scratch? I'm fine
>> with copying all the existing data to an external hard drive,
>> reformatting the partition to something that supports encryption
>> and then copying everything back. I found cryptsetup and LUKS
>> being mentioned in several places, has anyone tried using these
>> tools?
>> 
>> As a related question, is it possible to have an encrypted file on
>> an existing filesystem which I can access by mounting and then
>> dumping rsync stream into it? Sort of what TrueCrypt is doing only
>> 100% open source and preferably implemented using fusefs.
>> 
> 
> I've been using an encrypted /home/ for a year and a bit.  My system 
> partition and swap are unencrypted.  As Bob says, you can encrypt 
> everything but /boot/ : I haven't tried that, as it's a bit more of
> a hassle and my main concern is my own documents, not my OS.  As for
> swap - leaving it unencrypted is a huge security hole, but encrypting
> it is a huge PITA (as I understand it - I haven't done it) if you use
> either suspend or especially hibernate.  Do your reading (or ask
> around here).
> 
> Note that I started with a new system and so didn't have to migrate
> data as you'll have to.  I would suggest moving /home/ off to an
> external drive, encrypting the /home/ partition, and moving the data
> back - if you're okay with an unencrypted OS partition, this will be
> easiest.  If you're in the mood to improve your system, Bob is right:
> LVM would be better (although I don't use it myself as I'm lazy and
> it adds complexity even while making volume management immensely
> easier ... I just don't juggle partitions enough for it to be
> worthwhile.)
> 
> I've been pretty happy with LUKS and cryptsetup: I do rotating
> backups to multiple external hard drives, all of which are encrypted.
> When I plug them in LXDE asks for a password to mount, and after that
> the space is treated exactly like a normal partition.  I use rsync to
> do the backups, so yes - very easy to use.
> 
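
Added example, not part of the original message or of any code from the thread: a small Python check that reports, for each active swap area, whether it sits on a dm-crypt layer anywhere in its device stack, covering both layouts described above (a swap LV inside an encrypted LVM, and swap on an ordinary partition). It assumes input in the format of /proc/swaps and of `lsblk -s -J -o NAME,KNAME,TYPE`; the sample data and the function names are constructed for illustration.

```python
import json

# Constructed sample data (not from the thread): /proc/swaps content and
# `lsblk -s -J -o NAME,KNAME,TYPE` output for a machine with a swap LV inside
# a LUKS container, a second swap on a plain partition, and a swap file.
SAMPLE_SWAPS = """\
Filename                                Type            Size    Used    Priority
/dev/dm-2                               partition       8388604 0       -2
/dev/sdb2                               partition       2097148 0       -3
/swapfile                               file            1048572 0       -4
"""
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "vg-swap", "kname": "dm-2", "type": "lvm", "children": [
        {"name": "sda5_crypt", "kname": "dm-0", "type": "crypt", "children": [
            {"name": "sda5", "kname": "sda5", "type": "part", "children": [
                {"name": "sda", "kname": "sda", "type": "disk"}]}]}]},
    {"name": "sdb2", "kname": "sdb2", "type": "part", "children": [
        {"name": "sdb", "kname": "sdb", "type": "disk"}]},
]})


def stack_types(node):
    """Yield the TYPE of a device and of every device it is stacked on."""
    yield node["type"]
    for backing in node.get("children", []):  # with -s, children are backing devices
        yield from stack_types(backing)


def classify_swap(swaps_text, lsblk_json):
    """Map each active swap area to 'encrypted', 'plaintext' or 'unknown'."""
    by_path = {"/dev/" + d["kname"]: d
               for d in json.loads(lsblk_json)["blockdevices"]}
    result = {}
    for line in swaps_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2:
            continue
        path, kind = fields[0], fields[1]
        dev = by_path.get(path)
        if kind != "partition" or dev is None:
            result[path] = "unknown"  # swap file: depends on the filesystem under it
        else:
            result[path] = "encrypted" if "crypt" in stack_types(dev) else "plaintext"
    return result


if __name__ == "__main__":
    for path, state in classify_swap(SAMPLE_SWAPS, SAMPLE_LSBLK).items():
        print(f"{state:10} {path}")
```

On a live system the two inputs would come from reading /proc/swaps and running the lsblk command named above; anything reported as plaintext can hold pages of memory in the clear on disk.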
