pam_apparmor
Encrypting files, partitions, and entire disks prevents unauthorized access to your data and protects your confidential files and documents.
You can choose between the following encryption options:
It is possible to create an encrypted partition with YaST during installation or in an already installed system. For further info, see Section 11.1.1, “Creating an Encrypted Partition during Installation” and Section 11.1.2, “Creating an Encrypted Partition on a Running System”. This option can also be used for removable media, such as external hard disks, as described in Section 11.1.4, “Encrypting the Content of Removable Media”.
You can create a file-based encrypted virtual disk on your hard disk or a removable medium with YaST. The encrypted virtual disk can then be used as a regular folder for storing files or directories. For more information, refer to Section 11.1.3, “Creating an Encrypted Virtual Disk”.
With openSUSE Leap, you can also create encrypted user home directories. When the user logs in to the system, the encrypted home directory is mounted and the contents are made available to the user. Refer to Section 11.2, “Using Encrypted Home Directories” for more information.
To quickly encrypt one or several files, you can use the GPG tool. See Section 11.3, “Encrypting Files with GPG” for more information.
Encryption methods described in this chapter cannot protect your running system from being compromised. After the encrypted volume is successfully mounted, everybody with appropriate permissions can access it. However, encrypted media are useful in case of loss or theft of your computer, or to prevent unauthorized individuals from reading your confidential data.
Use YaST to encrypt partitions or parts of your file system during installation or in an already installed system. However, encrypting a partition in an already-installed system is more difficult, because you need to resize and change existing partitions. In such cases, it may be more convenient to create an encrypted file of a defined size, in which to store other files or parts of your file system. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST, does not include an encrypted partition by default. Add it manually in the partitioning dialog.
Make sure to memorize the password for your encrypted partitions well. Without that password, you cannot access or restore the encrypted data.
The YaST expert dialog for partitioning offers the options needed for creating an encrypted partition. To create a new encrypted partition proceed as follows:
Run the YaST Expert Partitioner with
› .Select a hard disk, click
, and select a primary or an extended partition.Select the partition size or the region to use on the disk.
Select the file system, and mount point of this partition.
Activate the
check box.After checking
, a pop-up window asking for installing additional software may appear. Confirm to install all the required packages to ensure that the encrypted partition works well.If the encrypted file system needs to be mounted only when necessary, enable
in the . otherwise enable and enter the mount point.Click
and enter a password which is used to encrypt this partition. This password is not displayed. To prevent typing errors, you need to enter the password twice.Complete the process by clicking
. The newly-encrypted partition is now created.
During the boot process, the operating system asks for the password
before mounting any encrypted partition which is set to be auto-mounted
in /etc/fstab
. Such a partition is then available
to all users when it has been mounted.
To skip mounting the encrypted partition during start-up, press Enter when prompted for the password. Then decline the offer to enter the password again. In this case, the encrypted file system is not mounted and the operating system continues booting, blocking access to your data.
To mount an encrypted partition which is not mounted during the boot process, open a file manager and click the partition entry in the pane listing common places on your file system. You will be prompted for a password and the partition will be mounted.
When you are installing your system on a machine where partitions already exist, you can also decide to encrypt an existing partition during installation. In this case follow the description in Section 11.1.2, “Creating an Encrypted Partition on a Running System” and be aware that this action destroys all data on the existing partition.
It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it, and requires re-sizing and restructuring of existing partitions.
On a running system, select Section 11.1.1, “Creating an Encrypted Partition during Installation”.
› in the YaST control center. Click to proceed. In the , select the partition to encrypt and click . The rest of the procedure is the same as described inInstead of encrypting a entire disk or partition, you can use YaST to set up a file-based encrypted virtual disk. It will appear as a regular file in the file system, but can be mounted and used like a regular folder. Unlike encrypted partitions, encrypted virtual disks can be created without re-partitioning the hard disk.
To set up an encrypted virtual disk, you need to create an empty file
first (this file is called loop file). In the terminal, switch to the
desired directory and run the touch
FILE
command (where
FILE is the desired name, for example: secret
). It is also recommended to create an empty
directory that will act as a mount point for the encrypted virtual
disk. To do this, use the mkdir
DIR
command (replace
DIR with the actual path and directory name,
for example: ~/my_docs
).
To set up an encrypted virtual disk, launch YaST, switch to the
~/my_docs
). Make sure that the
option is enabled and press
. Provide the desired password and press
.
YaST treats removable media (like external hard disks or flash disks) the same as any other storage device. Virtual disks or partitions on external media can be encrypted as described above. However, you should disable mounting at boot time, because removable media is usually connected only when the system is up and running.
If you encrypted your removable device with YaST, the GNOME desktop
automatically recognizes the encrypted partition and prompts for the
password when the device is detected. If you plug in a FAT-formatted
removable device when running GNOME, the desktop user entering the
password automatically becomes the owner of the device.
For devices with a file system other than FAT, change the
ownership explicitly for users other than root
to give them
read-write access to the device.
If you have created a virtual disk as described in Section 11.1.3, “Creating an Encrypted Virtual Disk” but with the loop file on a removable disk, then you need to mount the file manually as follows:
sudo cryptsetup luksOpen FILE NAME sudo mount /dev/mapper/NAME DIR
In the commands above, the FILE refers to the path to the loop file, NAME is a user-defined name, and DIR is the path to the mount point. For example:
sudo cryptsetup luksOpen /run/media/tux/usbstick/secret my_secret sudo mount /dev/mapper/my_secret /home/tux/my_docs
To protect data in home directories from unauthorized access, use the YaST user management module to encrypt home directories. You can create encrypted home directories for new or existing users. To encrypt or decrypt home directories of already existing users, you need to know their login password. See Book “Start-Up”, Chapter 3 “Managing Users with YaST”, Section 3.3.3 “Managing Encrypted Home Directories” for instructions.
Encrypted home partitions are created within a virtual disk as
described in Section 11.1.3, “Creating an Encrypted Virtual Disk”. Two
files are created under /home
for each encrypted
home directory:
LOGIN.img
The image holding the directory
LOGIN.key
The image key, protected with the user's login password.
On login, the home directory automatically gets decrypted. Internally, it
works through the PAM module called pam_mount. If
you need to add an additional login method that provides encrypted home
directories, you need to add this module to the respective configuration
file in /etc/pam.d/
. For more information, see
Chapter 2, Authentication with PAM and the man page of pam_mount
.
Encrypting a user's home directory does not provide strong security from other users. If strong security is required, the system should not be shared physically.
To enhance security, also encrypt the swap
partition and the /tmp
and
/var/tmp
directories, because these may contain
temporary images of critical data. You can encrypt
swap
, /tmp
, and
/var/tmp
with the YaST partitioner as
described in Section 11.1.1, “Creating an Encrypted Partition during Installation” or
Section 11.1.3, “Creating an Encrypted Virtual Disk”.
The GPG encryption software can be used to encrypt individual files and documents.
To encrypt a file with GPG, you need to generate a key pair first. To do
this, run the gpg --gen-key
and follow the on-screen
instructions. When generating the key pair, GPG creates a user ID (UID) to
identify the key based on your real name, comments, and email address. You
need this UID (or just a part of it like your first name or email address)
to specify the key you want to use to encrypt a file. To find the UID of an
existing key, use the gpg --list-keys
command. To encrypt
a file use the following command:
gpg -e -r UID FILE
Replace UID with part of the UID (for example, your first name) and FILE with the file you want to encrypt. For example:
gpg -e -r Tux secret.txt
This command creates an encrypted version of the specified file
recognizable by the .gpg
file extension (in
this example, it is secret.txt.gpg
).
To decrypt an encrypted file, use the following command:
gpg -d -o DECRYPTED_FILE ENCRYPTED_FILE
Replace DECRYPTED_FILE with the desired name for the decrypted file and ENCRYPTED_FILE with the encrypted file you want to decrypt.
Keep that the encrypted file can be only decrypted using the same key that was used for encryption. If you want to share an encrypted file with another person, you have to use that person's public key to encrypt the file.