Disk encryption in F9

Marc Schwartz marc_schwartz at comcast.net
Fri May 16 19:03:50 UTC 2008


Bill Davidsen <davidsen at tmr.com> writes:

> Marc Schwartz wrote:
>> Rahul Sundaram <sundaram at fedoraproject.org> writes:
>>
>>> Jan Welker wrote:
>>>> Hi there,
>>>>
>>>> I created multiple encrypted partitions on my Fedora 9 system. All
>>>> of them do have the same password. But I have to enter the password
>>>> for each partition (all together 3 times). Is there a way to enter
>>>> one password for all partitions since they are all the same?
>>> Not yet. This is filed as an RFE at
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=446567
>>>
>>> Rahul
>>
>> That has been an issue for a while, at least for me, under prior
>> versions of Fedora using dm-crypt/luks.
>>
>> With F9, I took a different approach, which was to create a clear
>> partition for /boot and then use LVM to create an encrypted partition group
>> for everything else (e.g. /, /home, etc.).
>>
>> Thus, I only get prompted once for the LUKS passphrase at boot.
>>
> I get prompted at boot, but I would have expected to be prompted when
> the f/s was mounted. I wanted to have certain users in a secure f/s,
> /home/secure/USER, where /home/secure was mounted with automount when
> one of those users logged in. I won't say it can't work that way, just
> that right now it doesn't. ;-)
>
> Otherwise FC9 looks acceptably smooth for a new release.

By default, unless you have modified /etc/fstab to set 'noauto' on the
relevant partitions, they will all be mounted at boot and you would be
prompted at that time for the passphrase(s).

I am working on about two hours of sleep, so forgive any incoherence
here, but if you only want the partitions mounted when a user logs in
and then unmounted when the user logs out, you will have to set the
relevant entries in /etc/fstab to 'noauto' and modify the appropriate
global scripts. 

You don't indicate if this is on a protected server or a physically
accessible desktop or laptop. That would impact the 'global' approach
that you take with respect to security. 

Keep in mind that appropriate access controls can restrict one user from
accessing another user's home tree. That is easier to implement and
manage if this is a protected server, where the user does not have
physical access to the box.

If this is a stand-alone desktop or laptop, where multiple users have
physical access to the system or worse, can walk off with it or the HD,
then you need to consider the practical requirements for creating
encrypted partitions in this manner.

I might consider setting up a primary home tree for each user with a
SysAdmin-based passphrase entered at boot. Then each user can log in to
that primary home tree.

Once logged in, if they need to encrypt files they can do so
individually with something like PGP. If they need this to be
'transparent' as would otherwise be provided by dm-crypt/LUKS, you could
set up separate user-specific partitions, each with its own
passphrase. These would be separate from the user's main tree in
/home. You can then modify the user-specific scripts in their home trees
to mount and prompt them for the passphrase post-login and then clear
and unmount it when they log out.

Whatever you do, if you are the SysAdmin, I would be sure to add a
second LUKS key to each of the user's partitions so that in the event of
an emergency, you can access any data that you need, lest they hold you
hostage over it.

HTH,

Marc Schwartz
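
The following is an added example, not part of the original message: shell checks for the two things the reply recommends, that per-user volumes are marked 'noauto' in /etc/fstab and that each LUKS volume carries a second key for the administrator. It assumes LUKS1-format `cryptsetup luksDump` output; the device names, mount points and sample text are constructed.

```shell
#!/bin/bash
# Added example: audit helpers for a per-user LUKS layout.
# Device names, mount points and sample text below are constructed.

# Count ENABLED key slots in LUKS1-format `cryptsetup luksDump` output (stdin).
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }'
}

# Print mount points from fstab text (stdin) whose options include noauto.
noauto_mounts() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # skip comments and blank lines
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "noauto") { print $2; break }
        }'
}

# Succeed only if the volume has at least two enabled key slots
# (the user's passphrase plus the administrator's recovery key).
has_recovery_key() {
    [ "$(enabled_slots)" -ge 2 ]
}

# Constructed luksDump excerpt for a hypothetical per-user volume.
SAMPLE_DUMP='LUKS header information for /dev/vg0/secure_alice
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
    Iterations:     101010
Key Slot 1: ENABLED
    Iterations:     101010
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Constructed fstab: only the first per-user volume is marked noauto.
SAMPLE_FSTAB='# constructed fstab
/dev/mapper/vg0-root     /                  ext3 defaults            1 1
/dev/mapper/secure_alice /home/secure/alice ext3 noauto,nodev,nosuid 0 0
/dev/mapper/secure_bob   /home/secure/bob   ext3 defaults            0 0'

printf '%s\n' "$SAMPLE_DUMP"  | enabled_slots
printf '%s\n' "$SAMPLE_FSTAB" | noauto_mounts
```

On a live system, run `cryptsetup luksDump <device> | has_recovery_key` as root for each per-user volume; `cryptsetup luksAddKey <device>` adds the second passphrase.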



