36.1 Setting Up an Encrypted File System with YaST
Use YaST to encrypt partitions or parts of your file system during
installation or in an already installed system. However, encrypting a
partition in an already installed system is more difficult, because you
have to resize and change existing partitions. In such cases, it may be
more convenient to create an encrypted file of a defined size in which to
store other files or parts of your file system. To
encrypt an entire partition, dedicate a partition for encryption in the
partition layout. The standard partitioning proposal as suggested by
YaST, does not include an encrypted partition, by default. Add it
manually in the partitioning dialog.
36.1.1 Creating an Encrypted Partition during Installation
WARNING: Password Input
Make sure to memorize the password for your encrypted partitions well.
Without that password you cannot access or restore the encrypted data.
The YaST expert dialog for partitioning offers the options needed for
creating an encrypted partition. To create a new encrypted partition
proceed as follows:
Run the YaST Partitioner from the YaST Control Center with
Click and select a primary or a logical
Select the desired file system, size and mount point of this
If the encrypted file system should only be mounted when necessary,
enable in the
Activate the check box.
Click . You will be prompted for a password that
is used to encrypt this partition. This password is not displayed. To
prevent typing errors, enter the password twice.
Complete the process by clicking . The new
encrypted partition is now created.
The operating system requests the password while booting before mounting
the partition. The partition is available to all users once it has been
To skip mounting the encrypted partition during start-up, click
Enter when prompted for the password. Then decline the
offer to enter the password again. In this case, the encrypted file
system is not mounted and the operating system continues booting,
blocking access to your data.
When you are installing your system on a machine where several
partitions already exist, you can also decide to encrypt an existing
partition during installation. In this case follow the description in
Section 36.1.2, Creating an Encrypted Partition on a Running System and be aware that this action
destroys all data on the existing partition to encrypt.
36.1.2 Creating an Encrypted Partition on a Running System
WARNING: Activating Encryption on a Running System
It is also possible to create encrypted partitions on a running system.
However, encrypting an existing partition destroys all data on it and
requires resizing and restructuring of existing partitions.
On a running system, select Section 36.1.1, Creating an Encrypted Partition during Installation.
in the YaST Control
Center. Click to proceed. In the , select the partition to encrypt and click
. The rest of the procedure is the same as
36.1.3 Creating an Encrypted File as a Container
Instead of using a partition, it is possible to create an encrypted file
of a certain size that can then hold other files or folders containing
confidential data. Such container files are created from the YaST
Expert Partitioner dialog. Select
enter the full path to the file and its size. Accept or change the
proposed formatting settings and the file system type. Specify the mount
point and decide whether the encrypted file system should be mounted at
system boot. Make sure that the checkbox is activated.
The advantage of encrypted container files over encrypted partitions is
that they can be added without repartitioning the hard disk. They are
mounted with the help of a loop device and behave just like normal
36.1.4 Encrypting the Content of Removable Media
YaST treats removable media like external hard disks or USB flash
drives the same as any other hard disk. Container files or partitions on
such media can be encrypted as described above. However, enable
in the dialog, because removable media are usually only
connected while the system is running.
If you have encrypted your removable device with YaST, the KDE and
GNOME desktops automatically recognize the encrypted partition and
prompt for the password when the device is detected. If you plug in a
FAT formatted removable device while running KDE or GNOME, the desktop
user entering the password automatically becomes the owner of the device
and can read and write files. For devices with a file system other than
FAT, change the ownership explicitly for users other than root to
enable these users to read or write files on the device.