48.1 Setting Up a Crypto File System with YaST
Use YaST to encrypt partitions or parts of your file system, either during installation or on an already installed system. Encrypting a partition on an already installed system is more difficult, because existing partitions must be resized and rearranged. In such cases it may be more convenient to create an encrypted file of a defined size in which to store other files or parts of your file system. To encrypt an entire partition, dedicate a partition to encryption in the partition layout. The standard partitioning proposal suggested by YaST does not include an encrypted partition by default; add one manually in the partitioning dialog.
48.1.1 Creating an Encrypted Partition during Installation
WARNING: Password Input
Observe the warnings about password security when setting the password for encrypted partitions, and memorize it well. Without the password, the encrypted data cannot be accessed or restored.

The YaST expert dialog for partitioning, described in Section 7.5.8, Partitioner, offers the options needed for creating an encrypted partition. To create a new encrypted partition, click . In the dialog that opens, enter the partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the process by clicking . In the following dialog, enter the password twice. The new encrypted partition is created after the partitioning dialog is closed by clicking . While booting, the operating system requests the password before mounting the partition.

If you do not want to mount the encrypted partition during start-up, press Enter when prompted for the password, then decline the offer to enter the password again. In this case the encrypted file system is not mounted and the operating system continues booting, blocking access to your data. Once the partition has been mounted, it is available to all users.

If the encrypted file system should only be mounted when necessary, enable in the dialog. The respective partition is then not mounted when the system boots. To make it available afterwards, mount it manually with mount name_of_partition mount_point and enter the password when prompted. After finishing your work with the partition, unmount it with umount name_of_partition to protect it from access by other users.

When you are installing your system on a machine where several partitions already exist, you can also decide to encrypt an existing partition during installation. In this case, follow the description in Section 48.1.2, Creating an Encrypted Partition on a Running System, and be aware that this action destroys all data on the existing partition to be encrypted.
48.1.2 Creating an Encrypted Partition on a Running System
WARNING: Activating Encryption in a Running System
It is also possible to create encrypted partitions on a running system. However, encrypting an existing partition destroys all data on it and requires resizing and restructuring of existing partitions.

On a running system, select in the YaST control center. Click to proceed. Instead of selecting as mentioned above, click . The rest of the procedure is the same as in Section 48.1.1, Creating an Encrypted Partition during Installation.
48.1.3 Creating an Encrypted File as a Container
Instead of using a partition, it is possible to create an encrypted file of a certain size that can then hold other files or folders containing confidential data. Such container files are created from the same YaST dialog. Select and enter the path to the file to create along with its intended size. Accept the proposed formatting settings and the file system type. Then specify the mount point and decide whether the encrypted file system should be mounted when the system is booted.

The advantage of encrypted container files is that they can be added without repartitioning the hard disk. They are mounted with the help of a loop device and behave just like normal partitions.
48.1.4 Encrypting the Content of Removable Media
YaST treats removable media such as external hard disks or USB flash drives the same as any other hard disk. Container files or partitions on such media can be encrypted as described above. However, do not select to mount these media when the system is booted, because they are usually only connected while the system is running.
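As an added example that is not part of the YaST manual, the following POSIX shell script does by hand what the YaST dialogs in Section 48.1.1 and Section 48.1.3 do for an encrypted container file: allocate the file, format it with LUKS using cryptsetup (which attaches the loop device itself), open and mount it on demand, and unmount and close it afterwards. It also emits the /etc/crypttab and /etc/fstab lines for the two choices the manual describes, mounting at boot or only when needed, the latter being what Section 48.1.4 recommends for removable media. The container path, the mapping name "secret" and the mount point /mnt/secret are assumed placeholders; cryptsetup with LUKS2 support, dd and mkfs.ext4 are assumed to be installed, and the create, open and close subcommands must be run as root.

```shell
#!/bin/sh
# Added example, not from the YaST manual: manual equivalent of a YaST
# encrypted container file, using cryptsetup (LUKS2) on a loop device.
# Names such as "secret" and /mnt/secret are assumed placeholders.
# Privileged commands live in functions; nothing runs unless a
# subcommand (create | open | close) is given, so the file can be sourced.

# LUKS2 reserves space for its header (16 MiB by default); a container
# only slightly larger than that leaves no room for a file system.
LUKS_HEADER_MB=16

# validate_size_mb SIZE: 0 if SIZE is a positive integer comfortably above
# the header size, 1 otherwise. Checked before any device is touched.
validate_size_mb() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt $((LUKS_HEADER_MB * 2)) ]
}

# crypttab_line NAME FILE [boot|manual]: /etc/crypttab entry. "noauto"
# sets the mapping up only on demand, matching the manual's option of not
# mounting during boot (the right choice for removable media).
crypttab_line() {
    name=$1; file=$2; mode=${3:-boot}
    if [ "$mode" = "manual" ]; then
        printf '%s %s none luks,noauto\n' "$name" "$file"
    else
        printf '%s %s none luks\n' "$name" "$file"
    fi
}

# fstab_line NAME MOUNTPOINT FSTYPE [boot|manual]: matching /etc/fstab entry.
fstab_line() {
    name=$1; mnt=$2; fstype=$3; mode=${4:-boot}
    if [ "$mode" = "manual" ]; then
        printf '/dev/mapper/%s %s %s noauto 0 2\n' "$name" "$mnt" "$fstype"
    else
        printf '/dev/mapper/%s %s %s defaults 0 2\n' "$name" "$mnt" "$fstype"
    fi
}

# create_container FILE SIZE_MB NAME: allocate, LUKS-format and put a file
# system into the container, then close it again.
create_container() {
    file=$1; size_mb=$2; name=$3
    validate_size_mb "$size_mb" || {
        echo "size must be an integer larger than $((LUKS_HEADER_MB * 2)) MiB" >&2
        return 1
    }
    umask 077                       # the container file is root-only
    dd if=/dev/zero of="$file" bs=1M count="$size_mb" status=none
    # cryptsetup attaches a loop device to a regular file by itself and,
    # like the YaST dialog, asks for the passphrase twice.
    cryptsetup luksFormat --type luks2 "$file"
    cryptsetup open "$file" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
    cryptsetup close "$name"
}

# open_container FILE NAME MOUNTPOINT: unlock (asks for the passphrase)
# and mount. As the manual notes, mounted data is visible to all local
# users subject only to file permissions, so the mount point is restricted.
open_container() {
    file=$1; name=$2; mnt=$3
    cryptsetup open "$file" "$name"
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    chmod 700 "$mnt"
}

# close_container NAME MOUNTPOINT: unmount and lock; closing the mapping
# also detaches the loop device.
close_container() {
    name=$1; mnt=$2
    umount "$mnt"
    cryptsetup close "$name"
}

case "${1:-}" in
    create) create_container "$2" "$3" "$4" ;;
    open)   open_container "$2" "$3" "$4" ;;
    close)  close_container "$2" "$3" ;;
    "")     ;;   # sourced or run without arguments: only define functions
    *)      echo "usage: $0 create FILE SIZE_MB NAME | open FILE NAME MOUNTPOINT | close NAME MOUNTPOINT" >&2 ;;
esac
```

A typical session is `sh crypt-container.sh create /var/lib/secret.img 200 secret`, then `sh crypt-container.sh open /var/lib/secret.img secret /mnt/secret` when the data is needed and `sh crypt-container.sh close secret /mnt/secret` afterwards, which corresponds to the manual mount and umount steps in Section 48.1.1. Writing the "manual" crypttab and fstab lines into /etc/crypttab and /etc/fstab lets the usual `mount /mnt/secret` work without the mapping being set up at boot.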