Daniel Barrett wrote:
>
> I'm thinking about encrypting the /home partition on an Ubuntu box.
> Is there a way to do it so I'm prompted for the decryption passphrase
> when I log in or SSH in, not at boot time? I don't want to enter the
> passphrase during the boot process because I want to permit unattended
> reboots.
>

You can do a directory (per-user encryption) or a filesystem (/home, which is what you asked for) or a full disk. Full disk requires boot-time passphrase entry; the others do not.

The kernel built-in crypto system is handled by either cryptsetup or cryptmount. Cryptsetup is generally used for full-disk or similar "don't boot without passphrase" systems; cryptmount is what you are looking for.

You can also use encfs, which is an overlay filesystem. It provides less metadata security -- any user can see the number of files, what perms they have, a lower bound on their size, and atime/mtime stats. On the other hand, it's a lot easier to experiment with.

Avoid ecryptfs, which was widely supported earlier but now has no maintainer in Ubuntu or Debian: https://help.ubuntu.com/community/EncryptedPrivateDirectory uses ecryptfs.

http://manpages.ubuntu.com/manpages/disco/man8/cryptmount.8.html is the helpful manpage for cryptmount.

-dsr-

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
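
One way to set up the cryptmount route recommended in the reply above, as an added example that is not part of the original message. The target name `home`, the device `/dev/sdXN`, the key file path, the cipher choice and the Debian/Ubuntu cmtab location are assumptions; nothing in the stanza asks for the target to be mounted at boot, so a reboot finishes unattended with /home still locked.

```shell
#!/bin/sh
# Added example: a cryptmount target for /home that is unlocked after boot.
# Assumed placeholders: target name, device, key file and cmtab locations.
TARGET=${TARGET:-home}
DEVICE=${DEVICE:-/dev/sdXN}                   # placeholder partition
KEYFILE=${KEYFILE:-/etc/cryptmount/home.key}
CMTAB=${CMTAB:-/etc/cryptmount/cmtab}         # Debian/Ubuntu default (assumed)

# Print the cmtab(5) stanza describing the encrypted /home target.
cmtab_stanza() {
    cat <<EOF
$TARGET {
    dev=$DEVICE
    dir=/home
    fstype=ext4
    mntopts=defaults,nodev,nosuid
    cipher=aes-xts-plain64
    keyformat=builtin
    keyfile=$KEYFILE
}
EOF
}

# One-time initialisation as root. Destroys any data already on $DEVICE.
init_target() {
    cmtab_stanza >> "$CMTAB" &&
    cryptmount --generate-key 32 "$TARGET" &&   # prompts for a new passphrase
    cryptmount --prepare "$TARGET" &&           # maps /dev/mapper/$TARGET
    mkfs.ext4 "/dev/mapper/$TARGET" &&
    cryptmount --release "$TARGET"
}

# True when /home is currently backed by the mapped target.
# $1: mounts table to read (defaults to /proc/mounts).
home_is_unlocked() {
    awk -v dev="/dev/mapper/$TARGET" \
        '$1 == dev && $2 == "/home" { found = 1 } END { exit !found }' \
        "${1:-/proc/mounts}"
}

unlock_home() { cryptmount "$TARGET"; }         # prompts for the passphrase
lock_home()   { cryptmount --unmount "$TARGET"; }

case "${1:-}" in
    init)   init_target ;;
    unlock) home_is_unlocked || unlock_home ;;
    lock)   lock_home ;;
esac
```

Run it with `init` once as root, then with `unlock` after each reboot; the `home_is_unlocked` check makes repeated `unlock` calls harmless.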