Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
All the best,
-Greg
--
Please also check the log file at "/dev/null" for additional information. (from /var/log/Xorg.setup.log)
Greg Hosler ghosler@redhat.com
On 04/24/2011 11:58 PM, Gregory Hosler wrote:
alternately, you can set up /etc/crypttab so that the password is not entered manually.
All the best,
-Greg
Would this not then defeat the purpose of encrypting the partition ? :)
On 04/25/2011 01:01 PM, Larry Brower wrote:
On 04/24/2011 11:58 PM, Gregory Hosler wrote:
alternately, you can set up /etc/crypttab so that the password is not entered manually.
All the best,
-Greg
Would this not then defeat the purpose of encrypting the partition ? :)
depends.
putting the passphrase into /etc/crypttab does make it readily available (which reduces the effectiveness of encrypting to begin with).
However ... crypttab has allowance of putting the passphrase into a file. By doing so, and then chown root:root combined with chmod 400, only the root user has availability of the passphrase. This allows the partition to be persistently mounted at boot time w/o directly compromising the passphrase.
Should someone crack the root account, you probably have more serious problems than worrying about the encrypted password...
:-)
All the best,
-Greg
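The arrangement described in the message above (a key file named in /etc/crypttab, owned by root with mode 400), as an added example that is not part of the original thread: a Python check that reports which mappings prompt for a passphrase and which unlock from a stored key, and whether each key file has that ownership and mode. The sample crypttab text, mapping names, UUID placeholders and function names are constructed; the field layout (name, device, key file, options) and the "none" convention follow crypttab(5).

```python
import os
import stat

# Constructed sample in crypttab(5) layout; names and UUIDs are placeholders.
SAMPLE_CRYPTTAB = """\
# <name>    <device>               <key file>   <options>
luks-home   UUID=<uuid-of-home>    none         luks
luks-data   UUID=<uuid-of-data>    {keyfile}    luks
"""

def parse_crypttab(text):
    """Yield (name, device, keyfile) for every non-comment crypttab line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        # A missing third field means the same as "none": prompt at boot.
        keyfile = fields[2] if len(fields) > 2 else "none"
        yield fields[0], fields[1], keyfile

def check_keyfile(path, owner_uid=0):
    """Return the ways a key file deviates from 'owner_uid only, mode 0400'."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat key file: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != owner_uid:
        problems.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~0o400:  # any permission bit beyond owner-read
        problems.append(f"mode {mode:04o}, expected 0400")
    return problems

def audit_crypttab(text, owner_uid=0):
    """Map each mapping name to how it unlocks and any key-file problems."""
    report = {}
    for name, _device, keyfile in parse_crypttab(text):
        if keyfile in ("none", "-"):
            report[name] = {"unlock": "passphrase prompt", "problems": []}
        else:
            # A stored key unlocks the volume with no human present at boot.
            report[name] = {"unlock": "stored key",
                            "problems": check_keyfile(keyfile, owner_uid)}
    return report

if __name__ == "__main__":
    import tempfile
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed-demo-key\n")
    os.close(fd)
    os.chmod(path, 0o644)  # deliberately too open for the demonstration
    # owner_uid is the current user only so the demo runs unprivileged;
    # on a real system the default of 0 (root) applies.
    print(audit_crypttab(SAMPLE_CRYPTTAB.format(keyfile=path), os.getuid()))
    os.unlink(path)
```
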
Around 10:34am on Monday, April 25, 2011 (UK time), Gregory Hosler scrawled:
putting the passphrase into /etc/crypttab does make it readily available (which reduces the effectiveness of encrypting to begin with).
However ... crypttab has allowance of putting the passphrase into a file. By doing so, and then chown root:root combined with chmod 400, only the root user has availability of the passphrase. This allows the partition to be persistently mounted at boot time w/o directly compromising the passphrase.
Should someone crack the root account, you probably have more serious problems than worrying about the encrypted password...
I see encryption's value as particularly defending against data loss because the computer has been stolen, where it could then be booted at run level 1. And possibly against access by an intruder into the building.
So not sure what value there is in setting up the encryption password in /etc/crypttab - or have I misunderstood something?
Steve
On Mon, Apr 25, 2011 at 6:48 AM, Steve Searle steve@stevesearle.com wrote:
Around 10:34am on Monday, April 25, 2011 (UK time), Gregory Hosler scrawled:
putting the passphrase into /etc/crypttab does make it readily available (which reduces the effectiveness of encrypting to begin with).
However ... crypttab has allowance of putting the passphrase into a file. By doing so, and then chown root:root combined with chmod 400, only the root user has availability of the passphrase. This allows the partition to be persistently mounted at boot time w/o directly compromising the passphrase.
Should someone crack the root account, you probably have more serious problems than worrying about the encrypted password...
I see encryption's value as particularly defending against data loss because the computer has been stolen, where it could then be booted at run level 1. And possibly against access by an intruder into the building.
So not sure what value there is in setting up the encryption password in /etc/crypttab - or have I misunderstood something?
Steve
This is exactly why I encrypt the home directory - to defend against theft. But entering the passphrase at every boot each time is not all that friendly.
On 25/04/2011 12:14, ssc1478 wrote:
On Mon, Apr 25, 2011 at 6:48 AM, Steve Searle steve@stevesearle.com wrote:
Around 10:34am on Monday, April 25, 2011 (UK time), Gregory Hosler scrawled:
putting the passphrase into /etc/crypttab does make it readily available (which reduces the effectiveness of encrypting to begin with).
However ... crypttab has allowance of putting the passphrase into a file. By doing so, and then chown root:root combined with chmod 400, only the root user has availability of the passphrase. This allows the partition to be persistently mounted at boot time w/o directly compromising the passphrase.
Should someone crack the root account, you probably have more serious problems than worrying about the encrypted password...
I see encryption's value as particularly defending against data loss because the computer has been stolen, where it could then be booted at run level 1. And possibly against access by an intruder into the building.
So not sure what value there is in setting up the encryption password in /etc/crypttab - or have I misunderstood something?
Steve
This is exactly why I encrypt the home directory - to defend against theft. But entering the passphrase at every boot each time is not all that friendly.
could you not put the file on a removable device such as a usb stick that had to be there at boot time? not sure whether the usb drivers/device is available then though??
On Mon, 2011-04-25 at 07:14 -0400, ssc1478 wrote:
I encrypt the home directory - to defend against theft. But entering the passphrase at every boot each time is not all that friendly.
I encrypt the main volume, which holds all the partitions. You get asked to enter a password before boot can get past the first few stages. Then everything acts like an unencrypted drive, as far as you're concerned.
Better that a thief can't boot things, at all. So they'll have a virtually useless computer, or they'll just install Windows on the laptop, erasing all your files in the process.
Hmm, I wonder if that's a good choice to stick into the GRUB menu for a laptop that might be stolen? A "Re-install Windows" item that fires up some procedure that wipes drive and starts an installation, of some sort.
2011/4/25 ssc1478 ssc1478@aim.com
On Mon, Apr 25, 2011 at 6:48 AM, Steve Searle steve@stevesearle.com wrote:
Around 10:34am on Monday, April 25, 2011 (UK time), Gregory Hosler scrawled:
putting the passphrase into /etc/crypttab does make it readily available (which reduces the effectiveness of encrypting to begin with).
However ... crypttab has allowance of putting the passphrase into a file. By doing so, and then chown root:root combined with chmod 400, only the root user has availability of the passphrase. This allows the partition to be persistently mounted at boot time w/o directly compromising the passphrase.
Should someone crack the root account, you probably have more serious problems than worrying about the encrypted password...
I see encryption's value as particularly defending against data loss because the computer has been stolen, where it could then be booted at run level 1. And possibly against access by an intruder into the building.
So not sure what value there is in setting up the encryption password in /etc/crypttab - or have I misunderstood something?
Steve
This is exactly why I encrypt the home directory - to defend against theft. But entering the passphrase at every boot each time is not all that friendly.
I have the same setup - but I let GDM autologin into Gnome. So, on a cold-boot, I still have to enter just one password.
Gregory Hosler wrote:
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
This adds no security at all from the encryption. The only reason to use encryption and then build in the pass phrase is to allow you to claim that the data was encrypted if you lose the machine, therefore giving you legal cover if the data you lost belongs to customers. I can't decide if that's a sleazy legal trick to provide cover without the effort to have security, or if it just shows how little the average user knows about security in the first place.
Reading the pass phrase from a device like a thumb drive is only useful if the thumb drive is not with the computer. It is possible to have one laptop which allows access to multiple things based on the password offered. I've never been interested enough to generate a real use case, but it seems that LUKS actually supports this.
If access is convenient for you it will be convenient for an unauthorized user as well.
All the best,
-Greg
On 5/1/11 5:18 PM, Bill Davidsen wrote:
Gregory Hosler wrote:
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
This adds no security at all from the encryption. The only reason to use encryption and then build in the pass phrase is to allow you to claim that the data was encrypted if you lose the machine, therefore giving you legal cover if the data you lost belongs to customers. I can't decide if that's a sleazy legal trick to provide cover without the effort to have security, or if it just shows how little the average user knows about security in the first place.
False security is worse than no security at all. Never store a passphrase on a readable device. It should be stored in the brain, just like passwords and such. BTW, this would never pass a security inspection at any of the places I've worked at.
James McKenzie
James McKenzie wrote:
On 5/1/11 5:18 PM, Bill Davidsen wrote:
Gregory Hosler wrote:
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
This adds no security at all from the encryption. The only reason to use encryption and then build in the pass phrase is to allow you to claim that the data was encrypted if you lose the machine, therefore giving you legal cover if the data you lost belongs to customers. I can't decide if that's a sleazy legal trick to provide cover without the effort to have security, or if it just shows how little the average user knows about security in the first place.
False security is worse than no security at all. Never store a passphrase on a readable device. It should be stored in the brain, just like passwords and such. BTW, this would never pass a security inspection at any of the places I've worked at.
It satisfies legal requirements to encrypt sensitive data which is all the bean counters and lawyers care about. They are not required to actually protect your information. :-(
On 5/7/11 12:54 PM, Bill Davidsen wrote:
James McKenzie wrote:
On 5/1/11 5:18 PM, Bill Davidsen wrote:
Gregory Hosler wrote:
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
This adds no security at all from the encryption. The only reason to use encryption and then build in the pass phrase is to allow you to claim that the data was encrypted if you lose the machine, therefore giving you legal cover if the data you lost belongs to customers. I can't decide if that's a sleazy legal trick to provide cover without the effort to have security, or if it just shows how little the average user knows about security in the first place.
False security is worse than no security at all. Never store a passphrase on a readable device. It should be stored in the brain, just like passwords and such. BTW, this would never pass a security inspection at any of the places I've worked at.
It satisfies legal requirements to encrypt sensitive data which is all the bean counters and lawyers care about. They are not required to actually protect your information. :-(
Not in the EU. There are legal requirements to safeguard information, to include encryption of 'data at rest' and 'data in transit'. Same for HIPAA and in the PCI world. This has gotten several companies in trouble.
James McKenzie
James McKenzie wrote:
On 5/7/11 12:54 PM, Bill Davidsen wrote:
James McKenzie wrote:
On 5/1/11 5:18 PM, Bill Davidsen wrote:
Gregory Hosler wrote:
On 04/25/2011 09:48 AM, Digimer wrote:
On 04/24/2011 09:46 PM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
It encrypts the partition, so when the system tries to mount /etc/fstab partitions, of which /home is likely one, it requires the password then.
alternately, you can set up /etc/crypttab so that the password is not entered manually.
This adds no security at all from the encryption. The only reason to use encryption and then build in the pass phrase is to allow you to claim that the data was encrypted if you lose the machine, therefore giving you legal cover if the data you lost belongs to customers. I can't decide if that's a sleazy legal trick to provide cover without the effort to have security, or if it just shows how little the average user knows about security in the first place.
False security is worse than no security at all. Never store a passphrase on a readable device. It should be stored in the brain, just like passwords and such. BTW, this would never pass a security inspection at any of the places I've worked at.
It satisfies legal requirements to encrypt sensitive data which is all the bean counters and lawyers care about. They are not required to actually protect your information. :-(
Not in the EU. There are legal requirements to safeguard information, to include encryption of 'data at rest' and 'data in transit'. Same for HIPAA and in the PCI world. This has gotten several companies in trouble.
That's my point, encryption is required, keeping the key safe may not be spelled out in the law.
On 04/25/2011 03:46 AM, ssc1478 wrote:
Hi,
I'm new to Fedora - been using Ubuntu for years. I just installed Fedora 14 to my laptop and selected to encrypt /home.
When I boot, I have to enter the password for the encrypted directory. Did I set it up wrong? I didn't expect to have to enter the password at boot but instead thought the login password would be enough.
Thanks!
Phil
Hey Phil, you might wanna have a look at cryptfsAuthConfig. It's a new feature in Fedora 15 (released today hurray :-) ) and allows you to decrypt and mount /home by entering your user password. Haven't looked into it yet and I don't know how well it is working.
Here you can find further instructions:
https://fedoraproject.org/wiki/Features/EcryptfsAuthConfig
On 05/24/2011 12:40 PM, Sebastian Rust wrote:
you might wanna have a look at cryptfsAuthConfig. It's a new feature in Fedora 15 (released today hurray :-) ) and allows you to decrypt and mount /home by entering your user password. Haven't looked into it yet and I don't know how well it is working.
Right now, my login password is primarily protecting against attacks by a cat that finds my screensaver attractive and steps on the keyboard. It's a fairly short password that's no pain at all to type when I want to unlock the screen. Protection of sensitive data would require a much stronger passphrase, and having to type that every time I wanted to unlock the screen would be a nuisance. Anybody know of a way to configure the screensaver to accept something other than the (enhanced) login password?