Monday, September 9, 2013

Really basic intro to encrypted filesystems in openSUSE

When I was in high school in the 1980s, I was a total computer geek. (We called geeks "computer geeks" back then, because there used to be such a thing as a non-computer geek.) After high school, though, my life took a different direction, and for 20 years I was only a casual computer user. Only in 2009 did I start getting serious about getting back into the field. During those 20 years a lot of stuff happened in the IT field that I simply missed, and am now catching up on. One of those things is encrypted filesystems. Here's a really basic introduction to setting up and using one of these in openSUSE:

First, RTFM (see Reading List, below).

Second, set up the encrypted filesystem with Yast. I followed these instructions from the openSUSE 12.3 Security Guide:

So far, so good.

Third, mount the encrypted filesystem on a computer (the same one or a different one). For this, we use the cryptsetup and mount commands like so:
# cryptsetup luksOpen /dev/sdb1 foobar
[enter passphrase]
# mount /dev/mapper/foobar /mnt/foobar
In the above example, /dev/sdb1 is the device name assigned by udev and foobar is the mapping name. (Read the cryptsetup manpage for details.) A very straightforward way of determining the device name is the blkid command. For example, on one of my systems the output looks like this:
# blkid
/dev/sda1: UUID="396cff33-92df-4b1b-8cb0-7845cac9ce3a" TYPE="swap" 
/dev/sda2: UUID="c993ad9f-6ace-436e-a494-da510a304823" TYPE="ext4" 
/dev/sda3: UUID="ce63f32c-47b1-4400-931f-8bf7d38bdb45" TYPE="ext4" 
/dev/sdb1: UUID="86036694-0ff0-4d5e-8889-319b8158d574" TYPE="crypto_LUKS" 
/dev/sdb2: UUID="aa9e5e0f-42f7-433d-ba27-72ad361f5f40" TYPE="xfs" 
As you can easily see, in this case /dev/sdb1 is the only LUKS-encrypted device currently seen by the Linux kernel (blkid reports the LUKS container as TYPE="crypto_LUKS"; the filesystem inside it is only visible once the device has been opened with cryptsetup).

Fourth, unmount it when you're done:
# umount /dev/mapper/foobar
# cryptsetup remove foobar
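The four steps above, wrapped in a small POSIX sh helper as an added example (not from the original post or from openSUSE): it picks the crypto_LUKS device out of blkid output, refuses to hand anything else to cryptsetup, and takes the mapping down in the reverse order of setup. The device path, mapping name, mount point and the sample blkid lines are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Device paths, mapping names
# and the sample blkid output below are assumptions / constructed data.

# Print the device paths whose TYPE is crypto_LUKS, reading `blkid` output
# (one '/dev/xxx: KEY="value" ...' line per device) from stdin.
luks_devices_from_blkid() {
    # Field 1 (up to the ':') is the device; keep only LUKS containers.
    awk -F: '/TYPE="crypto_LUKS"/ { print $1 }'
}

# Constructed sample shaped like the blkid listing in the post.
SAMPLE_BLKID='/dev/sda1: UUID="396cff33-92df-4b1b-8cb0-7845cac9ce3a" TYPE="swap"
/dev/sdb1: UUID="86036694-0ff0-4d5e-8889-319b8158d574" TYPE="crypto_LUKS"
/dev/sdb2: UUID="aa9e5e0f-42f7-433d-ba27-72ad361f5f40" TYPE="xfs"'

# Open a LUKS device and mount it. Checks that blkid really reports the
# device as crypto_LUKS (so a mistyped /dev/sdX is never passed to
# cryptsetup) and that the mapping name is not already in use.
# Usage (as root): mount_luks /dev/sdb1 foobar /mnt/foobar
mount_luks() {
    dev=$1; name=$2; mnt=$3
    [ "$(blkid -o value -s TYPE "$dev")" = "crypto_LUKS" ] || {
        echo "$dev is not a LUKS device, refusing to open it" >&2; return 1; }
    [ -e "/dev/mapper/$name" ] && {
        echo "mapping $name is already open" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name" || return 1   # prompts for passphrase
    mkdir -p "$mnt"
    # If the mount fails, close the mapping again so no key stays in the kernel.
    mount "/dev/mapper/$name" "$mnt" || { cryptsetup luksClose "$name"; return 1; }
}

# Tear down in reverse order: unmount first, then drop the mapping.
# (luksClose is the same operation as the `cryptsetup remove` used above.)
umount_luks() {
    name=$1
    umount "/dev/mapper/$name" || return 1
    cryptsetup luksClose "$name"
}
```

Running `printf '%s\n' "$SAMPLE_BLKID" | luks_devices_from_blkid` prints just /dev/sdb1, which is the device to pass to mount_luks.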

Reading List


  1. How I did it: opened Yast, went to user management, went to my user, chose details, enabled "encrypted home directory" and done. Never touched anything else ;-)

  2. Touching something is the whole idea :)