Protecting Data with Encrypted Linux Partitions - page 4
The Inevitable Whoopsie
So far so good! But there is one big problem: only root can access this partition. We need our ordinary user to be able to use it. This virtual partition can be managed in
/etc/fstab, just like any other partition. So add a line to
/etc/fstab to allow an unprivileged user to mount and unmount the partition:
/dev/mapper/sda2 /home/carla/crypted ext3 user,atime,noauto,rw,dev,exec,suid 0 0
Now Carla can mount it herself:
$ mount ~/crypted
But Carla still cannot write to it. For this we need rootly powers one more time, to put the correct ownership and permissions on the mounted block device:
# chown carla:carla /home/carla/crypted/ # chmod 0700 /home/carla/crypted/
Ok then, that's a lot of Carlas! But now Carla has her own encrypted directory to read and write to just like any other directory in her home directory, and no one else can touch it.
You may unmount and shut off the encrypted partition manually like this:
$ umount crypted # cryptsetup luksClose sda2
You'll need your LUKS password only when you open the encrypted device. Remember, if you lose this password you are toast. You may delete the partition and start over, but your data are unrecoverable. Once the encrypted device is open and mounted, you may use it like any other partition.
You need root powers to run
cryptsetup. This is probably not ideal for your users. There are a number of different ways to handle this. One is to use
sudo; *buntu users are already set up with an all-powerful
sudo. Another option is to configure it to start up at boot, and close at shutdown. Or you might want to create some nice desktop icons so your users can start it up and shut it down easily on demand.
We'll learn how to do these things next week, plus we'll learn how to encrypt USB keys, and how to set up a failsafe for a lost passphrase.
This article originally appeared on Enterprise Networking Planet, a JupiterWeb site.