manjaro-architect

Crypttab? Encrypted $HOME?

Open Chrysostomus opened this issue 8 years ago • 3 comments

There have been many mentions of something needing to be done with crypttab. Can you @oberon2007 explain a bit more about your idea for this?

I have little experience with encryption. Based on what I gather from the Arch Wiki, crypttab is for decrypting partitions other than / so that fstab can mount them.

The way I see it, encryption options are a very complicated and personal issue, and we don't have a default encryption setup. And there is no tool to easily generate crypttab that I know of. This being the case, it seems to me that scripting its generation might be out of scope for the installer. Correct me if I'm wrong; it would be cool to have if there is an existing tool for it. But the way I see it, we currently provide the tools that the user needs to set it up themselves.

If we want to offer an easy option for encrypted $HOME, we could try setting it up via ecryptfs like Ubuntu does. This was suggested by @torvic.

Chrysostomus, May 09 '17 12:05

Yes, that's exactly the situation. Currently even Calamares apparently doesn't configure encrypted partitions properly. The problem right now is just that architect appears to offer all these encrypted partition options, but without manual configuration from the user side you will end up with an unbootable install because the partitions to be mounted cannot be found...

oberon-manjaro, May 11 '17 10:05

Okay, let's see what it would take... When mounting swap or a custom partition, check if it is a LUKS container (should be easy; maybe a separate check for swap, because it is different to encrypt. We could actually automate that, maybe...). If so, ask the user how it should be opened (keyfile or passphrase at boot). Save the option to a temporary file and echo that to crypttab after base installation.

That seems actually quite doable. Especially if we are lazy and set some defaults (encrypt swap automatically with throwaway passphrase, require passphrase to decrypt custom partitions).

Chrysostomus, May 11 '17 10:05

I think there are few encryption setups that make sense:

  1. Encrypted everything. I think we got this okay; it could be improved with a keyfile so the user needs to enter their password only once.
  2. Encrypted /home with LUKS. This would need crypttab.
  3. Encrypted $HOME with ecryptfs. Would allow decrypting while logging in with the display manager and each user having separate encryption. Doesn't require crypttab, but might be more complex to script than crypttab. But it would be a beginner-friendly option.

With 2 & 3, swap should also be encrypted.

Chrysostomus, May 11 '17 10:05
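
The steps discussed in the thread (detect a LUKS container, record how it should be opened, write the crypttab line), sketched as an added example that is not part of the thread or of manjaro-architect's code. Function names, mapper names and device values are hypothetical, and the swap entry assumes a per-boot random key from /dev/urandom as the "throwaway" key.

```bash
# Added example: crypttab line generation for an installer (hypothetical helpers).

# Return 0 if the device or file starts with the LUKS header magic "LUKS\xba\xbe".
# On a real system `cryptsetup isLuks <device>` performs this check.
is_luks() {
    local magic
    magic=$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Print one crypttab line: <name> <device> <key> <options>
# mode is one of: passphrase | keyfile | swap
crypttab_entry() {
    local name="$1"
    local device="$2"
    local mode="$3"
    local keyfile="${4:-}"
    case "$mode" in
        passphrase)   # prompt at boot
            printf '%s\t%s\tnone\tluks\n' "$name" "$device" ;;
        keyfile)      # keyfile must live on an already unlocked filesystem
            [ -n "$keyfile" ] || { echo "keyfile path required" >&2; return 1; }
            printf '%s\t%s\t%s\tluks\n' "$name" "$device" "$keyfile" ;;
        swap)
            # Re-keyed and re-formatted on every boot, so filesystem UUIDs and
            # labels do not survive: insist on a stable path such as by-partuuid.
            case "$device" in
                UUID=*|LABEL=*)
                    echo "swap needs a persistent device path, not $device" >&2
                    return 1 ;;
            esac
            printf '%s\t%s\t/dev/urandom\tswap,cipher=aes-xts-plain64,size=512\n' \
                "$name" "$device" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Demo with constructed values (not taken from any real system).
crypttab_entry crypthome UUID=00000000-0000-0000-0000-000000000000 passphrase
crypttab_entry cryptswap /dev/disk/by-partuuid/CONSTRUCTED-PARTUUID swap
```

An installer would append these lines to the target's /etc/crypttab after the base installation; a kernel device name such as /dev/sdX in the random-key swap entry risks formatting the wrong partition if device order changes between boots.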