LinuxQuestions.org
Old 07-08-2010, 11:38 PM   #1
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Rep: Reputation: Disabled
How can I encrypt system folders without a desktop environment?


hi,

i'm new to linux. i have a centos 5.4 without desktop environment. i can only access certain system settings via browser (and of course console).

i would like to encrypt some folders. but these folders are used by the system. can i encrypt them? will the system still be able to access these folders? if yes, how can i encrypt only through console or is there something web based software for this?

thanks



// spyrest, I've moved your post to a new thread (in the future, please refrain from hijacking and/or resurrecting threads). --win32sux

Last edited by win32sux; 07-09-2010 at 01:00 AM. Reason: Added note about move.
 
Old 07-09-2010, 05:14 PM   #2
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
What folders exactly do you want to encrypt, and why? We usually encrypt personal data, not system files. Why hide files that can be simply obtained elsewhere?

All my experience with encryption is cryptsetup+LUKS. It is possible to encrypt the root partition, but it is so complicated I decided not to do it, I just protected the personal data. Again: why bother with system files? There is nothing secret about them.
 
Old 07-09-2010, 05:19 PM   #3
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
This link may be relevant:

http://en.opensuse.org/Encrypted_Root_File_System
 
Old 07-11-2010, 07:40 AM   #4
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,272

Rep: Reputation: 154Reputation: 154
@lucmove: There are definitely valid arguments for encrypting large parts of /var, and /etc. /tmp is likely to contain user-specific information. So there is more to consider than encrypting just a user's home directory.

I encrypt everything on my laptop, including the swap partition, except for /boot, which necessarily needs to remain in plain text form.

To encrypt /, you either need to reinstall the OS; I'm pretty sure the CentOS installer supports encryption. I find the most convenient method is to create two partitions, one for /boot and the other for a PV for LVM, encrypt the PV partition, then use LVM on top of that to create your swap, / and any other partitions you deem fit.

There is a second method, it requires downtime, but not a reinstall. I have documented it on these forums before, but it essentially involves these steps.

1) Boot using a Live CD
2) Mount existing partitions in the correct structure in /mnt
3) tar up /mnt and store safely
4) recreate your partition layout, manually setting up encryption and LVM
5) mount the new structure in /mnt
6) untar
7) mount --bind dev proc sys, and chroot into /mnt
8) configure /etc/crypttab, /etc/init, /boot/menu/grub.lst and possibly more depending on specific distro
9) reinstall grub
10) recreate initrd
11) reboot without the live cd.

I have found, especially when doing this for the first time with a different distro, that it may be necessary to repeat steps 1, 5, 7, 8, 10 and 11 a few times to get it right.
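
Steps 3 to 6 of the procedure above written out as a shell plan, as an added example that is not part of phil.d.g's post. The device names, mapping name, volume group, swap size and backup path are assumptions, and the script only prints the commands unless DRY_RUN=0 is set.

```bash
#!/bin/bash
# Added example: steps 3-6 of the live-CD procedure as a reviewable plan.
# Assumed, not from the thread: /boot already on /dev/sda1, old root on
# /dev/sda2 (becomes the encrypted PV), mapping "cryptpv", VG "vg0",
# a 2G swap LV, and an external disk mounted at /backup.
# DRY_RUN=1 (default) only prints commands; DRY_RUN=0 WIPES $PV_DEV.
DRY_RUN=${DRY_RUN:-1}
BOOT_DEV=${BOOT_DEV:-/dev/sda1}
PV_DEV=${PV_DEV:-/dev/sda2}
MAP=${MAP:-cryptpv}
VG=${VG:-vg0}
BACKUP=${BACKUP:-/backup/rootfs.tar}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

encrypt_root_plan() {
    # Step 3: archive the old system; numeric IDs survive the live CD's
    # different passwd/group files.
    run tar --numeric-owner -C /mnt -cpf "$BACKUP" . || return 1
    run umount /mnt/boot || return 1
    run umount /mnt || return 1
    # Step 4: LUKS on the PV partition, then LVM inside the opened mapping.
    run cryptsetup luksFormat "$PV_DEV" || return 1
    run cryptsetup luksOpen "$PV_DEV" "$MAP" || return 1
    run pvcreate "/dev/mapper/$MAP" || return 1
    run vgcreate "$VG" "/dev/mapper/$MAP" || return 1
    run lvcreate -L 2G -n swap "$VG" || return 1
    run lvcreate -l 100%FREE -n root "$VG" || return 1
    run mkswap "/dev/$VG/swap" || return 1
    run mkfs.ext3 "/dev/$VG/root" || return 1
    # Step 5: mount the new structure; /boot stays unencrypted.
    run mount "/dev/$VG/root" /mnt || return 1
    run mkdir -p /mnt/boot || return 1
    run mount "$BOOT_DEV" /mnt/boot || return 1
    # Step 6: restore the archive onto the encrypted root.
    run tar --numeric-owner -C /mnt -xpf "$BACKUP" || return 1
}

encrypt_root_plan
```

Steps 7 to 10 (chroot, crypttab, grub and the initrd) differ per distro and are left out of this sketch.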
 
Old 07-11-2010, 11:41 PM   #5
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Original Poster
Rep: Reputation: Disabled
hi!

thanks for the tips. i would like to encrypt the root folder and /var/www/html/mywwwfolder because i'm a php programmer and i would like to keep my php files inaccessible. but i don't know if they will still be accessible via browser. or should i use other method to keep php files safe?

thanks
 
Old 07-12-2010, 12:09 AM   #6
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
Quote:
Originally Posted by spyrest
i would like to encrypt the root folder and /var/www/html/mywwwfolder because i'm a php programmer and i would like to keep my php files inaccessible. but i don't know if they will still be accessible via browser. or should i use other method to keep php files safe?
Ah, that changes everything. PHP won't be able to access the files it needs to run the website(s) if you encrypt them with anything "generic". You will have to use something that PHP understands. Something designed specifically to protect PHP source code. Maybe you could start looking for this:

http://www.google.com/search?num=20&...0encryption%22

You might as well ask that question in specific PHP forums. You're more likely to find useful answers there.
 
1 members found this post helpful.
Old 07-12-2010, 11:16 PM   #7
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove
Ah, that changes everything. PHP won't be able to access the files it needs to run the website(s) if you encrypt them with anything "generic". You will have to use something that PHP understands. Something designed specifically to protect PHP source code. Maybe you could start looking for this:

http://www.google.com/search?num=20&...0encryption%22

You might as well ask that question in specific PHP forums. You're more likely to find useful answers there.
thank you very much! i will look after what you said, but for example i have sensitive data in root folder. for example there is a .sh cron job with sensitive information in it. can i encrypt it without stopping it working? or if i encrypt it, will it stop working also?

thanks a lot!
 
Old 07-13-2010, 09:02 AM   #8
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
Quote:
Originally Posted by spyrest
thank you very much! i will look after what you said, but for example i have sensitive data in root folder. for example there is a .sh cron job with sensitive information in it. can i encrypt it without stopping it working? or if i encrypt it, will it stop working also?
If you choose to encrypt the whole partition, it will be unlocked when you boot, so everything will work just as if everything were not encrypted. Encrypted partitions are encrypted when they are "sleeping", i.e. not being used. When you use them, you unlock them first, so they are open. Think of them as safe boxes.

The alternative would be to encrypt files individually. That would surely prevent your cron job from working. The system/shell would try to run the job file/script and would not know what to do with it, because it would be encrypted.

We seem to be talking about a box that runs PHP and serves at least one Web site. In that case, you have to consider the kind of access you have to that box. If it is a rented remote server, I don't think you can encrypt its root partition. Maybe some staff can do it for you, but then they will have your password. If you have physical access to the box, then OK, you can encrypt partitions, even the root partition if that's necessary.
 
Old 07-14-2010, 12:07 AM   #9
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove
If you choose to encrypt the whole partition, it will be unlocked when you boot, so everything will work just as if everything were not encrypted. Encrypted partitions are encrypted when they are "sleeping", i.e. not being used. When you use them, you unlock them first, so they are open. Think of them as safe boxes.

The alternative would be to encrypt files individually. That would surely prevent your cron job from working. The system/shell would try to run the job file/script and would not know what to do with it, because it would be encrypted.

We seem to be talking about a box that runs PHP and serves at least one Web site. In that case, you have to consider the kind of access you have to that box. If it is a rented remote server, I don't think you can encrypt its root partition. Maybe some staff can do it for you, but then they will have your password. If you have physical access to the box, then OK, you can encrypt partitions, even the root partition if that's necessary.
okay, thanks.

i have physical access, because it's my own server. so it seems to me that it would be the best to encrypt the whole partition. now. how can i do it without reinstalling the whole system? and the other thing: if the server is down and needs to be rebooted, do i have to go to it physically all the time to type in the encryption password? or can it be set up like when booting up, not to ask for the password, and when somebody would steal the hdd, and put it into another pc to access data (i mean not booting up from it, just as a storage), to ask for the password?

thanks a lot!
 
Old 07-14-2010, 12:48 AM   #10
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
Quote:
Originally Posted by spyrest
i have physical access, because it's my own server. so it seems to me that it would be the best to encrypt the whole partition. now. how can i do it without reinstalling the whole system? and the other thing: if the server is down and needs to be rebooted, do i have to go to it physically all the time to type in the encryption password? or can it be set up like when booting up, not to ask for the password, and when somebody would steal the hdd, and put it into another pc to access data (i mean not booting up from it, just as a storage), to ask for the password?
The only way to encrypt the root partition without reinstalling the system is by doing some data juggling:

- boot from a live CD and copy all the data from your root partition to another partition (or an external disk);

- shred (erase) all data in the root partition;

- encrypt the root partition, then create (format) a new file system on the encrypted volume;

- transfer all the data back into it.

The whole system will be back where it was, now on an encrypted partition. However, that partition is not bootable. You will have to edit some system files accordingly, still running from the boot CD.

As a starting point, you may read this thread, where I explain how to encrypt partitions. However, my method does not contemplate encrypting the root partition.

You could read this page for complementary information, but alas, they decided to take the page down for some reason. Sigh... You still can catch it in Google cache though. You may also want to check out other pages on that topic. This one looks good.

If the machine needs to be rebooted, someone has to be there to enter the password at boot. You can't do that remotely. Not that I know of! You can configure it to open automatically with a file key, but that pretty much defeats the entire purpose. Whoever boots that disk will have a disk that decrypts automatically, all the data will be exposed immediately. If someone tries to access the data on that partition without booting, yes, a password will be required because the partition will be encrypted and there won't be system files (/etc/crypttab) decrypting it automatically. But the risk is very high. If the thief decides to boot from that disk out of curiosity, if out of nothing else, he will have the partition decrypted automatically and instant access to all your treasures.

Good luck.
 
2 members found this post helpful.
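
A check for the trade-off described in the post above, as an added example that is not part of the original post: it reads crypttab entries and reports which volumes wait for a passphrase and which open by themselves from a key file. The function names, verdict labels and the sample crypttab are constructed for illustration.

```bash
#!/bin/bash
# Added example: classify /etc/crypttab entries by how they get unlocked.
# Fields per line: name  device  keyfile  options
#   PROMPT      - "none" or "-": someone must type the passphrase at boot
#   RANDOM_KEY  - /dev/urandom or /dev/random: fresh key each boot (swap)
#   AUTO_UNLOCK - key file read at boot: whoever boots the disk gets the data
#   MANUAL      - "noauto" option: entry is skipped at boot
# Returns 1 if any entry is AUTO_UNLOCK, 0 otherwise.
audit_crypttab() {
    local name dev key opts verdict risky=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # blank line or comment
        key=${key:-none}                            # keyfile field is optional
        case "$key" in
            none|-)                   verdict=PROMPT ;;
            /dev/urandom|/dev/random) verdict=RANDOM_KEY ;;
            *)                        verdict=AUTO_UNLOCK ;;
        esac
        case ",$opts," in *,noauto,*) verdict=MANUAL ;; esac
        [ "$verdict" = AUTO_UNLOCK ] && risky=1
        printf '%s\t%s\t%s\n' "$name" "$verdict" "$key"
    done
    return "$risky"
}

# Constructed sample input, not taken from any real system.
sample_crypttab() {
    cat <<'EOF'
# name      device     keyfile             options
cryptroot   /dev/sda2  none                luks
cryptdata   /dev/sdb1  /etc/keys/data.key  luks
cryptswap   /dev/sda3  /dev/urandom        swap
archive     /dev/sdc1  /root/archive.key   luks,noauto
EOF
}

sample_crypttab | audit_crypttab || echo "auto-unlocking entries found"
```

On a real system, feed it the file directly with `audit_crypttab < /etc/crypttab`.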
Old 07-14-2010, 11:19 PM   #11
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove
The only way to encrypt the root partition without reinstalling the system is by doing some data juggling:

- boot from a live CD and copy all the data from your root partition to another partition (or an external disk);

- shred (erase) all data in the root partition;

- encrypt the root partition, then create (format) a new file system on the encrypted volume;

- transfer all the data back into it.

The whole system will be back where it was, now on an encrypted partition. However, that partition is not bootable. You will have to edit some system files accordingly, still running from the boot CD.

As a starting point, you may read this thread, where I explain how to encrypt partitions. However, my method does not contemplate encrypting the root partition.

You could read this page for complementary information, but alas, they decided to take the page down for some reason. Sigh... You still can catch it in Google cache though. You may also want to check out other pages on that topic. This one looks good.

If the machine needs to be rebooted, someone has to be there to enter the password at boot. You can't do that remotely. Not that I know of! You can configure it to open automatically with a file key, but that pretty much defeats the entire purpose. Whoever boots that disk will have a disk that decrypts automatically, all the data will be exposed immediately. If someone tries to access the data on that partition without booting, yes, a password will be required because the partition will be encrypted and there won't be system files (/etc/crypttab) decrypting it automatically. But the risk is very high. If the thief decides to boot from that disk out of curiosity, if out of nothing else, he will have the partition decrypted automatically and instant access to all your treasures.

Good luck.
thank you very very much!

for a certain level you are right about boot time password skip, but if you make your folders only readable by root for example, someone who decides to boot from the disk out of curiosity, will not be able to access data. so i think it would not be useless if such feature would exist in an encrypting software.

thanks again!
 
Old 07-23-2010, 10:35 AM   #12
spyrest
LQ Newbie
 
Registered: Jul 2010
Posts: 6

Original Poster
Rep: Reputation: Disabled
would it be a little bit easier if i would set up a mirror softraid? i would put in a hdd with an encrypted fs on it. would it be possible?
 
Old 07-23-2010, 10:48 PM   #13
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Rep: Reputation: 110Reputation: 110
I have no experience with RAID. I hope someone else can help you with that.
 
  

