Lines 197-202
Link Here
|
197 |
# (thanks to Mike Hommey for this example) |
197 |
# (thanks to Mike Hommey for this example) |
198 |
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - - |
198 |
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - - |
199 |
|
199 |
|
|
|
200 |
# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME |
201 |
# user1 has an encrypted home that uses his/her system passwd as the |
202 |
# encryption key |
203 |
# To create a USB dongle secured user see user2: |
204 |
# Define a user key and group key to use a USB dongle as an encrypted |
205 |
# file system for the key to the user2 file system - so user would need |
206 |
# the USB dongle, the password for user key and the password for user |
207 |
# user2. in order to access the encrypted home of user2. Note that |
208 |
# without the first two the user can still log in and create files |
209 |
# on his home directory mount point. However the security for the |
210 |
# encrypted volume is much better since a dictionary attack would need |
211 |
# the dongle. See http://www.counterpane.com/twofish-final.html |
212 |
# for a discussion on why twofish is a good choice. This setup works |
213 |
# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2 |
214 |
# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2, |
215 |
# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify |
216 |
# /etc/pam.d/login and /etc/pam.d/kde per docs |
217 |
#volume key local - /dev/sda2 /key loop,encryption=twofish - - |
218 |
#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - - |
219 |
#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key |
220 |
# /etc/fstab contains |
221 |
#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0 |
222 |
#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0 |
223 |
# |
224 |
# Device-Mapper based encryption (dm-crypt) |
225 |
# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been |
226 |
# deprecated. To use the new dm-crypt interface, you will have to adapt |
227 |
# the preceding examples to use "crypt" instead of "local" as filesystem |
228 |
# type. Additionally the cipher algorithm is specified via the "cipher" |
229 |
# option (to distinguish from cryptoloop's "encryption"). Thus, the |
230 |
# user1 example would look like this: |
231 |
#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - - |
232 |
# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in |
233 |
# the forums: http://forums.gentoo.org/viewtopic.php?t=274651 |
234 |
# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To |
235 |
# use luks, you need to have cryptsetup-luks (get it at |
236 |
# http://luks.endorphin.org/dm-cryp) installed. A config line would be |
237 |
#volume user1 crypt - /dev/yourpartition /yourmountpoint - - - |
238 |
# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header. |
239 |
# END GENTOO EXAMPLES |
200 |
|
240 |
|
201 |
# Details: |
241 |
# Details: |
202 |
# Local user configuration (~/.pam_mount.conf) can extend this. |
242 |
# Local user configuration (~/.pam_mount.conf) can extend this. |