|
Lines 197-202
|
| 197 |
# (thanks to Mike Hommey for this example) |
197 |
# (thanks to Mike Hommey for this example) |
| 198 |
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - - |
198 |
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - - |
| 199 |
|
199 |
|
|
|
200 |
# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME |
| 201 |
# user1 has an encrypted home that uses his/her system passwd as the |
| 202 |
# encryption key |
| 203 |
# To create a USB dongle secured user see user2: |
| 204 |
# Define a user key and group key to use a USB dongle as an encrypted |
| 205 |
# file system for the key to the user2 file system - so user would need |
| 206 |
# the USB dongle, the password for user key and the password for user |
| 207 |
# user2. in order to access the encrypted home of user2. Note that |
| 208 |
# without the first two the user can still log in and create files |
| 209 |
# on his home directory mount point. However the security for the |
| 210 |
# encrypted volume is much better since a dictionary attack would need |
| 211 |
# the dongle. See http://www.counterpane.com/twofish-final.html |
| 212 |
# for a discussion on why twofish is a good choice. This setup works |
| 213 |
# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2 |
| 214 |
# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2, |
| 215 |
# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify |
| 216 |
# /etc/pam.d/login and /etc/pam.d/kde per docs |
| 217 |
#volume key local - /dev/sda2 /key loop,encryption=twofish - - |
| 218 |
#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - - |
| 219 |
#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key |
| 220 |
# /etc/fstab contains |
| 221 |
#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0 |
| 222 |
#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0 |
| 223 |
# |
| 224 |
# Device-Mapper based encryption (dm-crypt) |
| 225 |
# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been |
| 226 |
# deprecated. To use the new dm-crypt interface, you will have to adapt |
| 227 |
# the preceding examples to use "crypt" instead of "local" as filesystem |
| 228 |
# type. Additionally the cipher algorithm is specified via the "cipher" |
| 229 |
# option (to distinguish from cryptoloop's "encryption"). Thus, the |
| 230 |
# user1 example would look like this: |
| 231 |
#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - - |
| 232 |
# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in |
| 233 |
# the forums: http://forums.gentoo.org/viewtopic.php?t=274651 |
| 234 |
# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To |
| 235 |
# use luks, you need to have cryptsetup-luks (get it at |
| 236 |
# http://luks.endorphin.org/dm-cryp) installed. A config line would be |
| 237 |
#volume user1 crypt - /dev/yourpartition /yourmountpoint - - - |
| 238 |
# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header. |
| 239 |
# END GENTOO EXAMPLES |
| 200 |
|
240 |
|
| 201 |
# Details: |
241 |
# Details: |
| 202 |
# Local user configuration (~/.pam_mount.conf) can extend this. |
242 |
# Local user configuration (~/.pam_mount.conf) can extend this. |
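Review bot: The cryptoloop examples at new lines 217-222 (`local` with `loop,encryption=twofish`) come before the paragraph at 224-230 that says cryptoloop has been deprecated since Linux 2.6.4, so a reader working top-down copies the deprecated form first. Suggest putting the dm-crypt and LUKS lines (231 and 237) at the top of the block and marking 217-222 as legacy. Smaller points in the same hunk: line 219 uses `bf-ecb` for the key file while the surrounding text argues for twofish, with no explanation of the difference; the URL on line 236 (`http://luks.endorphin.org/dm-cryp`) looks cut off; line 238 spells "cypher" where line 228 uses "cipher"; and lines 206-207 read "the password for user user2. in order to", with a doubled "user" and a stray full stop. The caveat at 207-209 that the user can still log in and write to the bare mount point when the volume is not mounted deserves its own sentence, since those files end up unencrypted.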