Gordon Dexter on 10 Jan 2011 22:06:01 -0800


Re: [PLUG] Alternate /home (new topic)

On Mon, Jan 10, 2011 at 8:58 PM, K.S. Bhaskar <bhaskar@bhaskars.com> wrote:
2011/1/10 Art Alexion <art.alexion@gmail.com>:
> On Mon, Jan 10, 2011 at 1:29 PM, K.S. Bhaskar <bhaskar@bhaskars.com> wrote:
>> 2011/1/10 Art Alexion <art.alexion@gmail.com>:
>>> On Sun, Jan 9, 2011 at 2:09 PM, K.S. Bhaskar <bhaskar@bhaskars.com> wrote:
>>>> I always set up a system with two alternate root partitions.
>>>> Once I set up the initial root partition, I copy it over to another
>>>> partition mounted as /spare.  Getting it to mount requires some minor
>>>> editing of /etc/fstab and grub setup.  Each mounts the other as
>>>> /spare.  I confirm that I can boot both.  Then I boot the alternate
>>>> root only occasionally, just to verify that it's still sound.  Now, if
>>>> I have some software updates go awry, or a version upgrade that fails,
>>>> I just switch to the alternate root (and as likely as not make it my
>>>> main root and recreate the original root from it).
>>>> I always set up an encrypted /home.  But I configure my PC so that I
>>>> can login without /home mounted.  When I cross an international border
>>>> with my laptop, I always cross it with the laptop powered down.  Then
>>>> if I am asked to boot it, I boot it, and can login - but it will be an
>>>> innocuous /home, not my real /home (not that I have ever been asked to
>>>> boot my laptop - just a sensible precaution, IMHO).  To mount the
>>>> encrypted /home, I login as root and run a shell script:
>>>> In these days of monster disks, I usually have the fourth partition
>>>> mounted as /extra from both roots.  I use this for anything that I am
>>>> working on that doesn't need to be encrypted (e.g., since the software
>>>> I work with, GT.M, is FOSS, I don't need an encrypted development
>>>> environment for it).
>>> I really like this idea.  I understand that your shell script switches
>>> between homes, but how did you set it up in the first place?
>> [KSB] Art, I don't quite understand the question.  Are you asking how
>> I initially create a /home?  Or how I mount /home when I boot the
>> laptop?
> I guess I am trying to understand the setup.  Is it simply a matter of
> multiple homes associated with multiple users, one innocuous, and the
> important one encrypted, or is it more than that?

[KSB2] Yes, that's all there is to it!  A /home with innocuous home
directories and an encrypted /home with "real" home directories.  It
won't fool an expert for more than thirty seconds, but that's not my
intent (if I had data that I really wanted to hide, I wouldn't carry
it with me in the first place).  The most likely scenario is being
asked to boot my laptop at a border somewhere for a cursory
examination, and I expect that my scheme will get me past that sort of

-- Bhaskar

Windows does to computers what smoking does to humans
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

My Eee 901 has a similar setup.  The /home partition is encrypted, but using a simple dm_crypt rather than luks, so entering the wrong password just makes it silently fail to mount the home partition, but it boots normally otherwise.  I even have it set to auto-login as my user.  If they ask me to log in I can just type in any old thing and it will show them a desktop without my personal files being revealed.  Borders aren't my primary concern actually; the real reason for this setup is so if somebody steals the laptop they will be able to use it enough to join a wireless network and let the laptop phone home (I posted about that subject previously).
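Why a wrong passphrase "silently fails" with plain dm-crypt, as an added example that is not part of the original post: LUKS puts a fixed magic string at the start of the device and checks the passphrase against a key slot, while plain mode has no header and accepts any passphrase, so the only sign of a wrong one is that no filesystem is recognisable afterwards. The function names, the cipher parameters and the mount flow are assumptions, not the poster's setup.

```shell
#!/bin/sh
# Added example (constructed); not the script used by anyone in this thread.

# Print "luks1", "luks2", "unknown" or "none" for a block device or image file.
# LUKS headers begin with the 6 bytes "LUKS" 0xBA 0xBE, then a 16-bit
# big-endian version number. Plain dm-crypt has no header at all.
luks_version() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || { echo none; return 0; }
    ver=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$ver" in
        0001) echo luks1 ;;
        0002) echo luks2 ;;
        *)    echo unknown ;;
    esac
}

# Open a plain dm-crypt volume and mount it only if the passphrase was right.
# Needs root. Cipher, key size and hash are assumed values: they must match
# what the volume was created with, and defaults differ between cryptsetup
# versions, so pin them explicitly.
open_plain_home() {
    dev=$1; name=$2; mnt=$3
    if [ "$(luks_version "$dev")" != none ]; then
        echo "$dev has a LUKS header; open it with --type luks instead" >&2
        return 2
    fi
    # Prompts for the passphrase; succeeds for ANY passphrase in plain mode.
    cryptsetup open --type plain --cipher aes-xts-plain64 \
        --key-size 256 --hash sha256 "$dev" "$name" || return 1
    # blkid -p probes the mapped device; a wrong key decrypts to noise and
    # no filesystem signature is found.
    if blkid -p "/dev/mapper/$name" >/dev/null 2>&1; then
        mount "/dev/mapper/$name" "$mnt"
    else
        cryptsetup close "$name"
        return 3
    fi
}
```

Because plain mode maps the device even with a wrong passphrase, never run mkfs or write to the mapping unless the filesystem check passed; doing so overwrites the real data.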

