Linux: Creating and using an encrypted data partition

Encrypted disks and/or filesystems are nothing new on Linux; most distributions, these days, allow you to encrypt some or all your disk partitions, so that they can only be accessed with a password. In this tutorial, however, we’re going to add a new encrypted partition to an existing system, using only the command line. I’ve found that tutorials on the web seem to make this issue more complex than it actually is, so here’s mine — hopefully it’ll be easier than most.

In this guide, we’ll be making a few assumptions. First, as said above, it’ll be an existing system, to which we’ve just added a new disk, /dev/sdb . Adapt to your situation, of course. If you’re not using an entire disk, just create a new partition with fdisk (e.g. /dev/sdb1) and use it instead. Second, we’ll have the machine boot with the disk unmounted, then use a command to mount it (asking for a passphrase, of course), and another to dismount it when you don’t need it. The obvious usage of such a partition is for storing sensitive/private data, but theoretically, you could run software on it — as long as you don’t automatically attempt to start it on boot, and don’t mind keeping it mounted most or all of the time, which perhaps defeats its purpose: if it’s mounted, it’s accessible.

So, without further ado…

Continue reading “Linux: Creating and using an encrypted data partition”

Today I Learned: Unix / Linux groups can have passwords

(Welcome to a new section on ZurglToday I Learned. As the name suggests, it’s for sharing Linux-related things I’ve just learned, even though I’ve been using Linux for over 20 years. Some of them may well be pretty basic (just like the following one) and even well-known; still, the “fun” part is that I’ve been able to work as a Linux sysadmin for two decades and administer several personal servers and use it as a desktop from time to time, and still hadn’t had a need for this until now.)

Did you know groups (not users) can have passwords, too? By default they don’t, but the groupadd command has a “-p” option (that requires an already encrypted password, so you’d need to encrypt it first and pipe it there). There’s also a gpasswd command. And, yes, an /etc/gshadow file.

Supposedly, the purpose of group passwords is for users to be able to join a password-protected group with the newgrp command, as long as they enter the group password correctly. If the group doesn’t have a password, then only someone with root access can add a user to it.

(newgrp also allows a user to change their own primary group for the duration of a session, as long as it’s one of their supplementary groups.)