Bill Davidsen <davidsen@xxxxxxx> writes:

> Marc Schwartz wrote:
>> Rahul Sundaram <sundaram@xxxxxxxxxxxxxxxxx> writes:
>>
>>> Jan Welker wrote:
>>>> Hi there,
>>>>
>>>> I created multiple encrypted partitions on my Fedora 9 system. All
>>>> of them do have the same password. But I have to enter the password
>>>> for each partition (all together 3 times). Is there a way to enter
>>>> one password for all partitions since they are all the same?
>>> Not yet. This is filed as a RFE at
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=446567
>>>
>>> Rahul
>>
>> That has been an issue for a while, at least for me, under prior
>> versions of Fedora using dm-crypt/luks.
>>
>> With F9, I took a different approach, which was to create a clear
>> partition for /boot and then use LVM to create an encrypted partition group
>> for everything else (eg. /, /home, etc.).
>>
>> Thus, I only get prompted once for the LUKS passphrase at boot.
>>
> I get prompted at boot, but I would have expected to be prompted when
> the f/s was mounted. I wanted to have certain users in a secure f/s,
> /home/secure/USER, where /home/secure was mounted with automount when
> one of those users logged in. I won't say it can't work that way, just
> that right now it doesn't. ;-)
>
> Otherwise FC9 looks acceptably smooth for a new release.

By default, unless you have modified /etc/fstab to set 'noauto' on the
relevant partitions, they will all be mounted at boot and you would be
prompted at that time for the passphrase(s).

I am working on about two hours of sleep, so forgive any incoherence
here, but if you only want the partitions mounted when a user logs in
and then unmounted when the user logs out, you will have to set the
relevant entries in /etc/fstab to 'noauto' and modify the appropriate
global scripts.

You don't indicate if this is on a protected server or a physically
accessible desktop or laptop. That would impact the 'global' approach
that you take with respect to security.

Keep in mind that appropriate access controls can restrict one user
from accessing another user's home tree. That is easier to implement
and manage if this is a protected server, where the user does not have
physical access to the box.

If this is a stand-alone desktop or laptop, where multiple users have
physical access to the system or worse, can walk off with it or the HD,
then you need to consider the practical requirements for creating
encrypted partitions in this manner.

I might consider setting up a primary home tree for each user with a
SysAdmin based passphrase entered at boot. Then each user can log in to
that primary home tree. Once logged in, if they need to encrypt files
they can do so individually with something like PGP.

If they need this to be 'transparent' as would otherwise be provided by
dm-crypt/LUKS, you could set up separate user specific partitions, each
with its own passphrase. These would be separate from the user's main
tree in /home. You can then modify the user specific scripts in their
home trees to mount and prompt them for the passphrase post-login and
then clear and unmount it when they logout.

Whatever you do, if you are the SysAdmin, I would be sure to add a
second LUKS key to each of the user's partitions so that in the event
of an emergency, you can access any data that you need, lest they hold
you hostage over it.

HTH,

Marc Schwartz
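
Added example, not part of the original thread and not the poster's own script: a shell check for the /etc/fstab setting the reply describes, listing the /dev/mapper volumes that lack 'noauto' and are therefore mounted at boot rather than on demand. The sample fstab, its device names and its mount points are constructed, and the check assumes every /dev/mapper entry is a LUKS-backed volume.

```shell
#!/bin/sh
# Added example (not from the thread): report which /dev/mapper volumes an
# fstab mounts at boot, i.e. entries whose options lack 'noauto'.
# Assumption: every /dev/mapper entry here is a LUKS-backed volume.

# Constructed sample fstab; device names and mount points are made up.
sample_fstab() {
cat <<'EOF'
# /etc/fstab (constructed sample)
/dev/sda1               /boot              ext3 defaults         1 2
/dev/mapper/luks-root   /                  ext3 defaults         1 1
/dev/mapper/luks-home   /home              ext3 defaults,noatime 1 2
/dev/mapper/luks-swap   swap               swap defaults         0 0

/dev/mapper/luks-alice  /home/secure/alice ext3 noauto,noatime   0 0
/dev/mapper/luks-bob    /home/secure/bob   ext3 defaults         0 0
EOF
}

# Read fstab text on stdin (or from a file argument) and print the mount
# point of each /dev/mapper entry that is mounted at boot.
boot_mounted_mapper() {
    awk '
        NF < 4 || $1 ~ /^#/       { next }  # blank, short or comment line
        $1 !~ /^\/dev\/mapper\//  { next }  # only device-mapper volumes
        $3 == "swap"              { next }  # swap has no mount point
        {
            # Compare whole options so only an exact "noauto" counts.
            n = split($4, opts, ",")
            deferred = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "noauto") deferred = 1
            if (!deferred) print $2
        }
    ' "$@"
}

echo "Mounted at boot (no noauto option):"
sample_fstab | boot_mounted_mapper
```

Against a real system, pass the file instead of the sample: `boot_mounted_mapper /etc/fstab`.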