Removing gvfs

It is possible (at least on my systems) to remove gvfs. Why do this? Well it doesn’t do anything useful for me, and it does leave processes lying around after logout. One time it even held open files on a USB drive, which is a real pest when you want to remove it.

Getting rid of gvfs turned out to be really easy. Nothing I use depends on it, although there are some optional dependencies. Nothing I’ve been used to has stopped working, either.

Now if I can get rid of those other non-dying processes…

Posted on Monday, December 5, 2016

Disk Encryption in Linux

My experiment with FreeBSD is over. It just wasn’t worth the bother. FreeBSD is good, but I don’t need to muck about with USB drive mounting (what? In 2016?), layers of compatibility code, and the like. But the final straw was attempting to install TeX and finding that the packaging was such that I had to install either not enough to get the job done, or way too much (i.e. a massive download). So I’m back to Linux.

I set up my little EeePC with an encrypted /home partition in order to keep things somewhat secure in case I lose the thing. Earlier I mentioned how easy this was in FreeBSD. It’s not much different in Linux.

I went the dm-crypt route, as it’s the most straightforward of the options. First, set up the encryption:

# cryptsetup luksFormat /dev/sd??

You get asked for a password, and it’s all done. Next you get the encryption/decryption going.

# cryptsetup open /dev/sd?? home

Finally, create a filesystem.

# mkfs.btrfs /dev/mapper/home

Then you fill in /etc/crypttab with the appropriate data to get the partition unlocked at boot time. In my case, I added the following line:

home       UUID=<the uuid of the partition>    none

The ‘none’ tells dm-crypt to prompt for a password, which happens at boot. And then you’re done! Obviously you still need to add the encrypted filesystem to /etc/fstab to get it mounted, though.
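
A quick way to check that the two files agree, as an added example that is not part of the original post: the function below reads a crypttab and reports, for each mapping, how it is unlocked and whether fstab mounts the matching /dev/mapper device. The function name, the placeholder UUID and the "scratch" mapping are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a crypttab/fstab pair like the one described above.
# File paths are parameters so the check can run on copies of the real files.

check_crypttab() {
    crypttab=${1:-/etc/crypttab}
    fstab=${2:-/etc/fstab}
    status=0
    # crypttab fields: <name> <source device> <key file> [options]
    while read -r name source key opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$source" in
            UUID=*) src="by UUID" ;;
            *)      src="by device path (may change between boots)" ;;
        esac
        case "$key" in
            ''|none|-) unlock="passphrase prompt" ;;
            *)         unlock="key file $key" ;;
        esac
        # First fstab line whose device field is the mapped device; a
        # commented-out line does not match because its first field differs.
        mnt=$(awk -v dev="/dev/mapper/$name" '$1 == dev { print $2; exit }' "$fstab")
        if [ -n "$mnt" ]; then
            echo "$name: $src, $unlock, mounted on $mnt"
        else
            echo "$name: $src, $unlock, NO fstab entry"
            status=1
        fi
    done < "$crypttab"
    return "$status"
}

# Constructed sample files (placeholder UUID, hypothetical "scratch" mapping).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# <name> <device> <key> <options>' \
        'home    UUID=00000000-0000-0000-0000-000000000000 none' \
        'scratch /dev/sdb2 none' > "$dir/crypttab"
    printf '%s\n' '/dev/mapper/home /home btrfs defaults 0 0' > "$dir/fstab"
    check_crypttab "$dir/crypttab" "$dir/fstab" || echo "audit: missing fstab entries"
    rm -rf "$dir"
}
demo
```

Called with no arguments, check_crypttab reads /etc/crypttab and /etc/fstab; it needs no root access as long as those files are readable.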

Posted on Wednesday, April 27, 2016

FreeBSD Disk Encryption

As part of my migration to FreeBSD, I decided I’d better set up disk encryption from the get-go. I’m not too worried about encrypting the software, I’m more worried about someone getting hold of my laptop in a powered-off state and trawling my personal data for interesting tidbits, like passwords. The most worrying are email passwords, which are stored in plaintext (or near enough to it) by both claws-mail and pidgin. But it’s also quite useful to have emails and other documents protected too.

I chose to use the geli system, using documentation found here.

Setting this up proved to be ridiculously easy. I chose not to use a keyfile, but just encrypt the partition with a password. I’m not feeling totally paranoid.

First you initialise a geli-encrypted partition, protected by a password:

# geli init -s 4096 /dev/ada0p3

This initialises the partition with a block size of 4kB. Geli asks for a password.

Then you get geli to create a new device file, based on the encrypted partition, that’s unencrypted and upon which a normal filesystem can be created.

# geli attach /dev/ada0p3

Geli asks for the password at this point, and creates /dev/ada0p3.eli, which can be used as the device file for creating a new filesystem.

# newfs /dev/ada0p3.eli

Create a filesystem on the encrypted device, and you’re done.

FreeBSD is smart enough to attach geli-encrypted partitions at boot time, so halfway through the boot process the machine stops and waits for you to enter the password to decrypt the partition.

Posted on Wednesday, March 16, 2016
