27.3. Encrypting Partitions and Files

27.3.1. Application Scenarios

Every user has some confidential data not intended to be accessible by third parties. The more connected and mobile you are, the more paranoid you should be handling your data. The encryption of files or of whole partitions is always sensible when third parties have access over a network connection or direct physical access. The following list features a few imaginable usage scenarios.


If you commute or travel with your laptop, it can be a very good idea to encrypt the partitions on the hard disk that contain confidential data. If you lose your laptop or it is stolen, your data is safe from access in an encrypted file system residing in a single file.

Removable Media

USB flash drives or external hard disks are as prone to being stolen as laptops. A encrypted file system offers protection against third parties in those cases.

27.3.2. Setting up a Crypto File System with YaST

YaST offers the encryption of files or partitions during installation as well as in an already installed system. An encrypted file can always be created, because it fits nicely in an existing partition layout. To encrypt an entire partition, you need to dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST does not, by default, include an encrypted partition. Add it manually in the partitioning dialog. Creating an Encrypted Partition during Installation

[Warning]Password Input

Observe the warnings about password security when creating the password for encrypted partitions and memorize it well. Without the password, it is impossible to access the encrypted data.

The YaST expert dialog for partitioning, described in 1.5.5. “Expert Partitioning with YaST”, offers the options necessary for creating an encrypted partition. Click Create like when creating a regular partition. In the dialog that opens, enter partitioning parameters for the new partition, such as the desired formatting and the mount point. Complete the creating by clicking Encrypt File System. In the following dialog, set the password and repeat it for security reasons. The new encrypted partition is created after the partitioning dialog is completed by clicking OK. The operating system queries the user for that password while booting before the partition can be mounted.

If you do not want to mount the encrypted partition during start-up, hit Enter when prompted for the password. Then decline the offer to enter the password again. The encrypted file system is not mounted in this case and the operating system continues booting, which is the safer way of protecting your data. The partition is available to all users once it has been mounted.

If the encrypted file system should only be mounted when necessary, check Do Not Mount During Booting in the fstab Options dialog. The corresponding partition will not be considered for mounting during system start-up. To make it available afterwards, mount it manually with mount <name_of_partition> <mount_point>. Enter the password when prompted to mount the partition. When finished with the partition, unmount it with umount name_of_partition to keep it safe from access by other users. Creating an Encrypted Partition on a Running System

[Warning]Activating Encryption in a Running System

It is also possible to create encrypted partitions on a running system like during installation. However, encrypting an existing partition destroys all data on it.

On a running system, select System+Partitioning in the YaST control center. Click Yes to proceed. Instead of selecting Create, as mentioned above, click Edit. The rest of the procedure is the same. Installing Encrypted Files

As well as using a partition, it is possible to create encrypted file systems within single files for holding confidential data. These are created from the same YaST dialog. Select Crypt File and enter the path to the file to create along with its intended size. Accept the proposed settings for formatting and the file system type. Then specify the mount point and decide whether the crypto file system should be mounted during boot.

27.3.3. Encrypting the Content of Removable Media

Removable media, like external hard disks or USB flash drives, are recognized by YaST like any other hard disk. It is possible to encrypt files or partitions on such media by proceeding as described above. Do not select to mount these media during boot, because they are usually only connected while the system is running.