
Re: Full Disk Encryption



On Tue, 29 Nov 2011 00:23:10 -0700
Aaron Toponce <aaron.toponce@gmail.com> wrote:

> Because this is a subject near and dear to my heart, I feel the urge to
> chime in.
> 
> On Sat, Nov 26, 2011 at 10:45:29AM +0530, J. Bakshi wrote:
> > I am always interested in Full disk encryption for my laptop ( i5 + 3 GB ), but what makes me stop
> > is the thinking of performance lag. Recently I have seen an Ubuntu laptop ( i5 + 4 GB ) with full
> > disk encryption and it is performing normal, haven't found any lag...
> 
> I have done extensive benchmarking, and have found that you will have
> different performance results, based on the cipher and key size that you
> choose. ECB (electronic code block) outperforms the other block ciphers,
> but it suffers from a pattern attack [1]. As a result, when using a LUKS
> formatted partition/volume with cryptsetup(8), I usually do the following:
> 
>     # dd if=/dev/urandom of=/path/to/device bs=4096
>     # cryptsetup luksFormat -c aes -s 128 /path/to/device
> 
> The first step, obviously, is to fill the entire device with pseudorandom
> data, so it is not clear where the encrypted filesystem starts and ends.
> Then, I create the encrypted filesystem in the second step. Those options
> have given me the best performance, with ~1-2% hit on reads, and ~5% hit on
> writes.
> 
>     1. http://ae7.st/s/i.pr
> 
> > So I am interested to give the FUD a try on my own laptop. How can I proceed ? My laptop is Debian wheezy
> > with lots of important data.. so backup is must.. but what next ? What configuration will give me a better
> > performance , LVM based or simple partition based ? Presently excluding swap I have 3 reiserfs partition for / ; /home
> > and /movie ... no LVM. Like to hear some feedback from you guys..
> 
> LVM will add some additional overhead, but nothing more than ~2% hit for
> writes. Usually, I'll set up my filesystem as follows:
> 
>     # dd if=/dev/urandom of=/path/to/device bs=4096
>     # cryptsetup luksFormat -c aes -s 128 /path/to/device
>     # cryptsetup luksOpen /path/to/device crypt-device
>     # pvcreate /dev/mapper/crypt-device
>     # vgcreate data /dev/mapper/crypt-device
>     # lvcreate -l 100%FREE -n crypt-volume data
>     # mkfs.ext4 /dev/data/crypt-volume
>     # mount /dev/data/crypt-volume /mnt
> 
> At which point I can start copying data. If the device has already been
> filled with pseudorandom or encrypted data, then there is no point in
> running the dd(1) step.
> 
> Hope that helps.
> 

Thanks for sharing

