
Re: OS and file system encryption



Jochen Schulz wrote:
> Jochen Schulz:
>   
>> Tigran Varosyan:
>>     
>>> I have read that Linux has software available that can encrypt the OS and the
>>> file system to a degree that even with physical access to the HD, the data
>>> cannot be extracted. I was told that this slows the systems down quite a bit
>>> but that it is very functional. This sounds like interesting technology and
>>> I would like to experiment with it.
>> I didn't try it myself, but I think the most popular solution is
>> dmcrypt, which allows you to encrypt everything, even your root and swap
>> partition.
> To be precise, the package you are probably looking for is cryptsetup,
> which is a set of scripts which make it easy to set up dm-crypt.

My home desktop system has almost all encrypted filesystems (/, /home,
swap, and an external usb drive); the only unencrypted partition is a
small /boot partition containing the kernels and initial ramdisks needed
to boot the system. I used the cryptsetup package to configure the
encrypted disks, mostly following the directions in
/usr/share/doc/cryptsetup/CryptoRoot.HowTo.

I would not recommend this procedure to someone without at least a year
or two of experience administering Debian systems. Additionally, I would
suggest becoming familiar with dm-crypt itself, and with the general
ideas behind encrypted block devices before proceeding.

As for the speed... in all cases, I am using twofish with a 256-bit key,
via the dm-crypt system. The slowdown is definitely measurable, but it
is not as large as one might expect:
> debian:/home/cmr# hdparm -t /dev/hde1
>
> /dev/hde1:
>  Timing buffered disk reads:  174 MB in  3.01 seconds =  57.76 MB/sec
>
> debian:/home/cmr# hdparm -t /dev/mapper/home
>
> /dev/mapper/home:
>  Timing buffered disk reads:  110 MB in  3.06 seconds =  35.91 MB/sec
(On my system, /dev/hde is a two-disk hardware RAID 1 of ATA disks (not
SATA))

This is something you would probably want to do as part of the initial
installation of the system. Because the howto included with cryptsetup
is based on installing the base system and then copying it to another
partition, you'll need to think carefully about your partitioning. My
solution was to set aside a partition that I would later use as swap,
and install that as the root filesystem. Then, once I had configured all
the encrypted devices and copied the root filesystem over, I wiped the
old (unencrypted) root filesystem and designated it as a swap partition.

In my experience, yaird worked best for generating the initial ramdisks,
and linux-image-2.6.13-1-k8-amd64 was the first Debian kernel that I got
working with this setup. It's worked fine for me up through 2.6.16.

Another thing to consider carefully is your recovery environment. A lot
of folks were hit by a bug in a particular version of yaird that
generated kernels that would not boot for many systems; make sure you
have a liveCD that will support dm-crypt, any ciphers you choose, and is
capable of executing your installed binaries inside a chroot (so you can
regenerate the initrds when they break). It's annoying enough to have
to recover a system from a LiveCD; you don't want to be tearing your
hair out over encryption at the same time :-)


Hope this helps -- best of luck.

cmr
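
Added example, not part of the original message: one way to check that a rescue environment supports dm-crypt and the chosen cipher before relying on it. The function names and the sample /proc/crypto excerpt are constructed for illustration; twofish and the 256-bit (32-byte) key are the choices described in the message above.

```shell
#!/bin/sh
# Added example (not from the original post): rescue-environment pre-flight.
# twofish and the 256-bit (32-byte) key are the post's choices; sample data is constructed.

# cipher_ok NAME KEYBYTES [FILE]: succeed if FILE (default /proc/crypto) lists
# cipher NAME with a key-size range that includes KEYBYTES.
cipher_ok() {
    awk -v want="$1" -v kb="$2" '
        function flush() {
            if (name == want && sized && kb + 0 >= min && kb + 0 <= max) found = 1
            name = ""; sized = 0
        }
        /^name/        { name = $3 }
        /^min keysize/ { min = $4 + 0; sized = 1 }
        /^max keysize/ { max = $4 + 0 }
        /^$/           { flush() }
        END            { flush(); exit(found ? 0 : 1) }
    ' "${3:-/proc/crypto}"
}

# crypt_target_ok [FILE]: succeed if `dmsetup targets` output (FILE or stdin)
# lists the "crypt" target, i.e. dm-crypt is loaded in the running kernel.
crypt_target_ok() {
    awk '$1 == "crypt" { ok = 1 } END { exit(ok ? 0 : 1) }' "${1:--}"
}

# preflight NAME KEYBYTES: run both checks against the live system (needs root).
preflight() {
    cipher_ok "$1" "$2" || { echo "missing cipher: $1 with $2-byte key" >&2; return 1; }
    dmsetup targets | crypt_target_ok || { echo "missing dm-crypt target" >&2; return 1; }
    echo "ok: $1 and dm-crypt are available"
}

# Constructed /proc/crypto excerpt for trying cipher_ok offline.
sample_proc_crypto() {
    cat <<'EOF'
name         : twofish
driver       : twofish-generic
module       : twofish_generic
type         : cipher
min keysize  : 16
max keysize  : 32

name         : sha256
driver       : sha256-generic
type         : shash
digestsize   : 32
EOF
}
```

Run `preflight twofish 32` from the rescue environment itself. /proc/crypto and `dmsetup targets` list only what is currently registered, so a cipher or dm-crypt built as a module has to be loaded before the check will see it.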


