
Re: LVM+RAID+CRYPT



2010/1/8 Γιώργος Πάλλας <gpall@ccf.auth.gr>:
> Stan Hoeppner wrote:
>>
>> Sjors van der Pluijm put forth on 1/8/2010 5:13 AM:
>>
>>
>>>
>>> 3. Is it ok to have swap and /boot on an encrypted LVM?
>>>
>>
>> Never run encryption on swap.  Doing so merely burdens performance.  I doubt
>> even NSA, CIA, MI6 encrypt swap partitions on workstations.
>>
>> I've never tried to boot from an encrypted /boot, so I really can't say if it
>> would work or not.  Why can't/won't you create 3 partitions?
>>
>> [boot] 100MB mounted as /boot normal ext2
>> [swap] 1-8GB mounted as normal swap partition
>> [root] [remaining space] mounted as /root and encrypted however you like
>>
>
> I run a couple of identical machines, some with full disk encryption (i.e.
> everything including swap except /boot which you cannot encrypt) and some
> where only home is encrypted with LUKS. Never noticed any performance
> impact. I think that swap encryption is *mandatory* for the reason of there
> being written many things that shouldn't in case they are sensitive. And I
> guess this is why the approach of the Debian installer, should you choose to
> encrypt, includes swap encryption.
>
> G.
>

I second most opinions here.

Mainly: NEVER leave swap unencrypted if encryption is for security
(i.e. anything more than just playing around with encryption) as any
data that's on your computer RAM might at some point be written to the
swap space and that has

Also, I would not leave / (root) unencrypted as that might hold
sensitive information too. In my work laptop I have custom entries in
/etc/hosts, I also have an apache/php setup that holds company info,
etc.

The recommended setup to encrypt everything but /boot is good and I
could not perceive any performance degradation (even though I'm sure
there must be some, it is not something that gets in my way).

Cheers,
Cassiano Leal
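
Added example, not part of the thread: a check that every active swap area sits on dm-crypt, following LVM and MD RAID stacking down through sysfs. It assumes the `CRYPT-` prefix that cryptsetup gives the device-mapper uuid of its mappings; the function names are this example's own.

```python
import os

def parse_swaps(text):
    """Return (path, type) pairs from /proc/swaps content (line 1 is a header)."""
    rows = (line.split() for line in text.splitlines()[1:])
    return [(r[0], r[1]) for r in rows if len(r) >= 2]

def is_encrypted(name, sysfs="/sys/class/block"):
    """True if block device `name` is a dm-crypt mapping, or is stacked
    (LVM, MD RAID) only on devices that are."""
    try:
        with open(os.path.join(sysfs, name, "dm", "uuid")) as f:
            if f.read().startswith("CRYPT-"):  # assumed cryptsetup uuid prefix
                return True
    except OSError:
        pass  # not a device-mapper device
    try:
        slaves = os.listdir(os.path.join(sysfs, name, "slaves"))
    except OSError:
        slaves = []
    # A plain disk or partition has nothing beneath it: unencrypted.
    return bool(slaves) and all(is_encrypted(s, sysfs) for s in slaves)

def audit_swap(swaps_text, sysfs="/sys/class/block"):
    """Map each active swap area to True (encrypted), False (plaintext),
    or None (swap file: check its filesystem's backing device by hand)."""
    result = {}
    for path, kind in parse_swaps(swaps_text):
        if kind != "partition":
            result[path] = None
        else:
            # /dev/mapper/* names are symlinks to /dev/dm-N; resolve them.
            dev = os.path.basename(os.path.realpath(path))
            result[path] = is_encrypted(dev, sysfs)
    return result

if __name__ == "__main__":
    labels = {True: "encrypted", False: "PLAINTEXT", None: "swap file, check manually"}
    with open("/proc/swaps") as f:
        for path, ok in audit_swap(f.read()).items():
            print(path, labels[ok])
```

A swap logical volume inside a LUKS-backed volume group reports as encrypted; a bare partition such as the `[swap]` in the three-partition layout quoted above reports as plaintext.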

