On Fri, 2010-01-08 at 05:26 -0600, Stan Hoeppner wrote:
> Never run encryption on swap. Doing so merely burdens performance. I
> even NSA, CIA, MI6 encrypt swap partitions on workstations.
This is completely contrary to the advice of the encryption folks. You
MUST encrypt swap in order for your system to be secure; otherwise
secrets in RAM may be recoverable from the swap partition.
The setup I've been using has 2 physical disks. Each disk has an boot
partition, a swap partition, and a big remaining partition.
I RAID (0 I think--simple mirroring--apparently anything fancier is
slower) the first and 3rd partitions.
The 3rd partition is all under LVM, and individual logical volumes
within it are encrypted (and fstab says to dynamically encrypt the
I do not RAID the swap (2nd partition), just to get more space (and
maybe it's faster).
I do encrypt the root partition, and I put encryption keys on it to
unlock the other partitions. This avoids having to enter pass-phrases
for every encrypted volume.
If you simply want to encrypt everything, it would be simpler to encrypt
the 3 partition and then run LVM on top of it, ie., bare disk : raid :
encryption: LVM physical volume : LVM logical volumes.
We have encountered one problem: when the first disk failed, we couldn't
boot off the second. I think it needs a different boot partition,
because mirroring the disk 1 paritition to disk 2 means that disk 2
still tries to boot off disk 1 when it starts.
I'm not clear if the differences are really limited the the MBR of the
disks, in which cases mirroring would still be OK. Not mirroring also
doesn't seem a great idea, since then disk 2 will get dated.
Anybody have any pointers about this?
I'm using grub, and got held up because the manual says (under the
if REAL_CONFIG_FILE is present and STAGE2_FILE is a Stage 1.5, then
the Stage 2 CONFIG_FILE is patched with the configuration file name
This seems to say that installation modifies the stage 2 (really, 1.5)
file, which I think is in the partition, not the MBR. That implies as
soon as I boot, RAID will blow the changes away.