
Re: Full Disk Encryption

J. Bakshi wrote:
> I am always interested in Full disk encryption for my laptop ( i5 +
> 3 GB ), but what makes me stop is the thinking of performance
> lag. Recently I have seen an ubuntu laptop ( i5 + 4 GB ) with full
> disk encryption and it is performing normal, haven't found any
> lag...

I have been using full disk encryption on my 2004 T42 1.7GHz Pentium M
with 1G ram without any significant performance issues.  Before I
installed it I benchmarked building various projects of mine both on
an installation without encryption and then on an installation with
encryption.  I don't have the data from that handy now but I recall it
being rather not a big deal.  The safety of the encrypted disk was
much more significant.

That was on my old 1.7GHz Pentium M with 1G of ram.  Any faster
machine should perform better.  Your i5 should blow it away on
performance.  I wouldn't have a concern at all.

> So I am interested to give the FUD a try on my own laptop. How can I
> proceed ? My laptop is debian wheezy with lots of important
> data.. so backup is a must.. but what next ? What configuration will
> give me a better performance , LVM based or simple partition based ?
> Presently excluding swap I have 3 reiserfs partitions for / ; /home
> and /movie ... no LVM. Like to hear some feedback from you guys..

AFAIK you cannot hot-convert your system.  You will need to create the
filesystem fresh in order to have an encrypted filesystem.  That
obviously means that you should back up everything to someplace
offline so that you can restore your files later.  Because you can't
convert them in place.

But it also means that you have the same opportunity that I had.
After backing everything up so that you can install a clean system you
should install several different configurations and then benchmark
each of those configurations.  Keep track of the data so that you can
compare the performance of each.  Nothing is as powerful as an actual
example with data.

One configuration should be a fresh install with no encryption as a
control.  That should be your baseline peak performance configuration.
One test case should use the smallest encryption key.  One test case
should use a large encryption key.  (IIRC you have choices of AES 128,
196 and 256 bits or something like that.)  Having data in your hand
you won't need to believe FUD and can use the results you have
determined.  I am confident you won't have any reason not to use full
disk encryption.  There will be a performance hit but it provides
safety that is unobtainable otherwise.

The way I like to set up the system is to set up /boot in its own
partition on /dev/sda1.  Then set up the rest of the disk in /dev/sda5
as a logical partition for an encrypted partition.  Then use that
encrypted partition for one large LVM volume.  This includes swap.
You definitely want to encrypt swap along with everything else.  Only
/boot is unencrypted so that it can ask you for the encryption key and
then load the operating system.  Everything else goes into a large LVM
volume on a large encrypted partition.  With only one encrypted
partition it will ask you for the passphrase only once.  (Some people
make the mistake of creating many encrypted partitions and then get
asked the passphrase for each and every one of them at boot time.
Definitely not as friendly.)

Then partition out space for swap and your choice of filesystem
partition assignments.  For my laptop I put everything in one large
root partition.  I am the sole user and it doesn't operate without me
in attendance and therefore I know what is going on with it.  (For a
server I *always* split out /var and quite a few other partitions for
as small a root partition as possible and resizable partitions for
dedicated applications.)

Bob
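As an added example (not part of Bob's message, and not a Debian tool), here is a small POSIX shell script that covers the two practical pieces of advice above: after the reinstall, confirm that every mounted filesystem except /boot and every active swap partition really sits on top of a dm-crypt (LUKS) layer, and run a repeatable fsync'd write benchmark so the unencrypted control install can be compared against encrypted installs with different key sizes. It assumes GNU coreutils (dd, date with %N), util-linux (lsblk, findmnt) and Linux /proc/swaps; the labels, scratch directory, file size and CSV name are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message.
#   check_encrypted_layout      - report mounted filesystems / swap that
#                                 are NOT under a dm-crypt layer
#   run_bench LABEL DIR MIB N   - median MB/s of N fsync'd writes, appended
#                                 to a CSV as "LABEL,MBps"
#   compare_csv CSV BASELABEL   - overhead of each label vs. the baseline
# Assumptions: GNU dd/date, util-linux lsblk/findmnt, /proc/swaps present.

set -eu

# Reads "lsblk -sno TYPE <dev>" output (device plus its ancestors, one
# TYPE per line) from stdin; succeeds if a crypt layer is in the chain.
has_crypt_layer() {
    grep -qx crypt
}

# Prints "ok <dev>" or "CLEAR <dev>" for each block device backing a
# mounted filesystem (except /boot, which must stay unencrypted so it can
# prompt for the passphrase) and for each active swap partition.
check_encrypted_layout() {
    {
        findmnt -rno SOURCE,TARGET | awk '$1 ~ "^/dev/" && $2 != "/boot" { print $1 }'
        awk 'NR > 1 && $2 == "partition" { print $1 }' /proc/swaps
    } | sort -u | while read -r dev; do
        if lsblk -sno TYPE "$dev" | has_crypt_layer; then
            printf 'ok      %s\n' "$dev"
        else
            printf 'CLEAR   %s\n' "$dev"
        fi
    done
}

# Median of one number per line on stdin (assumption: numeric input).
median() {
    sort -n | awk '{ v[NR] = $1 }
        END { if (NR % 2) print v[(NR + 1) / 2];
              else printf "%.2f\n", (v[NR / 2] + v[NR / 2 + 1]) / 2 }'
}

# Percentage by which $2 (measured) falls short of $1 (baseline).
overhead_pct() {
    awk -v b="$1" -v m="$2" 'BEGIN { printf "%.2f\n", (b - m) / b * 100 }'
}

# One trial: MB/s for writing $2 MiB into $1 with fsync, so the page cache
# cannot hide the cost of dm-crypt.
write_trial() {
    dir=$1; mib=$2
    start=$(date +%s.%N)
    dd if=/dev/zero of="$dir/bench.tmp" bs=1M count="$mib" conv=fsync 2>/dev/null
    end=$(date +%s.%N)
    awk -v s="$start" -v e="$end" -v m="$mib" 'BEGIN { printf "%.2f\n", m / (e - s) }'
}

# Runs $4 trials and appends "label,median" to the CSV (default fde-bench.csv).
run_bench() {
    label=$1; dir=$2; mib=$3; trials=$4; csv=${5:-fde-bench.csv}
    i=0; results=""
    while [ "$i" -lt "$trials" ]; do
        results="$results $(write_trial "$dir" "$mib")"
        i=$((i + 1))
    done
    rm -f "$dir/bench.tmp"
    med=$(printf '%s\n' $results | median)
    printf '%s,%s\n' "$label" "$med" >> "$csv"
    echo "$label: $med MB/s (median of $trials trials)"
}

# Prints every label in the CSV with its overhead relative to $2.
compare_csv() {
    csv=$1; base=$2
    b=$(awk -F, -v l="$base" '$1 == l { print $2 }' "$csv" | tail -n 1)
    while IFS=, read -r label mbps; do
        printf '%-16s %8s MB/s  %6s%% slower than %s\n' \
            "$label" "$mbps" "$(overhead_pct "$b" "$mbps")" "$base"
    done < "$csv"
}

# Usage: ./fde-check.sh check
#        ./fde-check.sh bench control /home 512 5
#        ./fde-check.sh compare fde-bench.csv control
case ${1:-} in
    check)   check_encrypted_layout ;;
    bench)   shift; run_bench "$@" ;;
    compare) shift; compare_csv "$@" ;;
esac
```

Run the bench step on each fresh install with the same label scheme (say control, aes128, aes256), keep the CSV somewhere outside the disk being reinstalled, and the compare step gives the overhead figures directly. A "CLEAR" line from the check step for anything other than /boot, and in particular for swap, means that device is outside the LUKS container and the layout is not what the thread describes.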
