Re: Full Disk Encryption
On Sat, 26 Nov 2011 00:00:05 -0700
Bob Proulx <bob@proulx.com> wrote:
> J. Bakshi wrote:
> > I am always interested in Full disk encryption for my laptop ( i5 +
> > 3 GB ), but what makes me stop is the thinking of performance
> > lag. Recently I have seen an Ubuntu laptop ( i5 + 4 GB ) with full
> > disk encryption and it is performing normal, haven't found any
> > lag...
>
> I have been using full disk encryption on my 2004 T42 1.7GHz Pentium M
> with 1G ram without any significant performance issues. Before I
> installed it I benchmarked building various projects of mine both on
> an installation without encryption and then on an installation with
> encryption. I don't have the data from that handy now but I recall it
> being rather not a big deal. The safety of the encrypted disk was
> much more significant.
>
> That was on my old 1.7GHz Pentium M with 1G of ram. Any faster
> machine should perform better. Your i5 should blow it away on
> performance. I wouldn't have a concern at all.
>
> > So I am interested to give the FUD a try on my own laptop. How can I
> > proceed ? My laptop is debian wheezy with lots of important
> > data.. so backup is must.. but what next ? What configuration will
> > give me a better performance , LVM based or simple partition based ?
> > Presently excluding swap I have 3 reiserfs partition for / ; /home
> > and /movie ... no LVM. Like to hear some feedback from you guys..
>
> AFAIK you cannot hot-convert your system. You will need to create the
> filesystem fresh in order to have an encrypted filesystem. That
> obviously means that you should back up everything and offline
> someplace so that you can restore your files later. Because you can't
> convert them in place.
>
> But it also means that you have the same opportunity that I had.
> After backing everything up so that you can install a clean system you
> should install several different configurations and then benchmark
> each of those configurations. Keep track of the data so that you can
> compare the performance of each. Nothing is as powerful as an actual
> example with data.
>
> One configuration should be a fresh install with no encryption as a
> control. That should be your baseline peak performance configuration.
> One test case should use the smallest encryption key. One test case
> should use a large encryption key. (IIRC you have choices of AES 128,
> 196 and 256 bits or something like that.) Having data in your hand
> you won't need to believe FUD and can use the results you have
> determined. I am confident you won't have any reason not to use full
> disk encryption. There will be a performance hit but it provides
> safety that is unobtainable otherwise.
>
> The way I like to set up the system is to set up /boot in its own
> partition on /dev/sda1. Then set up the rest of the disk in /dev/sda5
> as a logical partition for an encrypted partition. Then use that
> encrypted partition for one large LVM volume. This includes swap.
> You definitely want to encrypt swap along with everything else. Only
> /boot is unencrypted so that it can ask you for the encryption key and
> then load the operating system. Everything else goes into a large lvm
> volume on a large encrypted partition. With only one encrypted
> partition it will ask you for the passphrase only once. (Some people
> make the mistake of creating many encrypted partitions and then get
> asked the passphrase for each and every one of them at boot time.
> Definitely not as friendly.)
>
> Then partition out space for swap and your choice of filesystem
> partition assignments. For my laptop I put everything in one large
> root partition. I am the sole user and it doesn't operate without me
> in attendance and therefore I know what is going on with it. (For a
> server I *always* split out /var and quite a few other partitions for
> as small of a root partition as possible and resizable partitions for
> dedicated applications.)
>
> Bob
Hello Bob,
Feel good to hear your experience.
Thanks for the config and tips ... I'm doing some more reading on it.
I am going for FDE soon :-)
many many thanks