
Re: Full Disk Encryption



On Sat, 26 Nov 2011 13:00:24 +0530
"J. Bakshi" <bakshi12@gmail.com> wrote:

> On Sat, 26 Nov 2011 00:00:05 -0700
> Bob Proulx <bob@proulx.com> wrote:
> 
> > J. Bakshi wrote:
> > > I am always interested in Full disk encryption for my laptop ( i5 +
> > > 3 GB ), but what makes me stop is the thinking of performance
> > > lag. Recently I have seen an Ubuntu laptop ( i5 + 4 GB ) with full
> > > disk encryption and it is performing normal, haven't found any
> > > lag...
> > 
> > I have been using full disk encryption on my 2004 T42 1.7GHz Pentium M
> > with 1G ram without any significant performance issues.  Before I
> > installed it I benchmarked building various projects of mine both on
> > an installation without encryption and then on an installation with
> > encryption.  I don't have the data from that handy now but I recall it
> > being rather not a big deal.  The safety of the encrypted disk was
> > much more significant.
> > 
> > That was on my old 1.7GHz Pentium M with 1G of ram.  Any faster
> > machine should perform better.  Your i5 should blow it away on
> > performance.  I wouldn't have a concern at all.
> > 
> > > So I am interested to give the FUD a try on my own laptop. How can I
> > > proceed ? My laptop is Debian wheezy with lots of important
> > > data.. so backup is a must.. but what next ? What configuration will
> > > give me a better performance , LVM based or simple partition based ?
> > > Presently excluding swap I have 3 reiserfs partition for / ; /home
> > > and /movie ... no LVM. Like to hear some feedback from you guys..
> > 
> > AFAIK you cannot hot-convert your system.  You will need to create the
> > filesystem fresh in order to have an encrypted filesystem.  That
> > obviously means that you should back up everything and offline
> > someplace so that you can restore your files later.  Because you can't
> > convert them in place.
> > 
> > But it also means that you have the same opportunity that I had.
> > After backing everything up so that you can install a clean system you
> > should install several different configurations and then benchmark
> > each of those configurations.  Keep track of the data so that you can
> > compare the performance of each.  Nothing is as powerful as an actual
> > example with data.
> > 
> > One configuration should be a fresh install with no encryption as a
> > control.  That should be your baseline peak performance configuration.
> > One test case should use the smallest encryption key.  One test case
> > should use a large encryption key.  (IIRC you have choices of AES 128,
> > 196 and 256 bits or something like that.)  Having data in your hand
> > you won't need to believe FUD and can use the results you have
> > determined.  I am confident you won't have any reason not to use full
> > disk encryption.  There will be a performance hit but it provides
> > safety that is unobtainable otherwise.
> > 
> > The way I like to set up the system is to set up /boot in its own
> > partition on /dev/sda1.  Then set up the rest of the disk in /dev/sda5
> > as a logical partition for an encrypted partition.  Then use that
> > encrypted partition for one large LVM volume.  This includes swap.
> > You definitely want to encrypt swap along with everything else.  Only
> > /boot is unencrypted so that it can ask you for the encryption key and
> > then load the operating system.  Everything else goes into a large lvm
> > volume on a large encrypted partition.  With only one encrypted
> > partition it will ask you for the passphrase only once.  (Some people
> > make the mistake of creating many encrypted partitions and then get
> > asked the passphrase for each and every one of them at boot time.
> > Definitely not as friendly.)
> > 
> > Then partition out space for swap and your choice of filesystem
> > partition assignments.  For my laptop I put everything in one large
> > root partition.  I am the sole user and it doesn't operate without me
> > in attendance and therefore I know what is going on with it.  (For a
> > server I *always* split out /var and quite a few other partitions for
> > as small of a root partition as possible and resizable partitions for
> > dedicated applications.)
> > 
> > Bob
> 
> 
> Hello Bob,
> 
> Feels good to hear your experience.
> Thanks for the config and tips ... I'm doing some more reading on it.
> I am going for FDE soon :-)
> 
> many many thanks

Forgot to mention: apache, mysql are also running... so don't know the performance hit
after full disk encryption
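
The layout described in the quoted reply (only /boot outside a single encrypted partition, with swap inside the LVM volume on top of it) can be verified on an installed system. The following is an added example, not part of the original messages: it reads the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`, and the device names and both sample inputs are constructed.

```python
import json

# Only /boot may live outside the encrypted container in the layout above.
ALLOWED_PLAINTEXT = {"/boot"}

def unencrypted_mounts(lsblk_json):
    """Return (device, mountpoint) pairs, swap included, with no dm-crypt layer beneath."""
    found = []

    def walk(node, encrypted):
        # lsblk reports an opened LUKS/dm-crypt mapping with TYPE "crypt";
        # everything stacked on it (LVM volumes, filesystems) inherits that.
        encrypted = encrypted or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp and not encrypted and mp not in ALLOWED_PLAINTEXT:
            found.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return sorted(found)

# Constructed sample: /boot on sda1, one encrypted sda5 holding LVM with / and swap.
LAYOUT_FROM_THREAD = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda5", "type": "part", "mountpoint": null, "children": [
   {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# Constructed sample: same disk, but swap was left on a plain partition (sda6).
PLAINTEXT_SWAP = """{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda5", "type": "part", "mountpoint": null, "children": [
   {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "mountpoint": "/"}]}]},
  {"name": "sda6", "type": "part", "mountpoint": "[SWAP]"}]}]}"""

if __name__ == "__main__":
    for label, sample in (("thread layout", LAYOUT_FROM_THREAD),
                          ("plaintext swap", PLAINTEXT_SWAP)):
        print(label, unencrypted_mounts(sample) or "OK")
```

Mounted removable media would also be reported, since it has no encrypted layer beneath it either.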

