
Re: Full Disk Encryption



Because this is a subject near and dear to my heart, I feel the urge to
chime in.

On Sat, Nov 26, 2011 at 10:45:29AM +0530, J. Bakshi wrote:
> I am always interested in Full disk encryption for my laptop ( i5 + 3 GB ), but what makes me stop
> is the thinking of performance lag. Recently I have seen an ubuntu laptop ( i5 + 4 GB ) with full
> disk encryption and it is performing normal, haven't found any lag...

I have done extensive benchmarking, and have found that you will have
different performance results, based on the cipher and key size that you
choose. ECB (electronic code block) out performs the other block ciphers,
but it suffers from a pattern attack [1]. As a result, when using a LUKS
formatted partition/volume with cryptsetup(8), I usually do the following:

    # dd if=/dev/urandom of=/path/to/device bs=4096
    # cryptsetup luksFormat -c aes -s 128 /path/to/device

The first step, obviously, is to fill the entire device with pseudorandom
data, so it is not clear where the encrypted filesystem starts and ends.
Then, I create the encrypted filesystem in the second step. Those options
have given me the best performance, with ~1-2% hit on reads, and ~5% hit on
writes.

    1. http://ae7.st/s/i.pr

> So I am interested to give the FDE a try on my own laptop. How can I proceed ? My laptop is debian wheezy
> with lots of important data.. so backup is a must.. but what next ? What configuration will give me a better
> performance , LVM based or simple partition based ? Presently excluding swap I have 3 reiserfs partitions for / ; /home
> and /movie ... no LVM. Like to hear some feedback from you guys..

LVM will add some additional overhead, but nothing more than ~2% hit for
writes. Usually, I'll setup my filesystem as follows:

    # dd if=/dev/urandom of=/path/to/device bs=4096
    # cryptsetup luksFormat -c aes -s 128 /path/to/device
    # cryptsetup luksOpen /path/to/device crypt-device
    # pvcreate /dev/mapper/crypt-device
    # vgcreate data /dev/mapper/crypt-device
    # lvcreate -l 100%FREE -n crypt-volume data
    # mkfs.ext4 /dev/data/crypt-volume
    # mount /dev/data/crypt-volume /mnt

At which point I can start copying data. If the device has already been
filled with pseudorandom or encrypted data, then there is no point in
running the dd(1) step.

Hope that helps.
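Added example, not part of the mail above: the "pattern attack" the reply links as [1] is the reason the fast mode loses. ECB encrypts every 16-byte block on its own, so two equal plaintext blocks always give two equal ciphertext blocks, and anyone reading the raw device can see which sectors hold identical data and where a file was copied. A chained mode such as CBC hides that. The script below builds a small constructed "disk image" (zero-filled space, a 64-byte record, filler, the same record again at a new offset) and counts repeated ciphertext blocks under both modes. A keyed PRF (HMAC-SHA256 truncated to 16 bytes) stands in for the AES block function so it runs with the standard library only; it is not AES and cannot decrypt, but the property shown, deterministic per-block encryption, is the same. The key, IV and image contents are made up for the demonstration. When you pass a short cipher spec such as `-c aes` to cryptsetup, check what it expanded to with `cryptsetup luksDump`, which prints the cipher name and mode of the header.

```python
#!/usr/bin/env python3
"""Why ECB leaks structure even though it is the fastest mode.

Added example, not code from the original mail. HMAC-SHA256 truncated to
16 bytes stands in for the AES block function (assumption: a PRF is enough
to show the per-block determinism of ECB). KEY, IV and IMAGE are constructed.
"""
import hashlib
import hmac
from collections import Counter

BLOCK = 16
KEY = hashlib.sha256(b"example key (constructed)").digest()[:BLOCK]  # assumed
IV = hashlib.sha256(b"example iv (constructed)").digest()[:BLOCK]    # assumed


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward direction of a 128-bit block cipher."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def blocks(buf: bytes):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted alone, so equal plaintext -> equal ciphertext."""
    return b"".join(block_prf(key, p) for p in blocks(pad(data)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: XOR with the previous ciphertext block first, so repeats vanish."""
    out, prev = [], iv
    for p in blocks(pad(data)):
        prev = block_prf(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def leaked_repeats(buf: bytes) -> int:
    """Number of blocks equal to an earlier block; 0 means nothing repeats."""
    return sum(c - 1 for c in Counter(blocks(buf)).values())


def matching_positions(buf: bytes) -> dict:
    """Block index -> later indices holding the identical block.

    This is exactly what an observer can read off an ECB-encrypted device
    without knowing the key.
    """
    first, later = {}, {}
    for i, b in enumerate(blocks(buf)):
        if b in first:
            later.setdefault(first[b], []).append(i)
        else:
            first[b] = i
    return later


# Constructed image: 1 KiB of zeros (unused space), a 64-byte record,
# 256 bytes of distinct filler, then the same record again at a new offset.
RECORD = b"user=alice uid=1000 shell=/bin/bash home=/home/alice".ljust(64, b" ")
IMAGE = bytes(64 * BLOCK) + RECORD + bytes(range(256)) + RECORD

if __name__ == "__main__":
    for name, ct in (("plaintext", pad(IMAGE)),
                     ("ECB", ecb_encrypt(KEY, IMAGE)),
                     ("CBC", cbc_encrypt(KEY, IV, IMAGE))):
        print(f"{name:9s} repeated blocks: {leaked_repeats(ct)}")
    # ECB shows blocks 64..67 reappearing at 84..87: the record was stored twice.
    print("ECB: block 64 also found at",
          matching_positions(ecb_encrypt(KEY, IMAGE)).get(64))
```

The plaintext and the ECB ciphertext show the same number of repeated blocks, and the ECB output still reveals that the record at block 64 reappears at block 84; the CBC output shows no repeats at all. Real disk encryption goes one step further than CBC with a fixed IV, deriving a per-sector IV or tweak, which is why cryptsetup's modes carry a suffix such as `-essiv` or `-plain64` after the mode name.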

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
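Added example, not code from the mail above: the LVM-on-LUKS stack the reply describes, driven from one script with the checks an operator wants before writing to a disk (the device exists, is a block device, and is not mounted) and a dry-run mode that only prints the commands. The defaults (cipher `aes`, 128-bit key, VG `data`, LV `crypt-volume`, mapper name `crypt-device`) follow the post; the script name, its command-line flags and the sample mount table in the comments are my own assumptions. Note that LVM exposes the logical volume as `/dev/<vg>/<lv>`, so the filesystem is made on `/dev/data/crypt-volume`.

```python
#!/usr/bin/env python3
"""Set up LVM on top of a LUKS volume, as described in the mail.

Added example, not code from the original post. Defaults follow the post;
the flags and the check helpers are assumptions for illustration.
"""
import argparse
import os
import shlex
import stat
import subprocess
import sys


def is_mounted(device: str, mounts: str) -> bool:
    """True if `device` is the source of any entry in /proc/mounts-style text."""
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == device:
            return True
    return False


def plan(device: str, name: str = "crypt-device", vg: str = "data",
         lv: str = "crypt-volume", cipher: str = "aes", keysize: int = 128,
         fill: bool = True) -> list:
    """Return the argv lists to run, in order. Nothing is executed here."""
    mapper = f"/dev/mapper/{name}"
    steps = []
    if fill:
        # Overwrite with pseudorandom data so the encrypted region cannot be
        # told apart from the rest of the device. Skip if it already holds
        # random or encrypted data.
        steps.append(["dd", "if=/dev/urandom", f"of={device}", "bs=4096"])
    steps += [
        ["cryptsetup", "luksFormat", "-c", cipher, "-s", str(keysize), device],
        ["cryptsetup", "luksOpen", device, name],
        ["pvcreate", mapper],
        ["vgcreate", vg, mapper],
        ["lvcreate", "-l", "100%FREE", "-n", lv, vg],
        # LVM names the volume /dev/<vg>/<lv>, not /dev/mapper/<lv>.
        ["mkfs.ext4", f"/dev/{vg}/{lv}"],
    ]
    return steps


def check_device(device: str, mounts: str = None) -> None:
    """Refuse to touch a device that does not exist, is a file, or is mounted."""
    if mounts is None:
        with open("/proc/mounts") as f:
            mounts = f.read()
    try:
        st = os.stat(device)
    except FileNotFoundError:
        raise SystemExit(f"{device}: no such device")
    if not stat.S_ISBLK(st.st_mode):
        raise SystemExit(f"{device}: not a block device")
    if is_mounted(device, mounts):
        raise SystemExit(f"{device}: currently mounted, unmount it first")


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="LVM on LUKS, as in the mail")
    ap.add_argument("device", help="block device to (destructively) format")
    ap.add_argument("--no-fill", action="store_true",
                    help="skip the dd(1) step; device already holds random data")
    ap.add_argument("--dry-run", action="store_true", help="print, do not run")
    args = ap.parse_args(argv)

    steps = plan(args.device, fill=not args.no_fill)
    if args.dry_run:
        for s in steps:
            print(shlex.join(s))
        return 0
    if os.geteuid() != 0:
        raise SystemExit("must run as root")
    check_device(args.device)
    for s in steps:
        rc = subprocess.call(s)
        # dd exits non-zero with "No space left on device" once the whole
        # device is filled; that is the expected end of the fill step.
        if rc != 0 and s[0] != "dd":
            raise SystemExit(f"{shlex.join(s)} failed with status {rc}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `--dry-run` first to see the exact command list; the real run prompts for the `YES` confirmation and the passphrase at the `luksFormat` step, as cryptsetup does interactively.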
