Re: Advice on encryption of external disk

To: Celejar <celejar@gmail.com>, debian-user <debian-user@lists.debian.org>
Subject: Re: Advice on encryption of external disk
From: Florent Peterschmitt <florent@peterschmitt.fr>
Date: Wed, 04 Feb 2015 16:36:16 +0100
Message-id: <[🔎] 54D23C70.3060208@peterschmitt.fr>
In-reply-to: <[🔎] 20150204082043.a80fbcb111ca2a4d4b833c12@gmail.com>
References: <[🔎] 20150204082043.a80fbcb111ca2a4d4b833c12@gmail.com>

On 02/04/2015 02:20 PM, Celejar wrote:
> Hi,
> 
> I am preparing a USB external HDD for use with my T61 ThinkPad (Core 2
> Duo CPU T7300 @ 2.00GHz). The disk will fulfill two, very different
> functions: general backup for files (mail, documents, etc.) via
> rsnapshot (rsync type backup), and overflow storage for my full main
> HDD ("big" files such as media: audio, video, PDFs).
> 
> For the backups, I need encryption; the media storage doesn't require
> it. Currently, I use different partitions on my external disks: plain
> for storage, and encrypted (dmcrypt / LUKS) for the backups (and
> storage of sensitive information). This obviously adds complexity, so
> I'm thinking of going to one encrypted partition for everything. The
> obvious possible downside is performance: everything I read indicates
> that there is a significant hit, even on modern hardware, but I don't
> really know if it's current, accurate, or relevant to my use case.
> 
> What would the experts recommend: one partition for everything for
> simplicity, or separate ones for a possible performance advantage?
> 
> Celejar
> 
> 

Hello,

Personaly, I use full encryption and each partition is on a logical
volume, with LVM physical volume encrypted.

Say I have /dev/sda2 of 100GB, it is encrypted with luks.

I open this luks volume and setup LVM with pvcreate on
/dev/mapper/luks_sda2, then create my LV.

About performance downside, if you have a recent processor with aesni
instructions (for intel, dunno for AMD but they have the same feature
too), the Linux kernel does have a module to handle hardware encryption,
which speeds up the job.

But, in both cases (with or without instructions), you will not really
notice any difference even with a quite old processor, like core i2. You
may find it a little slower at machine's first boot. If we speak about
Desktop computers. Never tried to setup encryption on loaded servers.

Also, I dont really understand why you want to do "half encryption".
Only backups and not other things? Sounds strange to me.

But you're free to do so of course.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Advice on encryption of external disk
  - From: Jochen Spieker <ml@well-adjusted.de>
- Re: Advice on encryption of external disk
  - From: Celejar <celejar@gmail.com>

References:
- Advice on encryption of external disk
  - From: Celejar <celejar@gmail.com>

Prev by Date: Re: ifupdown is not installed by preseed, while iproute2 is installed
Next by Date: Re: 3rd new wheezy install
Previous by thread: Advice on encryption of external disk
Next by thread: Re: Advice on encryption of external disk
Index(es):
- Date
- Thread