Re: Advice on encrypted filesystem

To: debian-user@lists.debian.org
Subject: Re: Advice on encrypted filesystem
From: Michael Stone <mstone@debian.org>
Date: Fri, 26 Jun 2020 11:47:34 -0400
Message-id: <[🔎] a504961c-b7c3-11ea-9b6a-00163eeb5320@msgid.mathom.us>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20200626132549.GB3222@axis.corp>
References: <[🔎] 202006242128.38301.rhkramer@gmail.com> <[🔎] 20200625022055.GA2133@axis.corp> <[🔎] 202006250740.43599.rhkramer@gmail.com> <[🔎] 20200626132549.GB3222@axis.corp>

On Fri, Jun 26, 2020 at 08:25:49AM -0500, David Wright wrote:

If encrypting an entire disk, scramble the disk first, then partition.
If only encrypting a partition, partition the disk first.
Alignments should be at least 2M (4096 x 512B sectors).
Scramble any sensitive pre-existing contents:

# dd bs=1M if=/dev/urandom of=/dev/sdz[9]

I personally wouldn't do this. It's slow and doesn't gain much. Idefinitely wouldn't do it on an SSD.

# cryptsetup --align-payload 2048 luksFormat /dev/sdz9

I also would not add this align-payload option. (If you don't,cryptsetup will query the kernel for optimal parameters.)

Reply to:

Follow-Ups:
- Re: Advice on encrypted filesystem
  - From: David Wright <deblis@lionunicorn.co.uk>

References:
- Advice on encrypted filesystem
  - From: rhkramer@gmail.com
- Re: Advice on encrypted filesystem
  - From: David Wright <deblis@lionunicorn.co.uk>
- Re: Advice on encrypted filesystem
  - From: rhkramer@gmail.com
- Re: Advice on encrypted filesystem
  - From: David Wright <deblis@lionunicorn.co.uk>

Prev by Date: Re: I can't figure it out
Next by Date: Advice on hardware server to use for small a dedicated data center
Previous by thread: Re: Advice on encrypted filesystem
Next by thread: Re: Advice on encrypted filesystem
Index(es):
- Date
- Thread