#1 2009-02-15 05:26:44

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Encryption (Filenames/metadata, what to encrypt, resizing)

I've already decided to use an unencrypted root, either loop-aes or LUKS/dm-crypt to encrypt my swap (I will benchmark to decide), loop-aes/EncFS/LUKS to encrypt /tmp (or I will use tmpfs, since I have 6GB of RAM... any opinions?), and either LUKS, loop-aes, or TrueCrypt for my personal /home. /var/tmp will be an EncFS.

First, as mentioned above, any advice from those with experience on making a separate /tmp to encrypt with traditional methods vs. using tmpfs for /tmp (6GB RAM)? What kinds of operations use /tmp the most (I know optical disc writing does) (this will help to benchmark with/without tmpfs), and to what extent? Same questions for /var/tmp? I know tmpfs will automatically move lesser-used stuff to swap instead of main RAM - does it do this well, and does it adjust how much it does that depending on how much free RAM there is?

Second, I know TrueCrypt will encrypt filesystem metadata (the important thing being file names), and EncFS does since late last year. I'm pretty sure LUKS/dm-crypt and loop-aes also do, but I'm not 100% sure. Is anyone certain they do?

Third, any comments on how I've decided to set up my system? Are there any places I'm missing to encrypt?

And fourth, any info on resizing any of the above encryption setups (on block devices on LVM) would be very much appreciated.

Thanks!!

NOTE: I'm also considering just encrypting everything except probably /usr... it would be simpler, that's for sure. We'll have to see what the damage is in terms of speed.

NOTE 2: I will definitely post my results so others can see when I'm done. I will be running the benchmarks on both a quad-core with 7,200rpm hard drives and an elderly ThinkPad with a Pentium M Banias and a 5,400rpm drive. I'll also do a few quick benches to see whether the differences between file systems change when encryption is used.... this'll be "fun".


I'm also asking these questions here, for any reading this that are also interested.

Offline

#2 2009-02-17 07:28:47

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

Bump of life.

Offline

#3 2009-02-17 08:41:13

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

how do you want to see the filenames on encrypted Luks partition? you are not going to mount it without proper passphrase
I use it on /home and swap - not needed on / anyway
no speed/performance issues to be noticed


Zygfryd Homonto

Offline

#4 2009-02-17 20:12:33

Ranguvar
Member
Registered: 2008-08-12
Posts: 2,549

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

If someone takes it, puts it into another computer, and looks at each sector.

I know some encryption methods don't encrypt filesystem metadata, which means filenames, permissions, etc. eCryptfs didn't until recently, for example. I know TrueCrypt does, but I'm not 100% sure that LUKS and Loop-AES work.

And to you, I recommend you find a way to encrypt /var/tmp and /tmp... if you burn something to DVD, for example, that's on your encrypted partition, the temp files will be stored in /tmp. Now your encrypted stuff has been written unencrypted to your hard drive, and can be recovered at least partially without too much trouble. /tmp can be a tmpfs (swap and RAM are used), but /var/tmp needs to be persistent - a separate encrypted partition, or eCryptfs (might be too slow).

Last edited by Ranguvar (2009-02-17 20:12:56)

Offline
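
The placement check described in post #4, as an added example that is not part of the original thread: it reports whether swap, /tmp and /var/tmp end up on a dm-crypt mapping, in RAM, or on a plaintext disk. The sample `/proc/mounts`, `/proc/swaps` and `dmsetup table` text is constructed, the function names are hypothetical, and encrypted volumes are assumed to show up under their `/dev/mapper/NAME` path.

```python
# Constructed sample inputs (not from the thread): /proc/mounts, /proc/swaps
# and `dmsetup table` output for a laptop where only /home is on LUKS.
MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/mapper/home /home ext3 rw 0 0
tmpfs /tmp tmpfs rw 0 0
"""
SWAPS = """\
Filename Type Size Used Priority
/dev/sda2 partition 2097148 0 -1
"""
DMSETUP = "home: 0 41943040 crypt aes-cbc-essiv:sha256 0000 0 8:3 2056\n"

def crypt_devices(dmsetup_text):
    """Paths of device-mapper nodes whose target type is 'crypt'."""
    names = set()
    for line in dmsetup_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "crypt":
            names.add("/dev/mapper/" + fields[0].rstrip(":"))
    return names

def backing(path, mounts_text):
    """(device, fstype) of the longest mount point that contains path."""
    best = ("", "", "")
    for line in mounts_text.splitlines():
        dev, mnt, fstype = line.split()[:3]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best[0]):
            best = (mnt, dev, fstype)
    return best[1], best[2]

def audit(mounts_text, swaps_text, dmsetup_text):
    crypt = crypt_devices(dmsetup_text)
    swaps = [l.split()[0] for l in swaps_text.splitlines()[1:] if l.strip()]
    swap_ok = all(dev in crypt for dev in swaps)  # vacuously true with no swap
    report = {"swap": "encrypted or absent" if swap_ok else "PLAINTEXT"}
    for path in ("/tmp", "/var/tmp"):
        dev, fstype = backing(path, mounts_text)
        if fstype == "tmpfs":  # RAM-backed, but its pages can be swapped out
            report[path] = "ram" if swap_ok else "ram, spills to PLAINTEXT swap"
        else:
            report[path] = "encrypted" if dev in crypt else "PLAINTEXT"
    return report

if __name__ == "__main__":
    for location, verdict in audit(MOUNTS, SWAPS, DMSETUP).items():
        print(f"{location:9} {verdict}")
```

On a live system the three inputs would come from reading `/proc/mounts` and `/proc/swaps` and running `dmsetup table` as root.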

#5 2009-02-17 20:17:21

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

I believe I'm going to :
/boot - clear
/, /home - luks
but it requires a bit of repartitioning of my hdd then ;)


Zygfryd Homonto

Offline

#6 2009-02-17 23:29:34

kludge
Member
Registered: 2008-08-03
Posts: 294

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

Ranguvar wrote:

If someone takes it, puts it into another computer, and looks at each sector.

I know some encryption methods don't encrypt filesystem metadata, which means filenames, permissions, etc. eCryptfs didn't until recently, for example. I know TrueCrypt does, but I'm not 100% sure that LUKS and Loop-AES work.

don't take my word for it, but since LUKS writes to the physical device via an encrypting device mapper, i'm pretty sure *everything* is encrypted.  as circumstantial evidence, gparted has no clue what kind of filesystem lives on my encrypted partitions.

Last edited by kludge (2009-02-17 23:30:07)


[23:00:16]    dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32]    dr_kludge | can you guess what i'd call it?
[23:01:16]    dr_kludge | nosilla.
[23:01:32]    dr_kludge | i really should be going to bed.  i'm giggling madly about that.

Offline
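
What a partition tool can read from a LUKS volume without the passphrase, as an added example that is not part of the original thread: the LUKS1 header is stored in the clear and names the cipher, mode and hash, while the payload carries no filesystem signature for a probe to find. The images are constructed, the function names are hypothetical, and the bytes after the header are an arbitrary stand-in for ciphertext (no encryption is performed).

```python
import struct

# LUKS1 on-disk header prefix (big-endian): magic, version, cipher name,
# cipher mode, hash spec, payload offset (512-byte sectors), key bytes.
LUKS1_PREFIX = struct.Struct(">6sH32s32s32sII")
LUKS_MAGIC = b"LUKS\xba\xbe"
EXT_MAGIC_AT = 1024 + 56   # s_magic in the ext2/3/4 superblock, little-endian
EXT_MAGIC = 0xEF53

def text(field):
    """Decode a NUL-padded ASCII header field."""
    return field.split(b"\0", 1)[0].decode("ascii")

def probe(raw):
    """Report what is readable from raw bytes without any key."""
    if raw[:6] == LUKS_MAGIC:
        _, ver, name, mode, hsh, payload, keybytes = LUKS1_PREFIX.unpack_from(raw)
        return {"type": "crypto_LUKS", "version": ver,
                "cipher": f"{text(name)}-{text(mode)}", "hash": text(hsh),
                "payload_sector": payload, "key_bits": keybytes * 8}
    if len(raw) >= EXT_MAGIC_AT + 2:
        (magic,) = struct.unpack_from("<H", raw, EXT_MAGIC_AT)
        if magic == EXT_MAGIC:
            return {"type": "ext2/3/4"}
    return {"type": "unknown"}

def sample_plain_fs():
    """Constructed 4 KiB image with only the ext magic number set."""
    img = bytearray(4096)
    struct.pack_into("<H", img, EXT_MAGIC_AT, EXT_MAGIC)
    return bytes(img)

def sample_luks_container():
    """Constructed LUKS1 header followed by a stand-in for ciphertext."""
    header = LUKS1_PREFIX.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256",
                               b"sha1", 8, 32).ljust(8 * 512, b"\0")
    stand_in = bytes((i * 167 + 13) % 256 for i in range(4096))  # not real crypto
    return header + stand_in

if __name__ == "__main__":
    container = sample_luks_container()
    print("unencrypted partition:", probe(sample_plain_fs()))
    print("LUKS partition       :", probe(container))
    print("LUKS payload only    :", probe(container[8 * 512:]))
```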

#7 2009-03-05 14:59:19

andre.ramaciotti
Member
From: Brazil
Registered: 2007-04-06
Posts: 649

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

Sorry to bump this, but do you guys feel a perceptible decrease in performance using an encrypted HD?

The newest benchmark I can find is from Phoenix, but it uses kernel 2.6.24, they test only dm-crypt and half of their tests are with games...


(lambda ())

Offline

#8 2009-03-05 15:47:43

vacant
Member
From: downstairs
Registered: 2004-11-05
Posts: 816

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

If you're trying to hide from the authorities then I guess truecrypt with a hidden partition is the way to go.

I just want security if my laptop is stolen so I have 2GB RAM, run without a swap file, tmp in RAM and other tmp storage on my luks-encrypted /home partition. Arch boots and asks for my (long) /home password, KDE4 logs me in automatically and I can then have a single letter linux password for recovering from suspend/screensaver plus the same single letter password for root. I store all internet passwords in a plain text file in my /home. It's been working well so far. I wouldn't consider encrypting the root file system.

Of course I'm stuffed if the laptop is stolen while on, but then I'd give up my luks password if I was mugged at knife-point :(

Offline

#9 2009-03-05 16:23:29

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

andre.ramaciotti wrote:

Sorry to bump this, but do you guys feel a perceptible decrease in performance using an encrypted HD?

only in case of backup - otherwise I don't see this as an issue


Zygfryd Homonto

Offline

#10 2009-05-16 20:59:40

mutlu_inek
Member
From: all over the place
Registered: 2006-11-18
Posts: 683

Re: Encryption (Filenames/metadata, what to encrypt, resizing)

FYI: Luks is nearly as fast as without encryption: http://www.tomshardware.com/reviews/loc … 303-9.html

Offline
