#1 2019-03-03 17:31:12

Maestox
Member
Registered: 2019-02-12
Posts: 2

[SOLVED] Crypted Arch

Hi !

[English is not my native language, so if you don't understand what I mean, tell me, and I'll try to say it otherwise]

I already have an Archlinux on my computer. But I would like to reinstall Archlinux in order to get an encrypted one. But I'm lost, and don't know which method to choose in this list: https://wiki.archlinux.org/index.php/Dm … ire_system . My main problem is that my computer isn't powerful, so I fear that some methods would be too heavy for it.
My processor: Intel(R) Celeron(R) CPU N3350 @ 1.10GHz (2 cores)
My "hard" memory: 64 GB Flash eMMC + 128 GB on an SD card
RAM: 4 GB LPDDR4


Do you think it's possible for me to get an encrypted Archlinux on my computer? If yes, which method should I use?

Thanks,
Maestox

Last edited by Maestox (2019-03-04 17:56:01)


#2 2019-03-03 17:40:51

Lupo Alberto
Member
From: Gomel, Belarus
Registered: 2013-11-25
Posts: 84

Re: [SOLVED] Crypted Arch

I use LVM on LUKS on my 5-year-old netbook (but I replaced the HDD with an SSD recently).
It works very well in my opinion.

Last edited by Lupo Alberto (2019-03-03 17:43:02)


#3 2019-03-03 19:52:56

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [SOLVED] Crypted Arch

I would avoid methods (6) and (8), that is, avoid "Plain dm-crypt" and "Btrfs subvolumes with swap".

Personally, I have not tried methods (5) and (7), so I can't say much for or against them. I do believe they are more complicated than you need.

Some people would say you should prefer an encrypted boot. The reason is that if your boot is not encrypted, a skilled adversary with physical access to your device could replace the true kernel with a malicious one.

However, I think if an adversary has physical access to your machine then the encrypted boot won't help you. By using an encrypted boot, you just move the attack surface to the boot loader. The same trick can be used: replace the unencrypted boot loader with a malicious one. So you have really only gained the illusion of security.

Therefore, keep life simple for yourself. Use an unencrypted boot and don't give skilled adversaries physical access to your devices ;)

So really you just need to decide between these options:

  • Do you need LVM with LUKS?

  • Or would LUKS by itself be sufficient?

To answer the question, you should understand what sorts of things LVM is good for. Sometimes I use LVM, sometimes I don't. For a simple system, it is fine to not use LVM.

In conclusion, I think you probably want to focus on method (1), that is, just use LUKS on a partition without any extra complications.

Roughly, the process is:

  1. Use dd to fill your drive with noise from /dev/urandom (not /dev/random !)

  2. Use fdisk or similar to partition the drive into a boot partition and a root partition.

  3. Use cryptsetup to install a LUKS header at the start of the root partition.

  4. Use cryptsetup again to associate the LUKS partition with a device name.

  5. Install an ext4 filesystem on the LUKS device.

  6. Now you can install Arch Linux in the usual way. Remember to configure your mkinitcpio to ask for your passphrase for the encrypted root partition at boot time.

Refer to the wiki for more details, or ask if you run into problems.
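
The six steps in the post above, written out as commands. This is an added example, not part of the original thread; the placeholder device `/dev/sdX`, the sdX1/sdX2 partition naming, the MBR layout created with `parted`, the 512 MiB boot partition and the mapper name `cryptroot` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: commands are only
# printed. Set RUN=1 to execute them, which DESTROYS all data on the disk.

run() {                       # print a command; execute it only when RUN=1
    printf '+ %s\n' "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

check_target() {              # refuse anything that is not an unmounted block device
    [ -b "$1" ] || { echo "not a block device: $1" >&2; return 1; }
    if grep -q "^$1" /proc/mounts; then echo "in use: $1" >&2; return 1; fi
}

add_encrypt_hook() {          # stdin: mkinitcpio.conf; puts "keyboard encrypt" before "filesystems"
    sed -E -e '/^HOOKS=.* encrypt/b' \
           -e '/^HOOKS=/s/ keyboard//' \
           -e '/^HOOKS=/s/ filesystems/ keyboard encrypt filesystems/'
}

luks_plan() {                 # $1 = whole disk; partition names assume sdX1/sdX2 style
    disk=$1; boot="${1}1"; root="${1}2"; name=cryptroot   # mapper name is an assumption
    if [ "${RUN:-0}" = 1 ]; then check_target "$disk" || return 1; fi
    # 1. noise from /dev/urandom; dd stops with "No space left on device" when done
    run dd if=/dev/urandom of="$disk" bs=1M status=progress
    # 2. boot + root partitions (MBR layout assumed; parted stands in for fdisk)
    run parted -s "$disk" mklabel msdos mkpart primary ext4 1MiB 513MiB \
        mkpart primary ext4 513MiB 100% set 1 boot on
    # 3. LUKS header on the root partition (prompts for the passphrase)
    run cryptsetup luksFormat "$root"
    # 4. map the unlocked partition to /dev/mapper/$name
    run cryptsetup open "$root" "$name"
    # 5. ext4 on the mapped device, plus the unencrypted boot partition
    run mkfs.ext4 "/dev/mapper/$name"
    run mkfs.ext4 "$boot"
    # 6. mount for the usual install; afterwards pipe /etc/mkinitcpio.conf through
    #    add_encrypt_hook, run "mkinitcpio -P", and add to the kernel command line:
    #    cryptdevice=UUID=<UUID of $root>:$name root=/dev/mapper/$name
    run mount "/dev/mapper/$name" /mnt
    run mkdir -p /mnt/boot
    run mount "$boot" /mnt/boot
}

luks_plan "${1:-/dev/sdX}"    # /dev/sdX is a placeholder, not a real device
```

The `keyboard` hook is moved ahead of `encrypt` so the passphrase can be typed in the initramfs; on the eMMC in this thread the partitions would be named like `mmcblk0p1`, not `sdX1`.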


#4 2019-03-03 22:10:20

nik402
Member
Registered: 2014-10-25
Posts: 5

Re: [SOLVED] Crypted Arch

My main problem is that my computer isn't powerful, so I fear that some methods were too heavy for it.

Your processor supports aes-ni, so there should be no performance impact.


#5 2019-03-04 07:14:18

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [SOLVED] Crypted Arch

nik402 wrote:

Your processor supports aes-ni, so there should be no performance impact.

Yeah, this too. Anyone can see I've been on these forums for a long time. If you look back through my posts, you can see I was asking about how to do encrypted drives properly back in 2011. Falconindy helped me find the answer and I've been using encrypted hard drives ever since.

I've never noticed any performance problems in eight years.

With an Intel Celeron N3350 your laptop must be about two years old. It might be a budget laptop, but it's still an advanced piece of technology.

So encrypt that sucker already :)


#6 2019-03-04 09:23:41

Maestox
Member
Registered: 2019-02-12
Posts: 2

Re: [SOLVED] Crypted Arch

Do you need LVM with LUKS?

Nope, I don't think so. If I've understood correctly, LVM is just to get a drive structure (with partitions ...) and an encrypted structure. But I think I don't need it. So, I think, I'll use LUKS.

Thanks a lot for your quick answers, you've really helped me!

And if you tell me that there shouldn't be any performance problems, I'm happy! :-) (and yes, it's a budget laptop :) )

Thanks a lot once again! :)
