You are not logged in.

#1 2022-04-16 06:47:55

BlackarchNet
Member
From: Allentown
Registered: 2022-04-11
Posts: 23

Encrypted (FDE) installation questions

I'm testing different FDE installation hashes, ciphers etc. And I wanna try a detached header (boot/efi partition on flash drive) 1) are there any specific things I should know, extra steps etc from a standard installation guide, 2) Also can someone tell me how good this hash is (Serpent-CBC-Essiv:sha3-256 -h whirlpool, resilience hash sha512, pbkdf argon2id, itter time 30000,size 256, luks2), I'm  following the "bulletproof Arch Install" guide ln the wiki, almost to a T, just want to create a better and the most perfect cipher possible, while not sacrificing too much performance.

Extra point question: Name all the btrfs subvolumes that can be mount points (eg. var, tmp,sys,dev)

Thanks for any and all help.

Last edited by BlackarchNet (2022-04-16 07:13:27)


"Victims aren't we all"

"Hail to the King"

Offline

#2 2022-04-16 07:19:37

frostschutz
Member
Registered: 2013-11-15
Posts: 1,126

Re: Encrypted (FDE) installation questions

stick with standard settings unless you have very strong reasons not to

keep it simple

Online

#3 2022-04-16 07:45:56

BlackarchNet
Member
From: Allentown
Registered: 2022-04-11
Posts: 23

Re: Encrypted (FDE) installation questions

Any reason? Besides the KISS philosophy that is, never been a fan of that Unix mentality, as it limits potential In my opinion, my main question is how to make 1 big partition with 8309 (luks partition) on my SSD, but have the boot on a removable drive, so removing it makes it impossible to boot up.

Last edited by BlackarchNet (2022-04-16 08:24:35)


"Victims aren't we all"

"Hail to the King"

Offline

#4 2022-04-16 11:25:20

ayekat
Member
Registered: 2011-01-17
Posts: 1,509
Website

Re: Encrypted (FDE) installation questions

BlackarchNet wrote:

Any reason?

The more you deviate from the defaults, the more you need to know what you changed and why you changed it (and what the potential risks of that are). This has little to do with "Unix mentality", and more with simply reducing risks (potential issues and/or the likelihood that you find yourself alone when encountering a problem that nobody else has).

In this context, if you do have a good mathematical grasp on the hash algorithms and their implication on the provided security level, you can of course consciously pick something else. But then you wouldn't need to ask on a forum whether a given hash is good.

On the main question: Putting the ESP on a separate device should be feasible AFAICT; not sure if there's really anything that needs to be done additionally.
But I think this is mostly a case of "Try it and see".


{,META,RE}PKGBUILDSpacman-hacks (includes makemetapkg and remakepkg) │ dotfiles

Offline

#5 2022-04-18 07:50:50

BlackarchNet
Member
From: Allentown
Registered: 2022-04-11
Posts: 23

Re: Encrypted (FDE) installation questions

Thanks, there's a guide on the Wiki called Bulletproof install, which I found very helpful, but it's a very custom guide, like mounting the btrfs subvolumes instead of the dev mapper, using Nspwn instead of chrooting, all of which makes me want to make a non standard install, and see how else I can beef up the security and performance. And I said "Unix Mentality" because Arch, Gentoo, Slack Unix, BSD all use the" Keep it simple stupid" idea for minimalism, but Arch has the support to turn any computer into a powerhouse. I just want to know if there's any holes in the cipher, or if it's rock solid, and to see about pathfinding for 2 different drives.

Last edited by BlackarchNet (2022-04-18 07:59:22)


"Victims aren't we all"

"Hail to the King"

Offline

#6 2022-04-18 11:01:59

frostschutz
Member
Registered: 2013-11-15
Posts: 1,126

Re: Encrypted (FDE) installation questions

AES is hardware accelerated on any non-ancient platform, serpent is not, so there is a noticable performance impact (see `cryptsetup benchmark`). That would be okay if it provided anything in return for it, but I don't quite see what that would be.

Not sure how deliberately using a slow cipher would turn your computer into a powerhouse. KISS means keep things simple, not slow. Seems to me you like to do things different for the sake of doing it different, not for any other reason.

But you do you. That's the nice thing about Linux, you can make your own choices on how to put things together and everything.

As for separate boot devices: in Linux nothing and no one forces you to use the same device in the first place. So if you want to use separate devices, you just do that. There are some special cases, like if your root is on an USB device, you might need a rootdelay to allow for USB detection to take place, but in general - it should just work, simple as that.

Online

#7 2022-04-18 22:49:06

BlackarchNet
Member
From: Allentown
Registered: 2022-04-11
Posts: 23

Re: Encrypted (FDE) installation questions

Thanks for the tips and ur opinion, and as far as the cipher, from the benchmarks I've seen, Serpent is more secure than AES, yes at the cost of some performance, but it's performance is better than Twofish and all the rest.


"Victims aren't we all"

"Hail to the King"

Offline

#8 2022-04-18 22:59:31

loqs
Member
Registered: 2014-03-06
Posts: 14,702

Re: Encrypted (FDE) installation questions

BlackarchNet wrote:

Serpent is more secure than AES, yes at the cost of some performance, but it's performance is better than Twofish and all the rest.

For the difference in security between AES and Serpent to be relevant the adversary must be capable of breaking AES but not Serpent.  Is that the threat you are modeling?

Offline

Board footer

Powered by FluxBB