hey there, y'all,
i just ordered my 1000he yesterday, so i have a few days to figure out my partition scheme before my new baby arrives in the mail.
i'm a pretty confident and skilled archer, but--thanks to the beauty of arch--i haven't done a new install in nearly three years. and because of the way i intend to use my netbook (roadwarrior stylin'), i'm going to have to do a few things i've never done before... and can't find cleanly documented.
i want to secure my data as thoroughly as practical, without going overboard or taking a huge performance hit. i also *need* hibernate to function. so here's my initial thinking on the partition scheme:
* physical partitions:
/dev/sda1 = /boot
/dev/sda2 = dm-luks crypted partition
* crypted partition:
LVM2 phys. volume = /, /home, /var, swap
the big question is what to do about /tmp. should i:
1) map /tmp to its own lv, randomly encrypted at boot?
2) tmpfs at 512 MB. is this big enough? will 512 MB be too big a chunk of my 2 GB RAM?
the second question is what to do about swap. i need it to be encrypted *and* persistent, so should i:
1) map it to an lv, so that it's encrypted at the block device level?
2) use a swap file in / ?
3) do without swap and use a hibernate file in / ?
also, is there anything i'm missing here? any gotchas or obvious security holes?
thanks mucho.
edit: typos and clarity.
Last edited by kludge (2009-06-04 21:14:21)
[23:00:16] dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32] dr_kludge | can you guess what i'd call it?
[23:01:16] dr_kludge | nosilla.
[23:01:32] dr_kludge | i really should be going to bed. i'm giggling madly about that.
/tmp is as much a vulnerability as your swap file. I don't know anything about best practice regarding /tmp or swap encryption. If you use tmpfs for /tmp, it will grow when needed (but that consumes RAM of course, and I don't know how much you'll have of that).
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
I don't know, I would never be comfortable having /tmp in RAM...
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
@B:
as noted above, 2 gb of ram. for reference, i rarely fill the 512 on my current box. the biggest performance hits i notice on my current box are from heavy disk read/write operations. (db updates, grep'ing whole devices, etc.)
@moljac:
why not?
Last edited by kludge (2009-06-04 21:16:06)
[23:00:16] dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32] dr_kludge | can you guess what i'd call it?
[23:01:16] dr_kludge | nosilla.
[23:01:32] dr_kludge | i really should be going to bed. i'm giggling madly about that.
I have /tmp in RAM, unencrypted - I have 2 GB RAM too. The sensitive stuff I have is on a loop-aes encrypted partition, and I use keyscrubbing so the key can't be recovered from RAM upon a reboot (which e.g. stuff like LUKS and other common encryption techniques do allow).
Since you'll be sporting an Atom setup, I don't know how much of a drain that encryption scheme will be on your system though.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
@moljac:
why not?
That RAM could be used elsewhere?
I guess it's ok if you have enough, but I guess it still depends on what you're doing...
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
heh... we're editing and posting at cross purposes.
my current setup is not so different from what i want, except that swap is randomly encrypted at mount-time and /tmp is a static lv living on a luks-crypted disk partition.
like i said, heavy disk operations are the only thing that really trash my current system, but i don't know if that's due to the double-mapping (dm-crypt --> lvm --> fs), filesystem choices, or something inherent to hard drive intensive operations.
i've been on my current setup so long, i can't recall if i noticed these kinds of hits in the past.
mostly i'd like to see if anyone has (links to) comparisons of the different options that i can study while i wait for the mailperson. i'd like to have the little guy up and running the same day i get it.
[23:00:16] dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32] dr_kludge | can you guess what i'd call it?
[23:01:16] dr_kludge | nosilla.
[23:01:32] dr_kludge | i really should be going to bed. i'm giggling madly about that.
I have no experience with any Atom CPUs, but they're nothing like a mainstream Core 2 Duo or Phenom/Phenom II CPU (or any Athlon 64 for that matter even). My guess is the performance hit will be pretty severe if your CPU has to spend time encrypting/decrypting stuff the whole time, but again, that's just a guess - I have no idea about what it does. I have a Core 2 Duo U7600 myself (1,2 GHz) and it takes quite a hit when it has to write to my loop-aes encrypted USB HD - but I'm not sure whether that is due to the USB or the encryption, or both (and frankly I never really bothered to look into it). And that's the only encrypted partition I have on this system. No LVM either.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
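A way to check the layout proposed in the first post once it is installed, added here as an example and not taken from any poster in the thread: it walks the block-device tree and lists every mounted filesystem or swap area with no dm-crypt mapping underneath it. The sample is constructed `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output with made-up device names, and the check only recognises dm-crypt/LUKS mappings, not loop-aes.

```python
import shlex

# Constructed sample: `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` for the layout
# proposed in the first post (kernel device names here are made up).
SAMPLE = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/var"
KNAME="dm-4" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
'''

def parse(text):
    """Return {kname: row-dict} from lsblk --pairs output."""
    devs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(tok.split("=", 1) for tok in shlex.split(line))
        devs[row["KNAME"]] = row
    return devs

def on_crypt(devs, kname):
    """True if the device or any of its ancestors is a dm-crypt mapping."""
    seen = set()
    while kname in devs and kname not in seen:
        seen.add(kname)
        if devs[kname]["TYPE"] == "crypt":
            return True
        kname = devs[kname]["PKNAME"]
    return False

def cleartext_mounts(text, allowed=("/boot",)):
    """Mount points (or [SWAP]) with no dm-crypt layer beneath them."""
    devs = parse(text)
    return sorted(
        d["MOUNTPOINT"] for k, d in devs.items()
        if d["MOUNTPOINT"] and d["MOUNTPOINT"] not in allowed
        and not on_crypt(devs, k)
    )

if __name__ == "__main__":
    print(cleartext_mounts(SAMPLE) or "only /boot is outside the crypt layer")
```

A tmpfs /tmp is not a block device and will not show up in this output; its pages live in RAM and can be written to swap, so the swap check is the one that covers it.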