LinuxQuestions.org - Linux - Security
Disk Encryption Questions (https://www.linuxquestions.org/questions/linux-security-4/disk-encryption-questions-873224/)

lupusarcanus 04-05-2011 07:51 PM

Disk Encryption Questions

Is it better to use:

Code:
-c aes-cbc-essiv -y -s 512

Or:

Code:
-c aes-xts-plain -y -s 512

Is the first one even possible? I've never encrypted a disk before; I'm following the Arch wiki (I'm a newbie, basically). Should I try and encrypt my swap partition (I've got 512 MB RAM, 1 GB swap)? Ideally, I'd like to make it so it's not feasible for someone (even a very skilled someone) to access my files (and system -- I'm encrypting /), but still make it fairly fast and usable for day-to-day operations. If it matters any, I'm using JFS.

Sorry for the barrage of questions. Thanks in advance.

Jerre Cope 04-06-2011 01:06 AM

Disk Encryption

The aes arguments have to do with what kernel modules you have loaded.

Try:

cat /proc/crypto

Be careful to keep track of the cipher used. I made the mistake of forgetting once; then it's good luck guessing.

I've used the Ubuntu full disk encryption on laptops, but never on my servers, because I haven't figured out how to boot software raid and fully encrypted together.

I use two techniques with my servers:

1) Create an encrypted swap loopback and a huge encrypted loopback for the user area. The swap can encrypt itself on the way up with a random password. You don't care if you lose it each boot. For the data, leave one user outside the encrypted partition so you have a means of decrypting the filesystem. All other users should be inside the encrypted filesystem. Also symbolically link /tmp and /var/tmp into the encrypted system.

Or
2) Create a big loopback area and put a virtual machine on it. That way the whole server can be encrypted without complicating the server.

Folks will say that running software raid, on top of a loopback, on top of encryption, on top of a virtual machine ought to be slow.

All I can say is it's plenty fast for my requirements. I don't produce video or mash huge volumes of graphical data, but my LAMP stuff runs plenty fast enough.

Your mileage may vary.

Here's one way to create an encrypted swap file:

losetup /dev/loop0 /swapfile                        # attach the swap file to a loop device
cryptsetup -d /dev/urandom create swapc /dev/loop0  # plain dm-crypt mapping keyed from /dev/urandom; the key is never stored, so the swap contents are unrecoverable after shutdown
mkswap /dev/mapper/swapc                            # format the encrypted mapping as swap
swapon /dev/mapper/swapc                            # enable it

NyteOwl 04-06-2011 01:59 PM

In simple terms XTS is generally considered a more secure mode than cbc. (The discussion of the various modes is beyond this forum but a web search will yield tons of info). essiv is always desirable as where possible you want to salt the passphrase. essiv can also be used with xts.

I have /home on my system currently LUKS encrypted. I also have swap encrypted (which can be done independently of any other encryption).

You really don't need to use a loopback device.
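An added example, not posted by anyone in this thread, that ties the two replies above together: a cryptsetup cipher spec such as the ones in the question has the shape cipher-chainmode-ivmode[:ivopts] (e.g. aes-xts-plain or aes-cbc-essiv:sha256), and the script below splits one into its parts and checks each against the kernel's /proc/crypto, as Jerre Cope suggests. The function names are the example's own, and the /proc/crypto text it embeds is constructed so it runs without root; omit the second argument to read the real file.

```shell
#!/bin/sh
# Added example (not from the thread): split a dm-crypt/cryptsetup cipher spec
# (cipher-chainmode-ivmode[:ivopts]) and check each part against /proc/crypto.

# Constructed excerpt in /proc/crypto's "field : value" layout (not a real dump).
SAMPLE_PROC_CRYPTO='name         : xts(aes)
driver       : xts(aes-generic)
module       : xts
type         : skcipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : cbc
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : sha256_generic
type         : shash'

# crypto_has NAME [PROC_TEXT]: succeed when an entry named NAME is listed.
crypto_has() {
    _src=${2:-$(cat /proc/crypto)}
    printf '%s\n' "$_src" | grep -qx "name *: $1"
}

# check_spec SPEC [PROC_TEXT]: print "ok" or "missing: <parts>".
check_spec() {
    _src=${2:-$(cat /proc/crypto)}
    _cipher=${1%%-*}                 # aes
    _rest=${1#*-}                    # xts-plain / cbc-essiv:sha256
    _mode=${_rest%%-*}               # xts / cbc
    _iv=${_rest#*-}                  # plain / essiv:sha256
    _missing=""
    # dm-crypt asks the kernel for "mode(cipher)", e.g. xts(aes).
    crypto_has "${_mode}(${_cipher})" "$_src" || _missing="$_missing ${_mode}(${_cipher})"
    # essiv derives the IV key by hashing the volume key, so the digest named
    # after the colon must be present too; a bare "essiv" names no digest.
    case $_iv in
        essiv:*) crypto_has "${_iv#essiv:}" "$_src" || _missing="$_missing ${_iv#essiv:}" ;;
        essiv)   _missing="$_missing essiv-digest-name" ;;
    esac
    [ -z "$_missing" ] && echo ok || echo "missing:$_missing"
}

for s in aes-xts-plain aes-cbc-essiv:sha256 aes-cbc-essiv; do
    printf '%-22s %s\n' "$s" "$(check_spec "$s" "$SAMPLE_PROC_CRYPTO")"
done
```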

lupusarcanus 04-06-2011 02:03 PM

Thanks for the info Jerre Cope and NyteOwl.
