Disk Encryption Questions
Is it better to use:
Code:
-c aes-cbc-essiv -y -s 512
or
Code:
-c aes-xts-plain -y -s 512
Sorry for the barrage of questions. Thanks in advance.
Disk Encryption
The aes arguments have to do with what kernel modules you have loaded. Try:
Code:
cat /proc/crypto
Be careful to keep track of the cipher used. I made the mistake of forgetting once, then it's good luck guessing.

I've used the Ubuntu full disk encryption on laptops, but never on my servers, because I haven't figured out how to boot software RAID and fully encrypted together. I use two techniques with my servers:

1) Create an encrypted swap loopback and a huge encrypted loopback for the user area. The swap can encrypt itself on the way up with a random password; you don't care if you lose it each boot. For the data, leave one user outside the encrypted partition so you have a means of decrypting the filesystem. All other users should be inside the encrypted filesystem. Also symbolically link /tmp and /var/tmp into the encrypted system.

Or 2) Create a big loopback area and put a virtual machine on it. That way the whole server can be encrypted without complicating the server.

Folks will say that running software RAID, on top of a loopback, on top of encryption, on top of a virtual machine ought to be slow. All I can say is it's plenty fast for my requirements. I don't produce video or mash huge volumes of graphical data, but my LAMP stuff runs plenty fast enough. Your mileage may vary.

Here's one way to create an encrypted swap file:
Code:
losetup /dev/loop0 /swapfile                        # expose the swap file as a block device
cryptsetup -d /dev/urandom create swapc /dev/loop0  # plain dm-crypt mapping keyed from /dev/urandom (legacy form of "open --type plain")
mkswap /dev/mapper/swapc                            # format the mapped device as swap
swapon /dev/mapper/swapc                            # enable it; the random key is lost at reboot, which is the point
In simple terms, XTS is generally considered a more secure mode than CBC. (The discussion of the various modes is beyond this forum, but a web search will yield tons of info.) essiv is always desirable, as where possible you want to salt the passphrase. essiv can also be used with xts.

I have /home on my system currently LUKS encrypted. I also have swap encrypted (which can be done independently of any other encryption). You really don't need to use a loopback device.
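An added example, not from any of the posts above, that ties together the "check /proc/crypto" advice and the two cipher specs in the question. It assumes the complete forms of the specs as cryptsetup's -c option takes them (aes-cbc-essiv:sha256, since essiv needs its hash, and aes-xts-plain64 as the usual XTS IV mode); the /proc/crypto text is a constructed sample, so on a real machine pass `cat /proc/crypto` instead. The key-size helper encodes the caveat a practitioner wants when comparing "-s 512" across the two modes: XTS splits the dm-crypt key into two halves, so -s 512 under XTS is AES-256, whereas AES-CBC consumes the whole key and AES has no 512-bit variant.

```sh
#!/bin/sh
# Added example (not from the thread). Maps a cryptsetup cipher spec to the
# kernel algorithm name, checks it against a /proc/crypto listing, and works
# out the effective AES strength for a given -s value.

# Constructed sample of `cat /proc/crypto` on a kernel with the xts and cbc
# templates and the aes cipher available (trimmed to the fields used here).
SAMPLE_PROC_CRYPTO='name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
type         : skcipher
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher
name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash
'

# cryptsetup_to_kernel SPEC -> prints the kernel name for the block mode, e.g.
#   aes-xts-plain64        -> xts(aes)
#   aes-cbc-essiv:sha256   -> cbc(aes)
# The IV generator (plain64, essiv:sha256) is dm-crypt's business, not a
# crypto API algorithm, so it is not part of the name looked up.
cryptsetup_to_kernel() {
    spec=$1
    cipher=${spec%%-*}
    rest=${spec#*-}
    if [ "$rest" = "$spec" ]; then
        printf '%s\n' "$cipher"      # bare cipher name, no mode given
        return 0
    fi
    mode=${rest%%-*}
    printf '%s(%s)\n' "$mode" "$cipher"
}

# kernel_has_alg ALG TEXT -> exit 0 if TEXT (the contents of /proc/crypto)
# has a "name : ALG" entry, 1 otherwise. Only "name" lines count; "driver"
# lines carry implementation names such as xts(aes-generic).
kernel_has_alg() {
    printf '%s\n' "$2" | awk -v want="$1" -F ' *: *' '
        $1 == "name" && $2 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# aes_effective_bits SPEC KEYBITS -> prints the AES key size that dm-crypt
# actually uses for cryptsetup's -s KEYBITS. XTS uses two independent keys,
# so the -s value is halved; every other mode uses the whole key.
# Returns 1 when the result is not an AES key size (128, 192 or 256),
# and 2 when the spec is not an aes-* spec at all.
aes_effective_bits() {
    spec=$1
    keybits=$2
    [ "${spec%%-*}" = aes ] || return 2
    rest=${spec#*-}
    mode=${rest%%-*}
    if [ "$mode" = xts ]; then
        bits=$((keybits / 2))
    else
        bits=$keybits
    fi
    printf '%s\n' "$bits"
    case $bits in
        128|192|256) return 0 ;;
        *)           return 1 ;;
    esac
}

# Walk both specs from the question against the sample listing.
for spec in aes-cbc-essiv:sha256 aes-xts-plain64; do
    alg=$(cryptsetup_to_kernel "$spec")
    if kernel_has_alg "$alg" "$SAMPLE_PROC_CRYPTO"; then
        echo "$spec: kernel provides $alg"
    else
        echo "$spec: $alg not listed, load the module or pick another mode"
    fi
    if bits=$(aes_effective_bits "$spec" 512); then
        echo "  -s 512 gives AES-$bits"
    else
        echo "  -s 512 is not usable here: AES-$bits does not exist"
    fi
done
```

On a live system replace the sample with `"$(cat /proc/crypto)"`; for an existing LUKS volume the cipher spec and key size are recorded in the header and can be read back with `cryptsetup luksDump <device>`, which is the answer to "forgetting which cipher I used" as long as the header itself survives.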
Thanks for the info, Jerre Cope and NyteOwl.