Is the first one even possible? I've never encrypted a disk before; I'm following the Arch wiki (I'm a newbie, basically). Should I try and encrypt my swap partition (I've got 512 MB RAM, 1 GB swap)? Ideally, I'd like to make it so it's not feasible for someone (even a very skilled someone) to access my files (and system -- I'm encrypting /), but still make it fairly fast and usable for day-to-day operations. If it matters any, I'm using JFS.
Sorry for the barrage of questions. Thanks in advance.
Last edited by lupusarcanus; 04-05-2011 at 07:53 PM.
The aes arguments have to do with what kernel modules you have loaded.
try:
cat /proc/crypto
Be careful to keep track of the cipher used. I made the mistake of forgetting once, then it's good luck guessing.
I've used the Ubuntu full disk encryption on laptops, but never on my servers, because I haven't figured out how to boot software raid and fully encrypted together.
I use two techniques with my servers:
1) Create an encrypted swap loopback and a huge encrypted loopback for the user area. The swap can encrypt itself on the way up with a random password. You don't care if you lose it each boot. For the data, leave one user outside the encrypted partition so you have a means of decrypting the filesystem. All other users should be inside the encrypted filesystem. Also symbolic link the /tmp and /var/tmp into the encrypted system.
Or
2) Create a big loopback area and put a virtual machine on it. That way the whole server can be encrypted without complicating the server.
Folks will say that running software raid, on top of a loopback, on top of encryption, on top of a virtual machine ought to be slow.
All I can say is it's plenty fast for my requirements. I don't produce video or mash huge volumes of graphical data, but my LAMP stuff runs plenty fast enough.
In simple terms XTS is generally considered a more secure mode than cbc. (The discussion of the various modes is beyond this forum but a web search will yield tons of info). essiv is always desirable as where possible you want to salt the passphrase. essiv can also be used with xts.
I have /home on my system currently LUKS encrypted. I also have swap encrypted (which can be done independently of any other encryption).
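Added example, not part of any post in this thread: a shell sketch of the `cat /proc/crypto` check suggested above, applied to the cipher specs discussed here (xts, cbc with essiv). The sample table is constructed, the function names are hypothetical, and the mapping from a spec to kernel algorithm names is a simplified assumption.

```sh
#!/bin/sh
# Constructed sample of /proc/crypto text (not captured from a real host).
SAMPLE_PROC_CRYPTO='name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
type         : skcipher

name         : aes
driver       : aes-generic
module       : kernel
type         : cipher

name         : sha256
driver       : sha256-generic
module       : kernel
type         : shash'

# Registered algorithm names, one per line, from /proc/crypto text on stdin.
crypto_names() {
    awk -F' *: *' '$1 == "name" { print $2 }' | sort -u
}

# Kernel names needed by a spec "cipher-mode-ivgen[:hash]" (simplified mapping).
spec_needs() {
    cipher=${1%%-*}; rest=${1#*-}
    mode=${rest%%-*}; iv=${rest#*-}
    echo "${mode}(${cipher})"
    case $iv in *:*) echo "${iv#*:}" ;; esac
}

# Print needed names that are not registered; return 0 only if none are missing.
# Missing is not proof of no support: the kernel may load a module or
# instantiate the mode on first use.
missing_for_spec() {
    names=$(printf '%s\n' "$2" | crypto_names)
    missing=""
    for need in $(spec_needs "$1"); do
        printf '%s\n' "$names" | grep -Fxq "$need" || missing="$missing $need"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

for s in aes-xts-plain64 aes-cbc-essiv:sha256; do
    m=$(missing_for_spec "$s" "$SAMPLE_PROC_CRYPTO") \
        && echo "$s: all registered" \
        || echo "$s: not registered yet: $m"
done
```

On a real machine, pass `"$(cat /proc/crypto)"` as the second argument instead of the sample, and record the spec you end up using alongside the volume.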