Ranguvar 02-14-2009 11:24 PM

Encryption (Filenames/metadata, what to encrypt, resizing)
I've already decided to use an unencrypted root, either loop-aes or LUKS/dm-crypt to encrypt my swap (I will benchmark to decide), loop-aes/EncFS/LUKS to encrypt /tmp (or I will use tmpfs, since I have 6GB of RAM... any opinions?), and either LUKS, loop-aes, or TrueCrypt for my personal /home. /var/tmp will be an EncFS.

First, as mentioned above, any advice from those with experience on making a separate /tmp to encrypt with traditional methods vs. using tmpfs for /tmp (6GB RAM)? What kinds of operations use /tmp the most (I know optical disc writing does) (this will help to benchmark with/without tmpfs), and to what extent? Same questions for /var/tmp? I know tmpfs will automatically move lesser-used stuff to swap instead of main RAM - does it do this well, and does it adjust how much it does that depending on how much free RAM there is?

Second, I know TrueCrypt will encrypt filesystem metadata (the important thing being file names), and EncFS does since late last year. I'm pretty sure LUKS/dm-crypt and loop-aes also do, but I'm not 100% sure. Is anyone certain they do?

Third, any comments on how I've decided to set up my system? Are there any places I'm missing to encrypt?

And fourth, any info on resizing any of the above encryption setups (on block devices on LVM) would be very much appreciated.

Thanks!! :)

NOTE: I'm also considering just encrypting everything except probably /usr... it would be simpler, that's for sure. We'll have to see what the damage is in terms of speed.

NOTE 2: I will definitely post my results so others can see when I'm done. I will be running the benchmarks on both a quad-core with 7,200rpm hard drives and an elderly ThinkPad with a Pentium M Banias and a 5,400rpm drive. I'll also do a few quick benches to see whether the differences between file system change when encryption is used.... this'll be "fun".

I'm also asking these questions here, for any reading this that are also interested.

JulianTosh 02-14-2009 11:47 PM

My laptop, with Fedora10, uses full disk encryption using LUKS. Only the boot partition (~200M) is in the clear. The OS, user files, and swap are all encrypted. I have no performance issues, works great!

The initial install makes it really easy too... just check "Encrypt Disk", done.

Ranguvar 02-15-2009 05:42 PM

Does LUKS encrypt filesystem metadata (filenames)?

Ranguvar 02-17-2009 11:13 PM

JulianTosh 02-18-2009 10:26 AM

Not exactly sure what you mean. LUKS is a whole-disk encryption system, so everything gets encrypted - filenames, data, etc.

wsduvall 02-18-2009 03:28 PM

LUKS is probably your best bet. I've used it for several years, and I've had no data loss issues or other errors. It's also supported in the kernel, so you can boot from it, and you can automatically encrypt your swap using /etc/crypttab. I'm a huge fan, and those fascists at the RIAA can punt. Also, here's a simple benchmark using hdparm:


[wsduvall@Asar ~]$ sudo hdparm -tT /dev/sda
 Timing cached reads:  2462 MB in  2.00 seconds = 1231.66 MB/sec
 Timing buffered disk reads:  118 MB in  3.04 seconds =  38.88 MB/sec


[wsduvall@Asar ~]$ sudo hdparm -tT /dev/mapper/home
 Timing cached reads:  2544 MB in  2.00 seconds = 1273.18 MB/sec
 Timing buffered disk reads:  114 MB in  3.05 seconds =  37.36 MB/sec

There's almost no difference.

I'm also pretty sure (but not 100%) that you can change your keys in LUKS, even after encryption.

Ranguvar 02-18-2009 04:32 PM

Not bad performance there, but I would think the main slowdown would be with sparse file performance / small file performance? I will test soon anyways.

I'm still not 100% sure LUKS encrypts metadata though... or loop-AES for that matter, but loop-AES at least is faster and *potentially* more secure. The advantage LUKS has is that it is in the kernel, and easier to use.

jschiwal 02-19-2009 12:33 PM

An encrypted device is a virtual device between the real device and the file system. You mount the virtual device (e.g. /dev/mapper/cr_sdc2) and format that. Everything is encrypted. A Linux filesystem doesn't have metadata in the same way that a Mac filesystem does. Directories contain the filename and a pointer to the inode structure. To the kernel a directory is simply a file.
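
The point above (the filesystem, directory entries and filenames included, lives entirely inside the dm-crypt/LUKS block device, so nothing from it reaches the backing storage in the clear) can be checked directly. The script below is an added example, not code from anyone in this thread: it builds a plain ext4 image and a LUKS-backed ext4 image in a file, writes a file with a constructed marker name into each, and then searches the raw image bytes for that name. The image paths, mount points, mapper name, marker filename and passphrase are all assumptions chosen for the demo; the demo functions need root, cryptsetup, losetup and mkfs.ext4, while the search function itself runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): show that a filename written into a
# LUKS/dm-crypt volume never appears in the backing storage, while the same
# filename on a plain filesystem image is trivially visible.

# Return 0 if the literal byte string $2 occurs anywhere in file $1, else 1.
# -a treats the image as text, -F disables regex interpretation of the name.
name_visible_in_image() {
    grep -q -a -F -- "$2" "$1"
}

MARKER=secret-project-plan.txt        # constructed marker filename
PASS=demo-passphrase                   # demo-only passphrase, assumption

# Plain ext4 image: the directory entry is stored as-is on the device.
demo_plain() {
    img=${1:-/tmp/plain-demo.img}      # assumed path
    mnt=/mnt/plain-demo                # assumed mount point
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    mkfs.ext4 -q -F "$img"
    mkdir -p "$mnt" && mount -o loop "$img" "$mnt"
    echo hello > "$mnt/$MARKER"
    umount "$mnt"
    if name_visible_in_image "$img" "$MARKER"; then
        echo "plain image: '$MARKER' is readable from the raw device (expected)"
    else
        echo "plain image: marker not found (unexpected)"; return 1
    fi
}

# LUKS image: ext4 is created on /dev/mapper/<name>, so every block,
# directory blocks included, is encrypted before it reaches the image file.
demo_luks() {
    img=${1:-/tmp/luks-demo.img}       # assumed path
    mnt=/mnt/luks-demo                 # assumed mount point
    dev=luksdemo                       # assumed mapper name
    dd if=/dev/zero of="$img" bs=1M count=64 status=none
    printf '%s' "$PASS" | cryptsetup -q luksFormat --key-file - "$img"
    printf '%s' "$PASS" | cryptsetup open --key-file - "$img" "$dev"
    mkfs.ext4 -q "/dev/mapper/$dev"
    mkdir -p "$mnt" && mount "/dev/mapper/$dev" "$mnt"
    echo hello > "$mnt/$MARKER"
    umount "$mnt"
    cryptsetup close "$dev"
    if name_visible_in_image "$img" "$MARKER"; then
        echo "LUKS image: LEAK, '$MARKER' found in the raw image"; return 1
    fi
    echo "LUKS image: '$MARKER' does not appear in the raw image (expected)"
}

# Only run the root-requiring demos when explicitly asked:  sh demo.sh --demo
case "${1:-}" in
    --demo)
        [ "$(id -u)" = 0 ] || { echo "run as root" >&2; exit 1; }
        demo_plain && demo_luks
        ;;
esac
```

The same grep-based check is useful after the fact on any backing device or image: if a known filename, or any other plaintext you expect to be protected, turns up in the raw bytes, the encryption layer is not where you think it is (for example a file-level tool such as EncFS without filename encryption enabled, or a directory that was never inside the mapped device).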

wsduvall 02-20-2009 12:03 AM

I don't see why one would be more secure than the other; they both use the same cipher. Also, loop-AES is not really being developed anymore, at least that's what I understand.

Gortex 03-02-2009 10:51 AM

Not to hijack this thread or anything, but when you use LUKS and you are offering shares via Samba (SMB), how does the Windows PC see the shares? As being encrypted and worthless, or is it transparent? This might seem like a stupid question, but I have thought about doing this for a while and don't want to make 900 gigs of media worthless to the other PCs.

JulianTosh 03-02-2009 12:22 PM

The OS will present a decrypted file system to Samba.

Gortex 03-02-2009 12:37 PM

Thanks, I figured as much, but it's better to ask than to be sorry later for not asking :)

