[SOLVED] A few questions about encrypting my drives
I just bought a new computer and I'm going to *attempt* to set up encrypted /home, /, and swap partitions on it for its fresh Slackware install, using AlienBOB's guide found here.
While I wait for my /home partition to finish filling with random data, I had a few questions I thought I'd ask.
1. Will there be any noticeable speed difference during regular use and wine gaming, between a nonencrypted disk and a disk encrypted in this manner?
2. For a 500gb /home and a 500gb /, will it take longer than a few seconds to decrypt on boot?
3. If I rebuild the kernel to update to a newer version or if I install things that add new kernel modules (NVIDIA proprietary driver, for example), will that have any adverse effect on my encryption?
4. Exactly how secure is a partition encrypted in this manner, on a scale of 1 (some bored script kiddie can break it) to 10 (the NSA and the KGB both decide that they really, really want to get into my laptop)?
5. If I need to mount my encrypted partitions in TRK or Puppy Linux or something for some reason, will it be easy for me to decrypt it from the liveCD?
Not really. The power of modern computer processors, and even those from a few years ago, combined with optimized cryptographic processes means day-to-day work is not affected. Encryption/decryption occurs in the background, "transparent" to end users so, while there is a slight computational overhead while reading and writing data, the performance difference is measurable and comes in as a 1% hit to hard drive IO operations - not enough to truly perceive.
First of all, do you REALLY need the security of encrypting your home?
Secondly, I have a 1 year old Lenovo W500 and encrypting my home made a significant difference in performance. I hated it and went through some trouble unencrypting it.
Thirdly, I found that if my os got corrupted, it would be almost impossible to recover my home data.
Secondly, I have a 1 year old Lenovo W500 and encrypting my home made a significant difference in performance. I hated it and went through some trouble unencrypting it.
I literally saw no difference whatsoever on an empirical level when going from regular unencrypted partitions to an encrypted LVM. I did not do any benchmarks, so there may very well have been some performance loss -- but not enough for me to notice.
I've been using encfs to encrypt/decrypt just a directory in my home folder where I store sensitive documents (i.e. tax info, stuff with my social security number, etc)... once I enter the key, the folder is decrypted with no perceptible lag at all
1. There will be some difference but noticeable? Probably no. I use encryption on my Asus EeePC without any performance issues.
2. No, it takes 1 or 2 seconds to generate the key when you enter the password. From that on, it is on-the-fly decryption, so the size of the disk doesn't matter.
3. No. But don't forget to add support for encryption when you use a custom kernel (see Alien's guide for details).
4. AES, for example, is being used by the government as well, so the security level should be close to 10. Of course, it may be that someone knows a way to break it but keeps it to himself, you never know. But these are not algorithms that can be broken by simple attacks, you will need to solve very complex mathematical problems to find a way of breaking.
5. As long as the LiveCD has cryptsetup setup, it should be possible. In the worst case you will need to do it manually in a terminal (again, see Alien's guide).
I literally saw no difference whatsoever on an empirical level when going from regular unencrypted partitions to an encrypted LVM. I did not do any benchmarks, so there may very well have been some performance loss -- but not enough for me to notice.
That's my experience. I have a laptop running 13.37 with an encrypted LVM containing an LV group with swap, / and /home. I can't see any difference between this and when it wasn't encrypted. One of the Linux magazines (possibly Linux User) did some benchmarking this year. I can recall that LUKS/LVM came out fastest for the freely licenced methods; I think that ecryptfs (the default method in Ubuntu) came with a noticeable hit on read times.
1-5 have already been answered but I can say that I'm reasonably happy with it. There are a few notes to this all. Encrypting the swap partition is a means of hiding your activity. Assuming you never stored any incriminating evidence on your hard drive and only in a temporary ram fs, then swap could potentially contain evidence against you. The method of everything under one encrypted LVM would not protect you from people stealing your key card or forcing you to reveal your password. In that situation you would need the swap to re-create itself with a random seed on every boot. You never know the password so nobody can ever find evidence against you on the swap. There are some tricks however. Unless you specify an offset to cryptsetup, the UUID changes every time so you may have to hack around some stuff to work in a UUID setup... But Slackware is good about not mucking with the standard /dev/sd?? layout so that shouldn't matter. Either way, the Arch wiki has some tips on all that https://wiki.archlinux.org/index.php...Swap_partition
If that isn't your concern, the only other reason to encrypt the whole hard drive is that it prevents thieves from stealing your computer and having a fully functioning system with your information. If a thief actually knows how to look at the nitty gritty of the hard drive, it also prevents them from seeing exactly where the important encrypted information is. If you only encrypt one folder, then it's a flag to everybody telling them where to look.
The downside to all this, if you screw up the LUKS encryption headers and don't have a backup, then the whole drive is toast. VS, if you have an unencrypted drive, you can have bad sectors all over the place and still be able to recover a good portion of your data.
Well, there are lots of useful answers here, so I will add just few thoughts.
4 - Encrypting just your /home filesystem is risky. Operating systems are messy. When you open a document placed in your /home with an app, this app could be placing temporary files in other (unencrypted) places of the drive, like /tmp. Even if these files get erased at reboot, they could be recovered from the unencrypted areas with very simple forensic techniques. Take care with the swap area, as has already been advised to you, because data can leak there in a similar way. Other than that, the default encryption provided by dm-crypt with LUKS is very strong, and this model of security will suffice to stop most people.
1 - You might consider using a different and faster algorithm than the default if you are concerned about speed.
Last edited by BlackRider; 12-21-2011 at 03:32 AM.
Take special note of BlackRider's comment about /tmp. The quick fix for this is to make /tmp a ramfs/tmpfs so that it only resides in memory and if you max that out, it will go to the encrypted swap. Slackware comes with an fstab with /dev/shm as a ramfs; duplicate the line and change the mount point to /tmp.
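Added example, not part of any post in this thread: a small check for the two leak paths discussed above (unencrypted swap, and /tmp living on an unencrypted filesystem) run over an fstab. The sample fstab contents and device names are constructed for illustration, and the script assumes that anything under /dev/mapper/ is a dm-crypt mapping, which is not true for a plain LVM volume.

```shell
#!/bin/sh
# Added example: flag fstab entries that can leak plaintext when only /home is encrypted.

# Constructed sample fstab (device names are assumptions for illustration).
sample_fstab() {
cat <<'EOF'
# <device>            <mount>   <type>  <options>  <dump> <pass>
/dev/sda2             /         ext4    defaults   1 1
/dev/mapper/crypthome /home     ext4    defaults   1 2
/dev/sda3             swap      swap    defaults   0 0
tmpfs                 /dev/shm  tmpfs   defaults   0 0
EOF
}

# Constructed corrected variant: swap on a mapped device, /tmp held in memory
# (the /dev/shm line duplicated with the mount point changed to /tmp).
sample_fstab_fixed() {
cat <<'EOF'
/dev/sda2             /         ext4    defaults   1 1
/dev/mapper/crypthome /home     ext4    defaults   1 2
/dev/mapper/cryptswap swap      swap    defaults   0 0
tmpfs                 /dev/shm  tmpfs   defaults   0 0
tmpfs                 /tmp      tmpfs   defaults   0 0
EOF
}

# audit_fstab: read fstab text on stdin, print one "LEAK ..." line per finding.
audit_fstab() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
    { dev[$2] = $1; fs[$2] = $3 }               # index entries by mount point
    $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print "LEAK swap on " $1 }
    END {
      # Without its own entry, /tmp is just a directory on the root filesystem.
      t = ("/tmp" in dev) ? "/tmp" : "/"
      if (fs[t] != "tmpfs" && dev[t] !~ /^\/dev\/mapper\//)
        print "LEAK /tmp on " dev[t]
    }'
}

sample_fstab | audit_fstab
```

To check a real system, run `audit_fstab < /etc/fstab`; other writable locations outside /home (for example /var/tmp) are not covered by this check.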
First of all, do you REALLY need the security of encrypting your home?
Secondly, I have a 1 year old Lenovo W500 and encrypting my home made a significant difference in performance. I hated it and went through some trouble unencrypting it.
Thirdly, I found that if my os got corrupted, it would be almost impossible to recover my home data.
I have 6 computers at home. 4 have encrypted hard drives. Of the 4, 3 have all their drives encrypted. The two that are not encrypted, one is a synth machine and the other is an AVLinux machine.
If someone were to walk off with any machine there would be no value except to scrap the hardware. NT is so outdated, they would probably bring the machine back. The AV machine, that would be a keeper.
I have had a computer stolen. Once was enough, everything is encrypted.
I have not noticed any performance degradation after I encrypted my hard disks.
I have had to recover an encrypted hard disk. Mount it with the encryption software, pull your data and do whatever you need to do with the hard disk.