Essentially, I have Slackware 14.1 as my server OS. I do not keep anything mission critical or super secret/important but I like following/learning neat security practices just for the hell of it. I do not mind/don't really want the files to be encrypted/decrypted on the fly as that might hamper performance (I like to run video game servers on here and want the best performance possible) but I would like something that leaves the disks/filesystems encrypted when shutting down the computer, then decrypts when its time to boot up. (Although if the system is improperly shutdown....I guess the encryption would never happen...)

Is there such a solution available for Slackware?

One bad thing I just noticed about what I want is that if something ever happens to the OS in which I need to use a LiveCD or something, I would be stuck as everything is encrypted?

The last time I used luks and dm-crypt, it was on a 733 MHz Coppermine Pentium III lappie... and the performance hit on that box was unnoticeable, less than 1 percent.

You are NOT going to notice any performance hit at all, unless you keep the crazy notion of encrypting gigabytes of storage in one big hit when you shut down, and decrypting gigabytes of storage in one big hit when you start up.

And another thing: where are you going to keep all the plaintext that you decrypted at startup? On the disk, where, like you said anyone will be able to read it just by cutting the power?

Just do it the same way everybody else does.

Check out the documentation on the subject on the Slackware installation media (boot disk) or at one of the mirrors where you download Slackware.
There are also other helpful README files there.

I was able to build a fully encrypted system (except /boot) with RAID just following the information found there and reading the relevant man pages.

There is probably other helpful information on this at docs.slackware.com.

With LUKS the encryption is self contained on the encrypted disk/partition so you can recover by unlocking the partition and mounting the file system elsewhere (where LUKS is supported). You should try this to prove it to yourself that it works.

EDIT: Depending upon the version of Slackware you are using, the mkinitrd command may require the -L (lvm) option even if you are not using the volume manager. Since I use both RAID and LUKS together I don't remember if this was required for RAID or for LUKS.

1 members found this post helpful.

Explaining differently what 55020 wrote ...
If you use LUKS the data on an encrypted partition remains always encrypted on the disk. The data is always encrypted when written to the disk and decrypted when read.

There is no mass encryption/decryption on startup/shutdown.

A lot of "recent" (last four years or so) CPUs has AES instruction set built in, reducing the miniscule performance hit even further. Run `grep -w aes /proc/cpuinfo` to see if your CPU has AES support.

Hi, I don't want to hijack this thread but... after looking at the mentioned documentation, many things are not clear to me, being a newbie to encryption...

What is peoples experience with using encryption on:
1) GPT-formatted discs with an EFI/elilo set-up? Would the /boot/efi partition be the one to store the non-encrypted stuff?
2) on a set-up where / is divided over several discs/partitions (say to prevent /tmp or /var/log overflowing the disc-space or to keep them separate on the data hdd and away from the SSD that contains the rest of the distribution)
3) where institutions require, for Windows systems, the use of a TPM (Trusted Platform Module) chip to enable hardware encryption. Would complete-disc encryption via LVM + LUKS be sufficient?
4) in the case of very large data-files (>10 GB) that are analysed by means of a couple of python-scripts, would encryption markedly slow this down (say on a i7 processor that has aes built in and with 16GB RAM available) or not?
5) would using described disc-encryption make things easier when one has been using TrueCrypt before (and ending up deleting all these sections because access failed for some reason or another)

Could one cover these scenarios with a LVM + LUKS set up?

You can slice & dice the disks/partitions/volumes almost anyway you want regarding encryption. I have some encrypted systems with only 3 partitions (root boot & swap) and one fully encrypted server that has a dozen different file systems mounted. Some systems have hard disks, some SSD, and some both. Most have RAID.

I've previously used LVM with encryption but I'm not currently using LVM so I may have forgotten some important LVM limitations regarding encryption.

Speed/Performance is, of course, relative. On my daily use system I have a 45GB file (in an encrypted partition) that acts as the complete file system for MSWIN7 in VirtualBox. The disk access performance is fine for me for programs I run interactively on it. (Note that 45GB is tight. I should have bought a larger SSD to accommodate a larger VirtualBox "disk".) The main performance hit is not the encryption, but in using a file that pretends to be a file system.

I usually suggest that people test their application & measure the performance for themselves instead of guessing. I think that you'll find that performance loss due to encryption/decryption for most applications is barely measurable.

I don't have any experience with TrueCrypt so I can't compare with LUKS. For my limited use of computers (half of which run 24/7), I've not had any problems with LUKS encryption. {typing quietly so the nearby computers don't notice}

With LUKS you need to backup the LUKS Header in case the originals become corrupted. You can assure that you will never be able to access data on a LUKS encrypted disk by just simply "overwriting header and key-slot area" (from cryptsetup man page). I also store decrypted backups of the data in multiple bank safe deposit boxes.

It's funny that I used to do just the opposite. A couple of decades ago, before all this Internet hocus pocus, the locally-accessed server disk files were unencrypted but the offsite storage backup tapes in locked & security sealed metal cases were encrypted.

-----------

It's easy to experiment. Just create one or more expendable partitions, secure with LUKS, add filesystems/volumes and experiment. Deal with full system encryption later.

2 members found this post helpful.