Encryption (Filenames/metadata, what to encrypt, resizing)
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Encryption (Filenames/metadata, what to encrypt, resizing)
I've already decided to use an unencrypted root, either loop-aes or LUKS/dm-crypt to encrypt my swap (I will benchmark to decide), loop-aes/EncFS/LUKS to encrypt /tmp (or I will use tmpfs, since I have 6GB of RAM... any opinions?), and either LUKS, loop-aes, or TrueCrypt for my personal /home. /var/tmp will be an EncFS.
First, as mentioned above, any advice from those with experience on making a separate /tmp to encrypt with traditional methods vs. using tmpfs for /tmp (6GB RAM)? What kinds of operations use /tmp the most (I know optical disc writing does) (this will help to benchmark with/without tmpfs), and to what extent? Same questions for /var/tmp? I know tmpfs will automatically move lesser-used stuff to swap instead of main RAM - does it do this well, and does it adjust how much it does that depending on how much free RAM there is?
Second, I know TrueCrypt will encrypt filesystem metadata (the important thing being file names), and EncFS does since late last year. I'm pretty sure LUKS/dm-crypt and loop-aes also do, but I'm not 100% sure. Is anyone certain they do?
Third, any comments on how I've decided to set up my system? Are there any places I'm missing to encrypt?
And fourth, any info on resizing any of the above encryption setups (on block devices on LVM) would be very much appreciated.
Thanks!!
NOTE: I'm also considering just encrypting everything except probably /usr... it would be simpler, that's for sure. We'll have to see what the damage is in terms of speed.
NOTE 2: I will definitely post my results so others can see when I'm done. I will be running the benchmarks on both a quad-core with 7,200rpm hard drives and an elderly ThinkPad with a Pentium M Banias and a 5,400rpm drive. I'll also do a few quick benches to see whether the differences between file system change when encryption is used.... this'll be "fun".
I'm also asking these questions here, for any reading this that are also interested.
Last edited by Ranguvar; 02-14-2009 at 11:26 PM.
Reason: Add link to another asked forum
My laptop, with Fedora10, uses full disk encryption using LUKS. Only the boot partition (~200M) is in the clear. The OS, user files, and swap are all encrypted. I have no performance issues, works great!
The initial install make it really easy too.. just check "Encrypt Disk", done.
Last edited by JulianTosh; 02-14-2009 at 11:49 PM.
Reason: added some clarification on whats encrypted
LUKS is probably your best bet. I've used it for several years, and I've had no data loss issues, other errors. Its also supported in the kernel, so you can boot from it, and you can automatically encrypt your swap using /etc/crypttab. I'm a huge fan, and those fascists at the RIAA can punt. Also, heres a simple benchmark using hdpart:
Unencrypted:
Code:
[wsduvall@Asar ~]$ sudo hdparm -tT /dev/sda
/dev/sda:
Timing cached reads: 2462 MB in 2.00 seconds = 1231.66 MB/sec
Timing buffered disk reads: 118 MB in 3.04 seconds = 38.88 MB/sec
Encrypted:
Code:
[wsduvall@Asar ~]$ sudo hdparm -tT /dev/mapper/home
/dev/mapper/home:
Timing cached reads: 2544 MB in 2.00 seconds = 1273.18 MB/sec
Timing buffered disk reads: 114 MB in 3.05 seconds = 37.36 MB/sec
Theres almost no difference.
I'm also pretty sure (but not 100%) that you can change your keys in LUKS, even after encryption.
Not bad performance there, but I would think the main slowdown would be with sparse file performance / small file performance? I will test soon anyways.
I'm still not 100% sure LUKS encrypts metadata though... or loop-AES for that matter, but loop-AES at least is faster and *potentially* more secure. The advantage LUKS has is that it is in the kernel, and easier to use.
An encrypted device is a virtual device between the real device and the file system. You mount the virtual device (e.g. /dev/mapper/cr_sdc2) and format that. Everything is encrypted. A linux filesystem doesn't have metadata in the same way that a Mac filesystem does. Directories contain the filename and a pointer to the inode structure. To the kernel a directory is simply a file.
I don't see why one would be more secure than the other, they both use the same cypher. Also loop-AES is not really being developed anymore, at least thats what I understand.
Not to hijack this thread or anything, but when you use luks and you are offering shares via samba (smb). How does the windows PC see the shares ? as being encrypted and worthless or is it transparent. This might seem like a stupid question, but I have though about doing this for a while and don't want to make 900 gigs of media worthless to the other PCS.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.