I've already decided to use an unencrypted root, either loop-aes or LUKS/dm-crypt to encrypt my swap (I will benchmark to decide), loop-aes/EncFS/LUKS to encrypt /tmp (or I will use tmpfs, since I have 6GB of RAM... any opinions?), and either LUKS, loop-aes, or TrueCrypt for my personal /home. /var/tmp will be an EncFS.

First, as mentioned above, any advice from those with experience on making a separate /tmp to encrypt with traditional methods vs. using tmpfs for /tmp (6GB RAM)? What kinds of operations use /tmp the most (I know optical disc writing does) (this will help to benchmark with/without tmpfs), and to what extent? Same questions for /var/tmp? I know tmpfs will automatically move lesser-used stuff to swap instead of main RAM - does it do this well, and does it adjust how much it does that depending on how much free RAM there is?

Second, I know TrueCrypt will encrypt filesystem metadata (the important thing being file names), and EncFS does since late last year. I'm pretty sure LUKS/dm-crypt and loop-aes also do, but I'm not 100% sure. Is anyone certain they do?

Third, any comments on how I've decided to set up my system? Are there any places I'm missing to encrypt?

And fourth, any info on resizing any of the above encryption setups (on block devices on LVM) would be very much appreciated.

Thanks!!

NOTE: I'm also considering just encrypting everything except probably /usr... it would be simpler, that's for sure. We'll have to see what the damage is in terms of speed.

NOTE 2: I will definitely post my results so others can see when I'm done. I will be running the benchmarks on both a quad-core with 7,200rpm hard drives and an elderly ThinkPad with a Pentium M Banias and a 5,400rpm drive. I'll also do a few quick benches to see whether the differences between file system change when encryption is used.... this'll be "fun".


I'm also asking these questions here, for any reading this that are also interested.

My laptop, with Fedora10, uses full disk encryption using LUKS. Only the boot partition (~200M) is in the clear. The OS, user files, and swap are all encrypted. I have no performance issues, works great!

The initial install make it really easy too.. just check "Encrypt Disk", done.

Does LUKS encrypt filesystem metadata (filenames)?

Bumper.

not exactly sure what you mean. LUKS is a whole-disk encryption system so everything gets encrypted - filenames, data, etc.

LUKS is probably your best bet. I've used it for several years, and I've had no data loss issues, other errors. Its also supported in the kernel, so you can boot from it, and you can automatically encrypt your swap using /etc/crypttab. I'm a huge fan, and those fascists at the RIAA can punt. Also, heres a simple benchmark using hdpart:

Unencrypted:
Encrypted:
Theres almost no difference.

I'm also pretty sure (but not 100%) that you can change your keys in LUKS, even after encryption.

Not bad performance there, but I would think the main slowdown would be with sparse file performance / small file performance? I will test soon anyways.

I'm still not 100% sure LUKS encrypts metadata though... or loop-AES for that matter, but loop-AES at least is faster and *potentially* more secure. The advantage LUKS has is that it is in the kernel, and easier to use.

An encrypted device is a virtual device between the real device and the file system. You mount the virtual device (e.g. /dev/mapper/cr_sdc2) and format that. Everything is encrypted. A linux filesystem doesn't have metadata in the same way that a Mac filesystem does. Directories contain the filename and a pointer to the inode structure. To the kernel a directory is simply a file.

I don't see why one would be more secure than the other, they both use the same cypher. Also loop-AES is not really being developed anymore, at least thats what I understand.

Not to hijack this thread or anything, but when you use luks and you are offering shares via samba (smb). How does the windows PC see the shares ? as being encrypted and worthless or is it transparent. This might seem like a stupid question, but I have though about doing this for a while and don't want to make 900 gigs of media worthless to the other PCS.

The OS will present a decrypted file system to samba.

Thanks, I figured as much but its better to ask then to be sorry later for not asking