Encrypted partitions (LUKS) or loopback files (cryptmount)?
Conundrum:
I've had two large, 100 GB LUKS encrypted partitions for a few years. Both are backed up to an external HD with partitions that mirror those in my computer. This arrangement has worked pretty well for years.
These two LUKS encrypted partitions are on the same disk and they are split in two for historical reasons. I used to have 2 80 GB hard disks, now I have one 320 GB hard disk. The current organization in two partitions reflects the old organization, in two disks. I could change that now, but I have other questions on my mind.
I just ran into something called cryptmount. It is interesting. It can encrypt partitions as well, or it can create loopback files with file systems in them. Encrypted file systems, of course. So now I am thinking:
- Should I merge those two large LUKS partitions into one? On the one hand, having them split seems more manageable in some circumstances, e.g. I could save them in multiple smaller disks if necessary. On the other hand, there could be situations when I need to store something very large which won't fit in the free space of either partition, although it would fit in the sum of the free space on both partitions.
- Should I migrate all my data to smaller cryptmount volumes? AGAIN: On the one hand, having them split seems more manageable in some circumstances, e.g. I could save them in multiple smaller disks/partitions if necessary. On the other hand, there could be situations when I need to store something very large which won't fit in the free space of any single partition, although it would fit in the sum of the free space on all partitions.
- At least one directory has been converted to cryptmount because of on-line backups. I change or add content to that directory very often and it is so important that local backups aren't enough; I feel better having a couple of copies "in the cloud" as well. I used to tar.gz the directory, encrypt it with GPG and send it to two remote locations, but my Internet connection is too slow. It always takes too long. Now I see that rsync will update that data VERY fast with the --no-whole-file option if it is a cryptmount volume. I am not sure that trick will work well with a GPG encrypted tar.gz ball; I suppose GPG+tar.gz will result in too many changes that will force rsync to update much bigger chunks of data.
- So cryptmount loopback files work very well for this kind of remote backup, but should I migrate my 2 large LUKS partitions to cryptmount files? Why? Why not?
- Another thing to consider is that LUKS partitions have the key contained in themselves, whereas cryptmount files require a key in a separate file. I am not sure I like that, sounds like a liability to me. I will have to protect those keys both from attacks and from being lost. How? Keep them in a LUKS partition? Erm, that kind of defeats the whole purpose of replacing LUKS partitions, doesn't it?
Any thoughts, please?
Last edited by lucmove; 04-11-2011 at 04:36 AM.
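
The rsync point raised in the post can be checked with a small model. This is an added example, not part of the original post: it counts how many 4 KiB blocks of ciphertext change after a small edit, once for a sector-encrypted container and once for a compressed archive encrypted under a fresh session key. Assumptions: a SHA-256 keystream stands in for the real ciphers (it is a toy, not secure, and not what dm-crypt or GnuPG use), and an aligned block comparison stands in for rsync's delta matching.

```python
import hashlib
import os
import zlib

BLOCK = 4096  # assumed block size for the toy sector cipher and the comparison

def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """SHA-256 in counter mode. Toy stand-in for a real cipher, not secure."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + label + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_container(key: bytes, image: bytes) -> bytes:
    """Sector model: a sector's ciphertext depends only on key, sector number, plaintext."""
    out = bytearray()
    for off in range(0, len(image), BLOCK):
        sector = image[off:off + BLOCK]
        tweak = (off // BLOCK).to_bytes(8, "big")
        out += xor(sector, keystream(key, tweak, len(sector)))
    return bytes(out)

def encrypt_archive(image: bytes) -> bytes:
    """Archive model: compress, then encrypt under a fresh random session key per run."""
    packed = zlib.compress(image)
    return xor(packed, keystream(os.urandom(32), b"stream", len(packed)))

def changed_blocks(old: bytes, new: bytes) -> tuple:
    """Return (blocks that differ, total blocks) for two versions of a file."""
    size = max(len(old), len(new))
    diff = sum(old[i:i + BLOCK] != new[i:i + BLOCK] for i in range(0, size, BLOCK))
    return diff, (size + BLOCK - 1) // BLOCK

def demo() -> tuple:
    key = os.urandom(32)
    before = os.urandom(256 * BLOCK)  # constructed sample: 1 MiB of volume content
    after = bytearray(before)
    after[100 * BLOCK + 10:100 * BLOCK + 20] = bytes(10)  # small edit inside one sector
    after = bytes(after)
    container = changed_blocks(encrypt_container(key, before), encrypt_container(key, after))
    archive = changed_blocks(encrypt_archive(before), encrypt_archive(after))
    return container, archive

if __name__ == "__main__":
    print(demo())
```

In this model the container changes in exactly one block, while every block of the re-encrypted archive differs, so a delta transfer has nothing to reuse in the second case.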