| 1 |
On Fri, Jun 05, 2020 at 11:37:23PM -0500, Dale wrote: |
| 2 |
> Howdy, |
| 3 |
> |
| 4 |
> I think I got a old 3TB hard drive to work. After dd'ing it, redoing |
| 5 |
> partitions and such, it seems to be working. Right now, I'm copying a |
| 6 |
> bunch of data to it to see how it holds up. Oh, it's a PMR drive too. |
| 7 |
> lol Once I'm pretty sure it is alive and working well, I want to play |
| 8 |
> with encryption. At some point, I plan to encrypt /home. I found a bit |
| 9 |
> of info with startpage but some is dated. This is one link that seems |
| 10 |
> to be from this year, at least updated this year. |
| 11 |
|
| 12 |
Encryption is a means to protect against adversaries, but in my case I |
| 13 |
mostly want to protect from incidental access. My top “use” cases: |
| 14 |
- I need to send in a broken disk for service/replacement |
| 15 |
- $DEVICE is stolen and I dont’t want the thief to access my personal stuff |
| 16 |
- the device needs to be serviced, but has its storage soldered on |
| 17 |
- protect from recovery on flash storage |
| 18 |
|
| 19 |
I’ve been running full-disk encryption with LUKS/LVM for some years now on |
| 20 |
my laptop’s SSD. I used Sakaki’s scripts to set up the kernel and initrd. |
| 21 |
The encryption password is entered during the boot process while still in |
| 22 |
the initrd phase. I don’t know of the current status of Sakaki’s stuff |
| 23 |
though (I must admit I moved away from Gentoo because portage took to much |
| 24 |
time on the laptop). |
| 25 |
|
| 26 |
On my main PC I used to have ~ on a hard disk and / on an SSD. So I left / |
| 27 |
unencrypted and symlinked sensitive files such as wpa_supplicant.conf and |
| 28 |
database files onto a directory beneath /home. Since decryption is done |
| 29 |
early at boot, there is no race condition. By now I upgraded the SSD and |
| 30 |
have both / and ~ on it, but I kept the scheme out of laziness. |
| 31 |
|
| 32 |
A week ago I got me and myself a used Surface Go (a little X86 tablet) which |
| 33 |
only has a small SSD soldered onto the board. There is no way to access or |
| 34 |
replace it. I didn’t want to use the same approach as with the laptop, |
| 35 |
because I wanted to be able to boot without a keyboard. This meant that PW |
| 36 |
entry at early boot was no option because there is no touch support at this |
| 37 |
stage. So I researched a little towards decryption at login. Ext4-internal |
| 38 |
encryption was a strong contender, because it allowed me to decrypt ~ on |
| 39 |
login, while still using a shared partitions for / and ~, which would give |
| 40 |
me more flexibility on the constrained SSD. It also encrypts filenames, but |
| 41 |
not access times (which I was OK with). Eventually though, I decided to go |
| 42 |
for more encapsulation and put ~ on a separate partition again. I set it up |
| 43 |
with LUKS and auto-mount it on login with pam_mount. |
| 44 |
|
| 45 |
On a performance not: the Surface Go has an NVME SSD and hdparm -t varies |
| 46 |
wildly between 220 and 640 MB/s. OTOH, cryptsetup benchark resulted in 1330 |
| 47 |
MiB/s for aes-cbc with a 128 bit key. Aes-xts was slower, but once I |
| 48 |
disabled all kernel mitigations¹, its throughput went up by more than 40 % |
| 49 |
and also reached 1300 MiB/s. And this is for the meagre Pentium Gold |
| 50 |
processor. So no worries in that department. |
| 51 |
|
| 52 |
|
| 53 |
¹ Many of those vulnerabilities are about violating memory boundaries, which |
| 54 |
is most relevant for server operators and securing their users from each |
| 55 |
other. Thus, I don’t care about those on my personal machines and rather |
| 56 |
have the original performance. Exploits need to get *on* my machines first |
| 57 |
before they can snoop in my memory. |
| 58 |
|
| 59 |
-- |
| 60 |
Gruß | Greetings | Qapla’ |
| 61 |
Please do not share anything from, with or about me on any social network. |
| 62 |
|
| 63 |
I hate being bi-polar. It’s fantastic! |
Archives