On Fri, Jun 05, 2020 at 11:37:23PM -0500, Dale wrote:
> Howdy,
>
> I think I got an old 3TB hard drive to work. After dd'ing it, redoing
> partitions and such, it seems to be working. Right now, I'm copying a
> bunch of data to it to see how it holds up. Oh, it's a PMR drive too.
> lol Once I'm pretty sure it is alive and working well, I want to play
> with encryption. At some point, I plan to encrypt /home. I found a bit
> of info with startpage but some is dated. This is one link that seems
> to be from this year, at least updated this year.

Encryption is a means to protect against adversaries, but in my case I
mostly want to protect from incidental access. My top “use” cases:
- I need to send in a broken disk for service/replacement
- $DEVICE is stolen and I don’t want the thief to access my personal stuff
- the device needs to be serviced, but has its storage soldered on
- protect from recovery on flash storage

I’ve been running full-disk encryption with LUKS/LVM for some years now on
my laptop’s SSD. I used Sakaki’s scripts to set up the kernel and initrd.
The encryption password is entered during the boot process while still in
the initrd phase. I don’t know the current status of Sakaki’s stuff
though (I must admit I moved away from Gentoo because portage took too much
time on the laptop).

On my main PC I used to have ~ on a hard disk and / on an SSD. So I left /
unencrypted and symlinked sensitive files such as wpa_supplicant.conf and
database files onto a directory beneath /home. Since decryption is done
early at boot, there is no race condition. By now I upgraded the SSD and
have both / and ~ on it, but I kept the scheme out of laziness.

A week ago I got me and myself a used Surface Go (a little x86 tablet) which
only has a small SSD soldered onto the board. There is no way to access or
replace it. I didn’t want to use the same approach as with the laptop,
because I wanted to be able to boot without a keyboard. This meant that PW
entry at early boot was no option because there is no touch support at this
stage. So I researched a little towards decryption at login. Ext4-internal
encryption was a strong contender, because it allowed me to decrypt ~ on
login, while still using a shared partition for / and ~, which would give
me more flexibility on the constrained SSD. It also encrypts filenames, but
not access times (which I was OK with). Eventually though, I decided to go
for more encapsulation and put ~ on a separate partition again. I set it up
with LUKS and auto-mount it on login with pam_mount.

On a performance note: the Surface Go has an NVMe SSD and hdparm -t varies
wildly between 220 and 640 MB/s. OTOH, cryptsetup benchmark resulted in 1330
MiB/s for aes-cbc with a 128 bit key. AES-XTS was slower, but once I
disabled all kernel mitigations¹, its throughput went up by more than 40 %
and also reached 1300 MiB/s. And this is for the meagre Pentium Gold
processor. So no worries in that department.


¹ Many of those vulnerabilities are about violating memory boundaries, which
is most relevant for server operators and securing their users from each
other. Thus, I don’t care about those on my personal machines and rather
have the original performance. Exploits need to get *on* my machines first
before they can snoop in my memory.

-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me on any social network.

I hate being bi-polar. It’s fantastic!
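The "LUKS partition for ~, unlocked and mounted at login with pam_mount" setup described in the reply above, written out as an added example of /etc/security/pam_mount.conf.xml. This is not configuration from the original post or from the pam_mount project; the username "dale", the mountpoint and the UUID placeholder are assumptions, and the remaining elements are the standard pam_mount.conf.xml settings:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <!-- Set to 1 while debugging a failing login mount; back to 0 afterwards. -->
  <debug enable="0" />

  <!-- Assumed layout: the user's home is its own LUKS-formatted partition,
       referenced by UUID (placeholder). fstype="crypt" makes pam_mount hand
       the login password to cryptsetup, so one LUKS keyslot must hold the
       same passphrase as the login password. Changing the login password
       with passwd does not update that keyslot; use cryptsetup luksChangeKey
       as well, or logins will stop unlocking the home partition. -->
  <volume user="dale"
          fstype="crypt"
          path="/dev/disk/by-uuid/REPLACE-WITH-LUKS-PARTITION-UUID"
          mountpoint="/home/dale"
          options="fsck,noatime" />

  <!-- Create the mountpoint if missing and remove it again on unmount. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- Limit which mount options users may request; nosuid,nodev are forced
       so a user-controlled filesystem cannot carry setuid binaries or
       device nodes. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />

  <!-- When the last session of the user ends, unmount and close the LUKS
       mapping so the cleartext device does not outlive the login. -->
  <logout wait="0" hup="no" term="no" kill="no" />
</pam_mount>
```

To activate it, the PAM stack that handles interactive logins (on Gentoo typically /etc/pam.d/system-login) needs `auth optional pam_mount.so` placed after the `pam_unix.so` auth line, so the password is already captured, and `session optional pam_mount.so` in the session section. The `<debug>` output and `journalctl`/syslog entries from pam_mount are the first place to look when a login succeeds but ~ stays unmounted.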