Gentoo Archives: gentoo-user

From: Frank Steinmetzger <Warp_7@×××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
Date: Sun, 07 Jun 2020 16:44:35
Message-Id: 20200606150711.GA274766@kern
In Reply to: [gentoo-user] Encrypting a hard drive's data. Best method. by Dale
1 On Fri, Jun 05, 2020 at 11:37:23PM -0500, Dale wrote:
2 > Howdy,
3 >
4 > I think I got a old 3TB hard drive to work.  After dd'ing it, redoing
5 > partitions and such, it seems to be working.  Right now, I'm copying a
6 > bunch of data to it to see how it holds up.  Oh, it's a PMR drive too. 
7 > lol  Once I'm pretty sure it is alive and working well, I want to play
8 > with encryption.  At some point, I plan to encrypt /home.  I found a bit
9 > of info with startpage but some is dated.  This is one link that seems
10 > to be from this year, at least updated this year. 
12 Encryption is a means to protect against adversaries, but in my case I
13 mostly want to protect from incidental access. My top “use” cases:
14 - I need to send in a broken disk for service/replacement
15 - $DEVICE is stolen and I dont’t want the thief to access my personal stuff
16 - the device needs to be serviced, but has its storage soldered on
17 - protect from recovery on flash storage
19 I’ve been running full-disk encryption with LUKS/LVM for some years now on
20 my laptop’s SSD. I used Sakaki’s scripts to set up the kernel and initrd.
21 The encryption password is entered during the boot process while still in
22 the initrd phase. I don’t know of the current status of Sakaki’s stuff
23 though (I must admit I moved away from Gentoo because portage took to much
24 time on the laptop).
26 On my main PC I used to have ~ on a hard disk and / on an SSD. So I left /
27 unencrypted and symlinked sensitive files such as wpa_supplicant.conf and
28 database files onto a directory beneath /home. Since decryption is done
29 early at boot, there is no race condition. By now I upgraded the SSD and
30 have both / and ~ on it, but I kept the scheme out of laziness.
32 A week ago I got me and myself a used Surface Go (a little X86 tablet) which
33 only has a small SSD soldered onto the board. There is no way to access or
34 replace it. I didn’t want to use the same approach as with the laptop,
35 because I wanted to be able to boot without a keyboard. This meant that PW
36 entry at early boot was no option because there is no touch support at this
37 stage. So I researched a little towards decryption at login. Ext4-internal
38 encryption was a strong contender, because it allowed me to decrypt ~ on
39 login, while still using a shared partitions for / and ~, which would give
40 me more flexibility on the constrained SSD. It also encrypts filenames, but
41 not access times (which I was OK with). Eventually though, I decided to go
42 for more encapsulation and put ~ on a separate partition again. I set it up
43 with LUKS and auto-mount it on login with pam_mount.
45 On a performance not: the Surface Go has an NVME SSD and hdparm -t varies
46 wildly between 220 and 640 MB/s. OTOH, cryptsetup benchark resulted in 1330
47 MiB/s for aes-cbc with a 128 bit key. Aes-xts was slower, but once I
48 disabled all kernel mitigations¹, its throughput went up by more than 40 %
49 and also reached 1300 MiB/s. And this is for the meagre Pentium Gold
50 processor. So no worries in that department.
53 ¹ Many of those vulnerabilities are about violating memory boundaries, which
54 is most relevant for server operators and securing their users from each
55 other. Thus, I don’t care about those on my personal machines and rather
56 have the original performance. Exploits need to get *on* my machines first
57 before they can snoop in my memory.
59 --
60 Gruß | Greetings | Qapla’
61 Please do not share anything from, with or about me on any social network.
63 I hate being bi-polar. It’s fantastic!


File name MIME type
signature.asc application/pgp-signature