On Sat, Jun 6, 2020 at 3:49 AM Dale <rdalek1967@×××××.com> wrote:
>
> Thanks for both replies. I found one other Gentoo one but it was encrypting the whole thing, /boot and all, plus they used efi. I didn't find the one you linked to.

The Gentoo guide that was linked uses an example of encrypting a partition.

This is just block device layering though. You can probably stack
them any way you want as long as the various services/etc are set up to
load in the right order. You could encrypt the disk and stick LVM on
it. Or you could stick LVM on the disk and use LUKS on the logical
volumes inside.

Usually you want the encryption as close to the disk as possible
because if somebody gets your disk it gives them less to work with.
They don't know that you have a logical volume called "home" on it,
and so on.

Some more recent filesystems have encryption built into them, like
zfs/etc (well, the most recent version). There can be benefits to
doing it this way as the filesystem might be better able to cope with
data corruption if there is some problem later.

However, you can always stick dm-crypt/LUKS/etc on a physical disk and
then just treat the resulting block device as if it were your disk.
dm-crypt itself has very little overhead.

As you pointed out, the main thing you do have to be careful about is
/boot. As long as you're using an appropriate initramfs you can do
just about anything else after that, but your firmware isn't going to
go prompting for your LUKS password/etc.

I should mention it for completeness, but I don't recommend this: you
can also use ATA security with a password that unlocks the hard drive.
In theory the drive should be encrypting its data when security is in
use, and it makes the drive inaccessible without the password. The
problem is that this is generally not audited by anybody and you have
no way of knowing what the drive is doing or whether it is a secure
implementation. But, I mention it for completeness, because it can be
done on Linux.

--
Rich
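The two stacking orders Rich describes (LUKS on the partition with LVM inside it, versus LVM on the partition with LUKS on each logical volume) can be told apart from the device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints. The script below is an added example written for this page, not code from the thread or from Gentoo; it walks that JSON tree, classifies each mounted filesystem by where the dm-crypt layer sits relative to LVM, and leaves /boot out of its findings because, as the message notes, the firmware will not prompt for a LUKS passphrase. Both device trees embedded in it are constructed by hand to mirror the two layouts; the device and volume names in them (sda2, cryptroot, vg0-home, ...) are assumptions, not taken from anyone's real system.

```python
"""Audit where dm-crypt sits in a block-device stack (added example).

Parses the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports,
per mountpoint, whether the chain disk -> ... -> filesystem contains a
"crypt" layer and whether LVM metadata lives inside or outside that layer.
The two sample trees are constructed for this example.
"""
import json
from typing import Dict, List

# Constructed sample: LUKS directly on the partition, LVM inside the opened
# container ("encryption as close to the disk as possible").
LUKS_UNDER_LVM = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]}]})

# Constructed sample: LVM on the raw partition, LUKS on each logical volume.
# Here the volume group layout (a volume called "home") is readable from the
# bare disk even though the data inside each LV is encrypted.
LVM_UNDER_LUKS = json.dumps({"blockdevices": [{
    "name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "vg0-root", "type": "lvm", "mountpoint": None, "children": [
                {"name": "root_crypt", "type": "crypt", "mountpoint": "/"}]},
            {"name": "vg0-home", "type": "lvm", "mountpoint": None, "children": [
                {"name": "home_crypt", "type": "crypt", "mountpoint": "/home"}]},
        ]},
    ]}]})


def _walk(node: Dict, chain: List[str], out: Dict[str, List[str]]) -> None:
    """Depth-first walk; record the type chain (disk -> ... -> leaf) per mountpoint."""
    chain = chain + [node["type"]]
    if node.get("mountpoint"):
        out[node["mountpoint"]] = chain
    for child in node.get("children", []):
        _walk(child, chain, out)


def classify(chain: List[str]) -> str:
    """Describe where dm-crypt sits relative to LVM in one device chain."""
    if "crypt" not in chain:
        return "plaintext"
    crypt_at = chain.index("crypt")
    lvm_positions = [i for i, t in enumerate(chain) if t == "lvm"]
    if not lvm_positions:
        return "luks-on-block"       # LUKS straight on a disk/partition, no LVM
    if all(i > crypt_at for i in lvm_positions):
        return "luks-under-lvm"      # LVM metadata lives inside the container
    return "luks-on-lv"              # VG/LV names are visible on the bare disk


def audit(lsblk_json: str) -> Dict[str, str]:
    """Map each mountpoint to its layering class."""
    tree = json.loads(lsblk_json)
    chains: Dict[str, List[str]] = {}
    for dev in tree["blockdevices"]:
        _walk(dev, [], chains)
    return {mp: classify(chain) for mp, chain in chains.items()}


def findings(report: Dict[str, str]) -> List[str]:
    """Turn a report into human-readable notes; /boot is skipped because it
    must stay readable before the initramfs can unlock anything."""
    notes = []
    for mp, cls in sorted(report.items()):
        if mp == "/boot":
            continue
        if cls == "plaintext":
            notes.append(f"{mp}: no dm-crypt layer in its device chain")
        elif cls == "luks-on-lv":
            notes.append(f"{mp}: LVM sits below LUKS; volume names are exposed on the disk")
    return notes


if __name__ == "__main__":
    for label, sample in (("LUKS under LVM", LUKS_UNDER_LVM), ("LVM under LUKS", LVM_UNDER_LUKS)):
        report = audit(sample)
        print(label, report)
        for note in findings(report) or ["no findings"]:
            print("  -", note)
```

On a real machine, feed it `lsblk -J -o NAME,TYPE,MOUNTPOINT` output instead of the constructed samples; the classification only depends on the order of the "crypt" and "lvm" types in each chain, so it works the same for a single disk or for several.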