Message-ID: <4F5F71C3.6070206@binarywings.net>
Date: Tue, 13 Mar 2012 17:11:47 +0100
From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] hard drive encryption

On 13.03.2012 12:55, Valmor de Almeida wrote:
> On 03/11/2012 02:29 PM, Florian Philipp wrote:
>> On 11.03.2012 16:38, Valmor de Almeida wrote:
>>>
>>> Hello,
>>>
>>> I have not looked at encryption before and find myself in a situation
>>> that I have to encrypt my hard drive. I keep /, /boot, and swap outside
>>> LVM, everything else is under LVM. I think all I need to do is to
>>> encrypt /home which is under LVM. I use reiserfs.
>>>
>>> I would appreciate suggestions and pointers on what is practical and
>>> simple in order to accomplish this task with a minimum of downtime.
>>>
>>> Thanks,
>>>
>>> --
>>> Valmor
>>>
>>
>>
>> Is it acceptable for you to have a commandline prompt for the password
>> when booting? In that case you can use LUKS with the /etc/init.d/dmcrypt
>
> I think so.
>
>> init script. /etc/conf.d/dmcrypt should contain some examples. As you
>> want to encrypt an LVM volume, the lvm init script needs to be started
>> before this.
>> As I see it, there is no strict dependency between those
>> two scripts. You can add this by adding this line to /etc/rc.conf:
>> rc_dmcrypt_after="lvm"
>>
>> For creating a LUKS-encrypted volume, look at
>> http://en.gentoo-wiki.com/wiki/DM-Crypt
>
> Currently looking at this.
>
>>
>> You won't need most of what is written there; just section 9,
>> "Administering LUKS" and the kernel config in section 2, "Assumptions".
>>
>> Concerning downtime, I'm not aware of any solution that avoids copying
>> the data over to the new volume. If downtime is absolutely critical, ask
>> and we can work something out that minimizes the time.
>>
>> Regards,
>> Florian Philipp
>>
>
> Since I am planning to encrypt only home/ under LVM control, what kind
> of overhead should I expect?
>
> Thanks,
>

What do you mean by overhead? CPU utilization? In that case the
overhead is minimal, especially when you run a 64-bit kernel with the
optimized AES kernel module.

Measured on a Core i5:
time cat Video/*.* >/dev/null
real 0m42.918s
user 0m0.023s
sys 0m2.027s

That was a sequential read of roughly 3.5GB with empty caches. This
corresponds to the normal disk speed.

Regards,
Florian Philipp
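
Added example, not part of the original message or of Gentoo's init scripts: a pre-reboot check for the ordering problem discussed above, where dmcrypt must start after lvm if the encrypted volume lives on LVM. It assumes /etc/conf.d/dmcrypt lists devices as source= assignments; the function names and the path patterns used to recognise an LVM volume are hypothetical and heuristic.

```shell
#!/bin/sh
# Added example: check that dmcrypt is ordered after lvm when a dmcrypt
# source device is an LVM volume. Assumes conf.d/dmcrypt uses source=
# assignments; the path patterns below are a heuristic, not an LVM query.

# Print the last uncommented KEY=value assignment in FILE, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

# Print every uncommented source= device in a conf.d/dmcrypt style file.
dmcrypt_sources() {
    sed -n "s/^[[:space:]]*source=//p" "$1" | tr -d "\"'"
}

# Return 0 if ordering is safe, 1 if an LVM-backed source lacks it.
check_dmcrypt_order() {
    rc_conf=$1
    dmcrypt_conf=$2
    status=0
    after=$(conf_value rc_dmcrypt_after "$rc_conf")
    for src in $(dmcrypt_sources "$dmcrypt_conf"); do
        case $src in
            /dev/disk/*)              # persistent udev names, treated as non-LVM
                echo "ok: $src is not an LVM path" ;;
            /dev/mapper/*|/dev/*/*)   # device-mapper or /dev/<vg>/<lv>
                case " $after " in
                    *" lvm "*) echo "ok: $src is opened after lvm" ;;
                    *) echo "FAIL: $src needs rc_dmcrypt_after=\"lvm\""
                       status=1 ;;
                esac ;;
            *)  echo "ok: $src is not an LVM path" ;;
        esac
    done
    return $status
}

# Run only when both files are given, e.g. /etc/rc.conf /etc/conf.d/dmcrypt.
if [ "$#" -eq 2 ]; then
    check_dmcrypt_order "$1" "$2"
fi
```

A non-zero exit status means at least one LVM-backed source would be opened before the lvm script has activated it.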