From: Michael Mol
To: gentoo-user@lists.gentoo.org
Date: Tue, 13 Mar 2012 12:26:40 -0400
Subject: Re: [gentoo-user] hard drive encryption
In-Reply-To: <4F5F71C3.6070206@binarywings.net>
References: <4F5CC6F5.6020303@gmail.com> <4F5CEF0D.5050801@binarywings.net> <4F5F35C1.8070301@gmail.com> <4F5F71C3.6070206@binarywings.net>
List-Id: Gentoo Linux mail
Content-Type: text/plain; charset=UTF-8
On Tue, Mar 13, 2012 at 12:11 PM, Florian Philipp wrote:
> On 13.03.2012 12:55, Valmor de Almeida wrote:
>> On 03/11/2012 02:29 PM, Florian Philipp wrote:
>>> On 11.03.2012 16:38, Valmor de Almeida wrote:
>>>>
>>>> Hello,
>>>>
>>>> I have not looked at encryption before and find myself in a situation
>>>> that I have to encrypt my hard drive. I keep /, /boot, and swap outside
>>>> LVM, everything else is under LVM. I think all I need to do is to
>>>> encrypt /home which is under LVM. I use reiserfs.
>>>>
>>>> I would appreciate suggestions and pointers on what is practical and
>>>> simple in order to accomplish this task with a minimum of downtime.
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> Valmor
>>>>
>>>
>>> Is it acceptable for you to have a commandline prompt for the password
>>> when booting? In that case you can use LUKS with the /etc/init.d/dmcrypt
>>
>> I think so.
>>
>>> init script. /etc/conf.d/dmcrypt should contain some examples. As you
>>> want to encrypt an LVM volume, the lvm init script needs to be started
>>> before this. As I see it, there is no strict dependency between those
>>> two scripts. You can add this by adding this line to /etc/rc.conf:
>>> rc_dmcrypt_after="lvm"
>>>
>>> For creating a LUKS-encrypted volume, look at
>>> http://en.gentoo-wiki.com/wiki/DM-Crypt
>>
>> Currently looking at this.
>>
>>> You won't need most of what is written there; just section 9,
>>> "Administering LUKS" and the kernel config in section 2, "Assumptions".
>>>
>>> Concerning downtime, I'm not aware of any solution that avoids copying
>>> the data over to the new volume. If downtime is absolutely critical, ask
>>> and we can work something out that minimizes the time.
>>>
>>> Regards,
>>> Florian Philipp
>>>
>>
>> Since I am planning to encrypt only home/ under LVM control, what kind
>> of overhead should I expect?
>>
>> Thanks,
>>
>
> What do you mean by overhead? CPU utilization? In that case the
> overhead is minimal, especially when you run a 64-bit kernel with the
> optimized AES kernel module.

Rough guess: Latency. With encryption, you can't DMA disk data directly
into a process's address space, because you need the decrypt hop.

Try running bonnie++ on encrypted vs non-encrypted volumes. (Or not; I
doubt you have the time and materials to do a good, meaningful set of
time trials)

--
:wq
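The procedure Florian sketches (LUKS on the LVM volume, unlocked at boot by the dmcrypt init script, with lvm ordered before it) and Michael's suggestion of timing the encrypted mapping against the plain one, pulled together as an added example script. This is not code from the thread or from Gentoo; the volume name /dev/vg/home, the mapping name "home" and the staging directory are assumptions, and the timing uses dd with O_DIRECT as a simpler stand-in for the bonnie++ run the post proposes. Reading the raw LV after luksFormat returns ciphertext with no decryption, so the difference between the two numbers isolates the decrypt hop in the block I/O path.

```shell
#!/bin/sh
# Added example, not from the thread or from Gentoo. Migrate an LVM logical
# volume to LUKS, register it with Gentoo's dmcrypt init script, and compare
# sequential read throughput of the raw LV against the dm-crypt mapping.
# Device names and paths are assumptions; adjust them. encrypt_lv,
# enable_boot_unlock and benchmark need root, and luksFormat destroys the
# data on the LV, so copy the data out first (step 1 in encrypt_lv).

LV=/dev/vg/home          # assumed logical volume holding /home
NAME=home                # dm-crypt mapping name -> /dev/mapper/home
MNT=/home
STAGING=/mnt/home-copy   # assumed location of the copied-out data

# Emit the /etc/conf.d/dmcrypt stanza for a passphrase-unlocked volume
# (a target= line followed by its source=, as the dmcrypt script expects).
dmcrypt_conf_stanza() {
    printf 'target=%s\nsource=%s\n' "$1" "$2"
}

# Percentage slowdown of the encrypted reading rate relative to the raw one
# (both in MB/s), printed with one decimal.
overhead_pct() {
    awk -v raw="$1" -v enc="$2" 'BEGIN { printf "%.1f", (raw - enc) * 100 / raw }'
}

# Sequential read throughput of a block device in MB/s. O_DIRECT bypasses the
# page cache so a warm cache cannot hide the decrypt hop. Reads $2 MiB
# (default 256) from the start of the device.
read_mb_s() {
    dev=$1; mb=${2:-256}
    start=$(date +%s.%N)
    dd if="$dev" of=/dev/null bs=1M count="$mb" iflag=direct 2>/dev/null
    end=$(date +%s.%N)
    awk -v mb="$mb" -v s="$start" -v e="$end" 'BEGIN { printf "%.1f", mb / (e - s) }'
}

encrypt_lv() {
    # 1. copy the data out and unmount:
    #    rsync -aAXH "$MNT/" "$STAGING/" && umount "$MNT"
    # 2. write a LUKS header onto the LV and open it under $NAME.
    cryptsetup luksFormat "$LV"
    cryptsetup luksOpen "$LV" "$NAME"
    # Keep an offline copy of the header: a damaged header with no backup
    # makes the whole volume unrecoverable.
    cryptsetup luksHeaderBackup "$LV" --header-backup-file "/root/luks-$NAME.img"
    mkfs.reiserfs "/dev/mapper/$NAME"
    mount "/dev/mapper/$NAME" "$MNT"
    # 3. copy the data back:
    #    rsync -aAXH "$STAGING/" "$MNT/"
    # 4. point the /home line in /etc/fstab at /dev/mapper/$NAME, not $LV.
}

enable_boot_unlock() {
    dmcrypt_conf_stanza "$NAME" "$LV" >> /etc/conf.d/dmcrypt
    # lvm must have activated the LV before dmcrypt prompts for the passphrase
    grep -q '^rc_dmcrypt_after=' /etc/rc.conf \
        || echo 'rc_dmcrypt_after="lvm"' >> /etc/rc.conf
    rc-update add dmcrypt boot
}

benchmark() {
    raw=$(read_mb_s "$LV")                  # ciphertext, no decrypt
    enc=$(read_mb_s "/dev/mapper/$NAME")    # same bytes through dm-crypt
    echo "raw LV: ${raw} MB/s  dm-crypt: ${enc} MB/s  overhead: $(overhead_pct "$raw" "$enc")%"
}

# Usage: sh luks-home.sh encrypt | enable | bench (no argument does nothing)
case "${1:-}" in
    encrypt) encrypt_lv ;;
    enable)  enable_boot_unlock ;;
    bench)   benchmark ;;
esac
```

The benchmark reads only the first few hundred MiB, so run it a few times and on a quiet system; a single pass says nothing about the random-access latency that bonnie++'s seek test would expose.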