From: Victor Ivanov <vic.m.ivanov@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
Date: Sat, 6 Jun 2020 14:31:37 +0100
References: <12F6F6AC-B646-4638-8349-BD5B9DB51B5E@antarean.org>

On 06/06/2020 12:05, Rich Freeman wrote:
> Usually you want the encryption as close to the disk as possible
> because if somebody gets your disk it gives them less to work with.
> They don't know that you have a logical volume called "home" on it,
> and so on.

I concur with Rich on this. One of the key considerations for encryption is how much of it you want encrypted and what metadata you are willing to have publicly visible. As an extreme example, you can think of the simplest form of encryption - on a per file basis.
Contents are encrypted, but things like file name and size, creation and modification timestamps, and the filesystem directory tree are all available to an imaginary adversary. One can further deduce information about the file by its extension, and use all of that to come up with a good attack strategy for decryption. In other cases, contents may be irrelevant to an adversary, as they can already infer a lot about a person - if that's what they are interested in - from directory listings etc., depending on what they are looking for. Filesystem-based support for encryption will inevitably leak some metadata.

On the other extreme you have block-level encryption which hides all contents, including filesystem information, for a given block device. With multiple physical partitions, however, this too can leak a degree of information. For example, it would be reasonable to assume that the largest partition is a person's "storage" partition. So attempts can be targeted at that block device, ignoring all other ones. It's also cumbersome to manage as unlocking multiple block devices would require multiple password entries unless a common key file is used.

Michael mentioned CryFS which is kind of in the middle. It's an "overlay" filesystem; anything within a CryFS volume is encrypted into fixed-size (e.g. 64KB) block files. This includes file names and all file metadata, directory structure, etc., and all encrypted content can be interleaved across different blocks. However, depending on the size of the average files you have, it can have a significant overhead where the contents of the encrypted CryFS volume can be considerably larger than the actual contents of your encrypted data. This can be addressed, to a degree, by playing with the block size. A smaller block size will reduce overhead but will increase the number of block-sized encrypted files on the actual filesystem, which can eat up a lot of inodes.
The downside is, the block size cannot be changed once a CryFS volume is created, and neither can the password. These require creating a new CryFS volume and migrating your files. As such, my personal view on the matter is that CryFS is usually good for small volumes and is indeed very good for securing content on cloud services like Dropbox that do not normally encrypt your data.

Personally, I have been using LUKS and LVM for many years. On OS-bearing drives I would have a non-encrypted /boot partition for the kernel and initrd whilst the remainder of the drive would be a LUKS encrypted block device - two partitions in total (3 for a GPT system). Within the latter, I would create LVM partitions as I desire (including OS root). LUKS has 8 slots that can hold up to 8 passwords or key files (or any combination of both) at a time. This setup is pretty much zero-leak. For an external drive I would use LUKS across the whole drive.

Note in the former case the /boot partition is still vulnerable and a compromised kernel image could lead to a leaked LUKS password once the LUKS block device is opened. Signing the kernel and its modules is one possible solution.

At the end of the day, which method you choose is based on balancing trade-offs and likelihoods of an attack. That said, virtually all modern processors in the last 10 years or so have native hardware extensions for accelerating common encryption algorithms such as AES. As such, having full-disk encryption has very little performance overhead on read/write speeds. You can use "cryptsetup benchmark" to see upper bound estimates of read/write speeds. The values shown are in-memory estimates and are thus CPU/memory bottlenecked. For example, on one of my systems with a mobile i7 CPU, AES with a 512-bit key (maximum supported by LUKS with AES) shows about 2,000MB/s for both read/write. This is more than enough to saturate a SATA3 drive's 6Gb/s best-case data rate as well as a lot of current generation consumer grade NVMe drives.
In summary (and final remarks):

* Performance overhead these days is largely irrelevant for common use cases
* Use case (e.g. cloud storage or local drives) and what is left behind unencrypted is a key consideration when choosing a method.
* Generally, block-level encryption is preferable to filesystem encryption
* LUKS is Linux-specific. If cross-platform compatibility is required this won't be a good choice. Then again, so is LVM.
* TrueCrypt is obsolete - do not use this if you can avoid it
* VeraCrypt (its successor) is cross platform. Probably a good choice for block-level encryption between different OS [I haven't personally tried this].

Hope this helps.

- Victor