public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Kernel encryption options and veracrypt
@ 2020-03-25 13:17 Dale
  2020-03-31  8:23 ` Adam Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Dale @ 2020-03-25 13:17 UTC
  To: gentoo-user

Howdy,

As some know from another thread, I installed and started using
veracrypt.  It has the option to use the kernel encryption tools but
they are not enabled on my kernel, just the default stuff.  I found what
I think to be the ones veracrypt wants to use but was curious if I
should enable some others that are commonly used.  For all I know, it
may make my web browsers faster or something else I'm not aware of.  I
may one day encrypt my /home or something too.  I'm not even sure what
tools that would require but I've thought about it.  As I mentioned, I
enabled the ones with AES in the name. That seems to be what veracrypt
uses.  What are some others that are commonly used that I should
enable?  Maybe something other software would run faster with if the
kernel was dealing with it instead of software code. 

I don't want to list all the options because there is a LOT of them.  I
figure someone already knows the most common ones and can share what
they have.  Even a zcat of a running config showing encryption modules
will be fine.  Anything that would help me find them.

Thanks much.

Dale

:-)  :-) 



* Re: [gentoo-user] Kernel encryption options and veracrypt
From: Adam Carter @ 2020-03-31  8:23 UTC
  To: gentoo-user


On Thu, Mar 26, 2020 at 12:17 AM Dale <rdalek1967@gmail.com> wrote:

> Howdy,
>
> As some know from another thread, I installed and started using
> veracrypt.  It has the option to use the kernel encryption tools but
> they are not enabled on my kernel, just the default stuff.  I found what
> I think to be the ones veracrypt wants to use but was curious if I
> should enable some others that are commonly used.
>

I've wondered about what uses kernel crypto stuff too.

I assumed userspace stuff would use openssl or similar, but looking at the
ebuild for veracrypt, it doesn't use openssl etc but does want CONFIG_CRYPTO
from the kernel so I guess it just depends on how the software is written.

From the veracrypt-1.24_p4.ebuild;
local CONFIG_CHECK="~BLK_DEV_DM ~CRYPTO ~CRYPTO_XTS ~DM_CRYPT ~FUSE_FS"

But if we look at iwd-1.5.ebuild there's logic like;
        if use cpu_flags_x86_ssse3 && use amd64; then
                CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_SHA1_SSSE3 ~CRYPTO_SHA256_SSSE3 ~CRYPTO_SHA512_SSSE3"
                WARNING_CRYPTO_SHA1_SSSE3="CRYPTO_SHA1_SSSE3: enable for increased performance"
                WARNING_CRYPTO_SHA256_SSSE3="CRYPTO_SHA256_SSSE3: enable for increased performance"
                WARNING_CRYPTO_SHA512_SSSE3="CRYPTO_SHA512_SSSE3: enable for increased performance"

So if you assume the veracrypt ebuild authors are as diligent as the iwd
ebuild authors, I'd say there's no advantage in enabling anything more than
~BLK_DEV_DM ~CRYPTO ~CRYPTO_XTS ~DM_CRYPT ~FUSE_FS for veracrypt.
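
Added example, not part of the original messages and not code from the veracrypt ebuild or Gentoo's eclasses: a shell check of the five options quoted above from veracrypt-1.24_p4.ebuild against a kernel config, reporting the ones that are neither =y nor =m. The helper names (read_config, missing_opts, write_sample_config) and the sample config are constructed for illustration; with no file argument it reads /proc/config.gz, which exists only on kernels built with CONFIG_IKCONFIG_PROC.

```sh
#!/bin/sh
# Added example (not from the thread): list which options of an ebuild-style
# CONFIG_CHECK string are not enabled (=y or =m) in a kernel config.

# The list quoted in the thread from veracrypt-1.24_p4.ebuild.
VERACRYPT_CHECK="~BLK_DEV_DM ~CRYPTO ~CRYPTO_XTS ~DM_CRYPT ~FUSE_FS"

# Print a kernel config: the given file (plain or .gz), or the running
# kernel's /proc/config.gz when no file is given.
read_config() {
    file=${1:-/proc/config.gz}
    case "$file" in
        *.gz) zcat "$file" ;;
        *)    cat "$file" ;;
    esac
}

# missing_opts "<CONFIG_CHECK string>" [config-file]
# Prints each option that is neither built in (=y) nor a module (=m).
# A leading "~" (non-fatal check in ebuild syntax) is stripped first.
missing_opts() {
    cfg=$(read_config "$2") || return 2
    for opt in $1; do
        name=${opt#\~}
        printf '%s\n' "$cfg" | grep -Eq "^CONFIG_${name}=(y|m)\$" \
            || printf '%s\n' "$name"
    done
}

# Constructed sample config (hypothetical): XTS left disabled on purpose.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_DM_CRYPT=m
CONFIG_FUSE_FS=y
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "missing in sample: $(missing_opts "$VERACRYPT_CHECK" "$sample")"
rm -f "$sample"
```

To check the running kernel instead of the sample, call `missing_opts "$VERACRYPT_CHECK"` with no file argument.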


* Re: [gentoo-user] Kernel encryption options and veracrypt
From: Dale @ 2020-03-31  9:46 UTC
  To: gentoo-user


Adam Carter wrote:
> On Thu, Mar 26, 2020 at 12:17 AM Dale <rdalek1967@gmail.com> wrote:
>
>     Howdy,
>
>     As some know from another thread, I installed and started using
>     veracrypt.  It has the option to use the kernel encryption tools but
>     they are not enabled on my kernel, just the default stuff.  I found what
>     I think to be the ones veracrypt wants to use but was curious if I
>     should enable some others that are commonly used.
>
>
> I've wondered about what uses kernel crypto stuff too.
>
> I assumed userspace stuff would use openssl or similar, but looking at
> the ebuild for veracrypt, it doesn't use openssl etc but does want
> CONFIG_CRYPTO from the kernel so I guess it just depends on how the
> software is written.
>
> From the veracrypt-1.24_p4.ebuild;
> local CONFIG_CHECK="~BLK_DEV_DM ~CRYPTO ~CRYPTO_XTS ~DM_CRYPT ~FUSE_FS"
>
> But if we look at iwd-1.5.ebuild there's logic like;
>         if use cpu_flags_x86_ssse3 && use amd64; then
>                 CONFIG_CHECK="${CONFIG_CHECK} ~CRYPTO_SHA1_SSSE3 ~CRYPTO_SHA256_SSSE3 ~CRYPTO_SHA512_SSSE3"
>                 WARNING_CRYPTO_SHA1_SSSE3="CRYPTO_SHA1_SSSE3: enable for increased performance"
>                 WARNING_CRYPTO_SHA256_SSSE3="CRYPTO_SHA256_SSSE3: enable for increased performance"
>                 WARNING_CRYPTO_SHA512_SSSE3="CRYPTO_SHA512_SSSE3: enable for increased performance"
>
> So if you assume the veracrypt ebuild authors are as diligent as the
> iwd ebuild authors, I'd say there's no advantage in enabling anything
> more than ~BLK_DEV_DM ~CRYPTO ~CRYPTO_XTS ~DM_CRYPT ~FUSE_FS for
> veracrypt.
>
>

I ended up googling and finding what several encryption programs use for
encryption and enabling all of them.  It was quite a few but if I decide
later to encrypt my /home, I think I have all that enabled plus what
veracrypt needs as well.  I haven't rebooted yet tho.  It's on my todo
list.  I'll get to see then if I got everything or not.  If not, I'll
rinse and repeat. 

Thanks for the info.

Dale

:-)  :-)
