[Novalug] Opinions on whole Disk encryption (for Linux)

Joel Fouse joel at fouse.net
Fri Feb 1 12:14:52 EST 2008 

David,

Given that you've already increased your cpu/memory, you shouldn't see
any performace hit at all.  There are several options for achieving
whole disk encryption, and various proponents of each.  You need to
decide what exactly you're trying to accomplish, and what's available to
meet that need.

First of all you'll need to decide just what you mean by "whole-disk" --
do you really mean the whole thing, or just the important parts?  For
example, I use loop-AES.  On one system I have three main partitions
(plus swap): one for /boot, one for the root (/), and one for holding
encrypted stuff (/efs, because I'm creative like that).  Things
like /home, /root, /etc and so on are symlinks to folders under /efs, so
effectively /efs holds "personal" and "sensitive" stuff, whatever that
happens to be.  Also, for better or worse, things like /bin and /usr are
NOT encrypted, nor is /boot.

The ability to deal with the encryption is something the kernel has to
know.  Whatever loads the kernel won't have a clue.  Thus, your /boot
partiiton itself has to be unencrypted.  This either means having an
unencrypted partition on your drive, or booting off a USB key or some
such.

If everything except /boot is encrypted (safer than the setup I
mentioned above, and probably how I'll go on my next build-out), /boot
must contain unencrypted copies of a few utilities (like gpg) that the
kernel needs in order to mount the encrypted areas, at least w/ loop-AES
(not sure about other solutions).

dm-crypt/LUKS is another popular solution out there, popular mostly
because (I've heard) it's included in the mainline kernel and is easier
to set up and maintain than loop-AES, but occasionally you'll come
across some boundary case "threat" that loop-AES protects against that
dm-crypt/LUKS doesn't.  I started w/ loop-AES before dm-crypt/LUKS grew
up to provide viable protection, and I've stuck with it because I
already have my head wrapped around it.  It's not difficult, but it's a
command-line setup while reading a big README file rather than a pretty
point-and-click.  Then again, I run Gentoo so maybe it just fits my
mindset. ;)

Either solution is perfectly free and probably perfectly sufficient for
your needs, so no fear of paying anything besides your time.  If you
have further questions about loop-AES I'd be happy to help;
unfortunately what I knew about dm-crypt/LUKS from research leaked away
long ago...

- Joel


On Fri, 2008-02-01 at 11:45 -0500, David A.Cafaro wrote:

> Ok, I wanted to solicit any experience/opinions on whole disk  
> encryption.
> 
> I will be implementing some form of whole disk encryption on a new  
> server being setup.  I've already double the hardware (cpu/memory) to  
> help deal with the extra load that will be generated.
> 
> The idea is that on boot the system will start the encryption/ 
> decryption process.  When shutdown, the server will stop the  
> process.   This way if for some reason the server is stolen (or a HD  
> fails and must be sent off for repairs/replacement) there is no fear  
> of the data being exposed.
> 
> I've started looking at loop-AES, but was curious if anyone else has  
> any experience with other solutions or this solution.
> 
> OpenSource/Free is preferred, and something that doesn't involve  
> messing with the kernel besides loading modules is required.  Ideally  
> it would be built in to my distribution already and just require  
> setup/tweaking.  The OS will be RHEL5.
> 
> Thanks,
> David
> 
> 
> 
> David A. Cafaro <dac at cafaro.net>
> Cafaro's Ramblings:  www.cafaro.net
> 
> 
> 
> _______________________________________________
> Novalug mailing list
> Novalug at calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://calypso.tux.org/pipermail/novalug/attachments/20080201/1877e814/attachment.html

More information about the Novalug mailing list