[Novalug] Opinions on whole Disk encryption (for Linux)

David A. Cafaro dac at cafaro.net
Mon Feb 4 14:35:59 EST 2008


Thanks for the information.  I've started looking into dm-crypt as it  
seems to be mature now and it's now part of the main kernel (as of  
2.6.4+).

I plan on doing a write-up of what I implement to share, should be  
interesting.

Cheers,
David

On Feb 1, 2008, at 12:14 PM, Joel Fouse wrote:

> David,
>
> Given that you've already increased your cpu/memory, you shouldn't
> see any performance hit at all.  There are several options for
> achieving whole disk encryption, and various proponents of each.
> You need to decide what exactly you're trying to accomplish, and
> what's available to meet that need.
>
> First of all you'll need to decide just what you mean by "whole-disk"
> -- do you really mean the whole thing, or just the important
> parts?  For example, I use loop-AES.  On one system I have three  
> main partitions (plus swap): one for /boot, one for the root (/),  
> and one for holding encrypted stuff (/efs, because I'm creative  
> like that).  Things like /home, /root, /etc and so on are symlinks  
> to folders under /efs, so effectively /efs holds "personal" and  
> "sensitive" stuff, whatever that happens to be.  Also, for better  
> or worse, things like /bin and /usr are NOT encrypted, nor is /boot.
>
> The ability to deal with the encryption is something the kernel has  
> to know.  Whatever loads the kernel won't have a clue.  Thus, your
> /boot partition itself has to be unencrypted.  This either means
> having an unencrypted partition on your drive, or booting off a USB  
> key or some such.
>
> If everything except /boot is encrypted (safer than the setup I  
> mentioned above, and probably how I'll go on my next build-out),
> /boot must contain unencrypted copies of a few utilities (like gpg)
> that the kernel needs in order to mount the encrypted areas, at  
> least w/ loop-AES (not sure about other solutions).
>
> dm-crypt/LUKS is another popular solution out there, popular mostly  
> because (I've heard) it's included in the mainline kernel and is  
> easier to set up and maintain than loop-AES, but occasionally  
> you'll come across some boundary case "threat" that loop-AES  
> protects against that dm-crypt/LUKS doesn't.  I started w/ loop-AES  
> before dm-crypt/LUKS grew up to provide viable protection, and I've  
> stuck with it because I already have my head wrapped around it.   
> It's not difficult, but it's a command-line setup while reading a  
> big README file rather than a pretty point-and-click.  Then again,  
> I run Gentoo so maybe it just fits my mindset. ;)
>
> Either solution is perfectly free and probably perfectly sufficient  
> for your needs, so no fear of paying anything besides your time.   
> If you have further questions about loop-AES I'd be happy to help;  
> unfortunately what I knew about dm-crypt/LUKS from research leaked  
> away long ago...
>
> - Joel
>
>
> On Fri, 2008-02-01 at 11:45 -0500, David A.Cafaro wrote:
>>
>> Ok, I wanted to solicit any experience/opinions on whole disk
>> encryption. I will be implementing some form of whole disk
>> encryption on a new server being setup. I've already doubled the
>> hardware (cpu/memory) to help deal with the extra load that will
>> be generated. The idea is that on boot the system will start the
>> encryption/decryption process. When shutdown, the server will
>> stop the process. This way if for some reason the server is stolen
>> (or a HD fails and must be sent off for repairs/replacement) there
>> is no fear of the data being exposed. I've started looking at
>> loop-AES, but was curious if anyone else has any experience with other
>> solutions or this solution. OpenSource/Free is preferred, and
>> something that doesn't involve messing with the kernel besides
>> loading modules is required. Ideally it would be built in to my
>> distribution already and just require setup/tweaking. The OS will
>> be RHEL5.
>>
>> Thanks,
>> David
>>
>> David A. Cafaro <dac at cafaro.net>
>> Cafaro's Ramblings: www.cafaro.net
>> _______________________________________________
>> Novalug mailing list
>> Novalug at calypso.tux.org
>> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug

David A. Cafaro <dac at cafaro.net>
Cafaro's Ramblings:  www.cafaro.net
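A coverage check for the layout Joel describes above (/boot left in the clear, everything else on a dm-crypt mapping), written as an added example that is not part of this thread or of any dm-crypt or loop-AES tooling. It parses the two files a dm-crypt/LUKS install keeps, /etc/crypttab (mapping name, backing device, key file, options) and /etc/fstab, and lists every mount point that is not backed by a crypttab mapping, so a stray clear-text data partition shows up as a gap. The file formats are the real ones; the sample file contents, device names and mapping names are constructed for the example, and which mount points count as "expected clear" is an assumption you would set per host.

```python
"""Audit which fstab mount points actually sit on a dm-crypt mapping.

Added example (not from the Novalug thread). The sample /etc/crypttab
and /etc/fstab contents below are constructed to match the layout
discussed in the thread: /boot unencrypted, everything else encrypted,
plus one extra partition that was forgotten.
"""

# Constructed sample of /etc/crypttab: <name> <device> <keyfile> <options>
SAMPLE_CRYPTTAB = """\
# name       device      keyfile       options
cryptroot    /dev/sda2   none          luks
cryptswap    /dev/sda3   /dev/urandom  swap,cipher=aes-cbc-essiv:sha256
"""

# Constructed sample of /etc/fstab: <device> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_FSTAB = """\
/dev/sda1               /boot   ext3  defaults  1 2
/dev/mapper/cryptroot   /       ext3  defaults  1 1
/dev/mapper/cryptswap   swap    swap  defaults  0 0
/dev/sda4               /data   ext3  defaults  1 2
proc                    /proc   proc  defaults  0 0
"""

# Assumption: mount points that are unencrypted by design. The bootloader
# has to read the kernel and initrd before any dm-crypt mapping exists.
EXPECTED_CLEAR = {"/boot"}

# Pseudo-filesystems with no backing block device at all.
PSEUDO_FS = {"proc", "sysfs", "tmpfs", "devpts", "debugfs"}


def parse_crypttab(text):
    """Return {mapping_name: backing_device} from crypttab text."""
    mappings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        mappings[fields[0]] = fields[1]
    return mappings


def parse_fstab(text):
    """Return [(device, mountpoint, fstype)] from fstab text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def unencrypted_mounts(fstab_text, crypttab_text):
    """Return sorted (mountpoint, device, expected) for every mount whose
    device is not a crypttab-backed /dev/mapper/ entry; expected is True
    when the clear-text mount is by design (see EXPECTED_CLEAR)."""
    mappings = parse_crypttab(crypttab_text)
    clear = []
    for device, mountpoint, fstype in parse_fstab(fstab_text):
        if fstype in PSEUDO_FS:
            continue
        if device.startswith("/dev/mapper/"):
            name = device[len("/dev/mapper/"):]
            if name in mappings:
                continue  # backed by a crypttab entry: encrypted
        # Anything else (raw partition, or a mapper name crypttab does
        # not know about) is treated as clear text.
        clear.append((mountpoint, device, mountpoint in EXPECTED_CLEAR))
    return sorted(clear)


def coverage_gaps(fstab_text, crypttab_text):
    """Mount points in the clear that are NOT on the expected list."""
    return [mp for mp, _dev, expected in unencrypted_mounts(fstab_text, crypttab_text)
            if not expected]


if __name__ == "__main__":
    for mountpoint, device, expected in unencrypted_mounts(SAMPLE_FSTAB, SAMPLE_CRYPTTAB):
        status = "expected" if expected else "GAP"
        print(f"{status:8} {mountpoint:10} on {device}")
```

On the constructed input the script reports /boot as expected and /data as a gap; a mapper device that fstab references but crypttab does not define is also treated as a gap, since nothing on record says what it is backed by.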
