[NCLUG] Encrypted Filesystems?

Bob Proulx bob at proulx.com
Mon Apr 16 09:29:46 MDT 2007


Sean Reifschneider wrote:
> Bob Proulx wrote:
> >moderately powered laptop and that for the most part it is not
> >noticeable to the user.

Someone else commented offlist that AES 128 bit encryption should be
sufficient for most needs and used less cpu time in the bonnie++
benchmark.  Less cpu means more battery.  So if someone is optimizing
for battery life over performance then using the 128 bits might be a
good tradeoff.  Especially if the alternative is no encryption.

> All of us at tummy.com have been running encrypted home file-systems for
> most of the last year, and I can confirm that it is largely not noticeable
> to the user.  I think in the last 6 months I've even noticed the
> performance overhead probably not even a half dozen times.

That is good to hear.

> For backups, I back run rsyncs from our machines to a storage machine at
> home.  Which stores the backup data on an encrypted file-system.  So, the
> laptops are covered in case of loss, and the backup server is covered in
> case someone takes it from our house.  The home storage server backs up
> periodically at a slow rate to a server at our facility, also on an
> encrypted file-system.

All good ideas.

> I encrypt all of /home, and move some stuff like the locate database,
> Postgres databases, over to /home to keep that data encrypted.  I avoided
> doing /root encrypted because it requires the initrd to be modified to
> include the crypto stuff, which seems like a pain over the long term.

Since I was using the installer and it had built in support for
setting this up all of that pain was hidden from me.  It just worked.

I did verify that I could use a Knoppix live cd to mount the encrypted
filesystem.  It was a little bit of a pain but it worked.  Just as
hints to the group here is my memory of the process.

  cryptsetup luksOpen /dev/hda5 vg0  # Activate the encrypted partition.
  vgchange -a y                      # Activate LVM.
  mount /dev/vg0/root /mnt/hda5
  chroot /mnt/hda5 /bin/bash
  mount /boot

And then things were set up for doing system recovery if needed.
Since that worked I feel more confident in using this configuration.

Thanks for all of the discussion and ideas.
Bob
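
[Added example, not part of the original message or the installer's own tooling: the recovery sequence above as a script that also checks for a LUKS header, bind-mounts /dev, /proc and /sys for the chroot, and tears everything down in reverse order so the decrypted mapping is not left open. The device, mapping name, volume group and mount point default to the ones in the message; the function names, DRY_RUN and the open/close arguments are assumptions of this example.]

```shell
#!/bin/sh
# Added example. Run as root from the live CD: "sh recover.sh open", do the
# repair inside "chroot $MNT /bin/bash", then "sh recover.sh close".
DEV=${DEV:-/dev/hda5}   # LUKS partition (from the message)
MAP=${MAP:-vg0}         # device-mapper name passed to luksOpen
VG=${VG:-vg0}           # LVM volume group inside the LUKS container
MNT=${MNT:-/mnt/hda5}   # mount point for the root logical volume

# Echo each command; execute it unless DRY_RUN is set (assumed variable).
run() {
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Unlock, activate LVM, mount root, and prepare the chroot. The && chain
# stops at the first failure, e.g. when $DEV carries no LUKS header.
do_open() {
    run cryptsetup isLuks "$DEV" &&
    run cryptsetup luksOpen "$DEV" "$MAP" &&
    run vgchange -a y "$VG" &&
    run mkdir -p "$MNT" &&
    run mount "/dev/$VG/root" "$MNT" &&
    run mount --bind /dev "$MNT/dev" &&
    run mount --bind /proc "$MNT/proc" &&
    run mount --bind /sys "$MNT/sys" &&
    run chroot "$MNT" mount /boot
}

# Unwind in reverse. Deactivating the volume group and closing the mapping
# removes the plaintext view of the disk from the live system.
do_close() {
    run chroot "$MNT" umount /boot
    run umount "$MNT/sys"
    run umount "$MNT/proc"
    run umount "$MNT/dev"
    run umount "$MNT" &&
    run vgchange -a n "$VG" &&
    run cryptsetup luksClose "$MAP"
}

case "${1:-}" in
    open)  do_open && echo "ready: chroot $MNT /bin/bash" ;;
    close) do_close ;;
esac
```

Setting DRY_RUN=1 prints the commands without touching the disk, which is a quick way to review the sequence before running it for real.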


