Jochen Schulz wrote: > Jochen Schulz: > >> Tigran Varosyan: >> >>> I have read the Linux has software available that can encrypt the OS and the >>> file system to a degree that even with physical access to the HD, the data >>> cannot be extracted. I was told that this slows the systems down quite a bit >>> but that is it very functional. This sounds like interesting technology and >>> I would like to experiment with it. >> I didn't try it myself, but I think the most popular solution is >> dmcrypt, which allows you to encrypt everything, even your root and swap >> partition. > To be precise, the package you are probably looking for is cryptsetup, > which is a set of scripts which make it easy to set up dm-crypt.
My home desktop system has almost all encrypted filesystems (/, /home, swap, and an external usb drive); the only unencrypted partition is a small /boot partition containing the kernels and initial ramdisks needed to boot the system. I used the cryptsetup package to configure the encrypted disks, mostly following the directions in /usr/share/doc/cryptsetup/CryptoRoot.HowTo. I would not recommend this procedure to someone without at least a year or two of experience administering Debian systems. Additionally, I would suggest becoming familiar with dm-crypt itself, and with the general ideas behind encrypted block devices before proceeding. As for the speed... in all cases, I am using twofish with a 256-bit key, via the dm-crypt system. The slowdown is definitely measurable, but it is not as large as one might expect: > debian:/home/cmr# hdparm -t /dev/hde1 > > /dev/hde1: > Timing buffered disk reads: 174 MB in 3.01 seconds = 57.76 MB/sec > > debian:/home/cmr# hdparm -t /dev/mapper/home > > /dev/mapper/home: > Timing buffered disk reads: 110 MB in 3.06 seconds = 35.91 MB/sec (On my system, /dev/hde is a two-disk hardware RAID 1 of ATA disks (not SATA)) This is something you would probably want to do as part of the initial installation of the system. Because the howto included with cryptsetup is based on installing the base system and then copying it to another partition, you'll need to think carefully about your partitioning. My solution was to set aside a partition that I would later use as swap, and install that as the root filesystem. Then, once I had configured all the encrypted devices and copied the root filesystem over, I wiped the old (unencrypted) root filesystem and designated it as a swap partition. In my experience, yaird worked best for generating the initial ramdisks, and linux-image-2.6.13-1-k8-amd64 was the first Debian kernel that I got working with this setup. It's worked fine for me up through 2.6.16. Another thing to consider carefully is your recovery environment. A lot of folks were hit by a bug in a particular version of yaird that generated kernels that would not boot for many systems; make sure you have a liveCD that will support dm-crypt, any ciphers you choose, and is capable of executing your installed binaries inside a chroot (so you can regenerate the initrd's when they break). It's annoying enough to have to recover a system from a LiveCD; you don't want to be tearing your hair out over encryption at the same time :-) Hope this helps -- best of luck. cmr -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
