On Wed, Apr 08, 2009 at 11:26:20AM -0400, H.S. wrote: > Douglas A. Tutty wrote: > > On Tue, Apr 07, 2009 at 06:17:56PM -0400, H.S. wrote: > >> Douglas A. Tutty wrote: > >>> On Tue, Apr 07, 2009 at 05:46:31PM -0400, H.S. wrote: > >>>> Douglas A. Tutty wrote: > > $ cat /proc/swaps: > > Filename Type Size Used Priority > > /dev/mapper/sda2_crypt partition 979956 0 -1 > > > > $ mount | grep -i /tmp > > /dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal) > > tmpfs on /tmp type tmpfs (rw,size=500m) > > There are a limited number of place where a piece of software can leak > > info: > > > > 1. to /tmp: Its encrypted > > 2. to /var/tmp: Its encrypted > > 3. to somewhere on ~/ I have /home encrypted > > 4. left in swap its encrypted > > 5. in a core dump after a crash: use ulimit (see man bash) to > > limit core dump size to 0 > > > > Of course, the uncrypted data is in memory, so anything that can read > > any memory segment can read your data. > I am curious, what is the performance cost to have your ~/ and /tmp and > /swap encrypted? What kind of machine are you using?
I see no performance cost and I've done this on a PII-233 on old IDE disks and now on a PII-450 with two SCSI disks. Think of it this way: Data has to go out to disk. That takes a lot of time compared to moving data in the memory. It doesn't take that much time to start the encryption process (which can continue while the data is streaming to the disk). I'm sure its more complex than this, but that's the idea. If I want to have the fastest streaming possible, I'll have a non-encrypted partition in a convenient spot, say /var/local/cache but I've found that I haven't had a problem without it. I suppose it may be important if you're doing streaming video or something, but you'd want a separate raid array for that anyway. > Also, since you have to use mount, which requires root privileges, the > above method is not possible for a normal (non-root) user, is it? These partitions are all mounted on boot. I set up the encrypted partitions during the install (Etch). Here's fstab: # /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 #/dev/sda1 / ext3 defaults,data=journal,errors=remount-ro 0 1 LABEL=root / ext3 defaults,data=journal,errors=remount-ro 0 1 /dev/mapper/sdb2_crypt /home ext3 defaults,data=journal 0 2 #/dev/sda3 /usr ext3 defaults,data=journal 0 2 LABEL=usr /usr ext3 defaults,data=journal 0 2 #/dev/sda5 /var ext3 defaults,data=journal 0 2 LABEL=var /var ext3 defaults,data=journal 0 2 /dev/mapper/sda6_crypt /var/local ext3 defaults,data=journal 0 2 /dev/mapper/sdb1_crypt /var/tmp ext3 defaults,data=journal 0 2 /dev/mapper/sda2_crypt none swap sw 0 0 tmpfs /tmp tmpfs size=500m 0 0 /dev/hda /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0 Thus, its totally transparent to the normal user. I have to enter the pass phrases at boot; I've been too lazy to set it up to only require one, so I have to do it three times (one for each encrypted partition) (swap doesn't need a passphrase). LUKS is flexible enough that you could use a USB key if you like. Doug. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
