On Tue, 29 Nov 2011 00:23:10 -0700 Aaron Toponce <aaron.topo...@gmail.com> wrote:
> Because this is a subject near and dear to my heart, I feel the urge to
> chime in.
>
> On Sat, Nov 26, 2011 at 10:45:29AM +0530, J. Bakshi wrote:
> > I am always interested in Full disk encryption for my laptop ( i5 + 3 GB ),
> > but what makes me stop is the thinking of performance lag. Recently I have
> > seen an Ubuntu laptop ( i5 + 4 GB ) with full disk encryption and it is
> > performing normal, haven't found any lag...
>
> I have done extensive benchmarking, and have found that you will have
> different performance results, based on the cipher and key size that you
> choose. ECB (electronic code block) outperforms the other block ciphers,
> but it suffers from a pattern attack [1]. As a result, when using a LUKS
> formatted partition/volume with cryptsetup(8), I usually do the following:
>
>     # dd if=/dev/urandom of=/path/to/device bs=4096
>     # cryptsetup luksFormat -c aes -s 128 /path/to/device
>
> The first step, obviously, is to fill the entire device with pseudorandom
> data, so it is not clear where the encrypted filesystem starts and ends.
> Then, I create the encrypted filesystem in the second step. Those options
> have given me the best performance, with ~1-2% hit on reads, and ~5% hit on
> writes.
>
> 1. http://ae7.st/s/i.pr
>
> > So I am interested to give the FUD a try on my own laptop. How can I
> > proceed ? My laptop is debian wheezy with lots of important data.. so
> > backup is a must.. but what next ? What configuration will give me a better
> > performance , LVM based or simple partition based ? Presently excluding
> > swap I have 3 reiserfs partitions for / ; /home and /movie ... no LVM.
> > Like to hear some feedback from you guys..
>
> LVM will add some additional overhead, but nothing more than ~2% hit for
> writes. Usually, I'll set up my filesystem as follows:
>
>     # dd if=/dev/urandom of=/path/to/device bs=4096
>     # cryptsetup luksFormat -c aes -s 128 /path/to/device
>     # cryptsetup luksOpen /path/to/device crypt-device
>     # pvcreate /dev/mapper/crypt-device
>     # vgcreate data /dev/mapper/crypt-device
>     # lvcreate -l 100%FREE -n crypt-volume data
>     # mkfs.ext4 /dev/data/crypt-volume
>     # mount /dev/data/crypt-volume /mnt
>
> At which point I can start copying data. If the device has already been
> filled with pseudorandom or encrypted data, then there is no point in
> running the dd(1) step.
>
> Hope that helps.
>

Thanks for sharing
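
The ECB pattern problem mentioned in the quoted message can be reproduced with openssl(1). The script below is an added example, not part of the thread: it encrypts 64 KiB of zeros (as found in unused filesystem space) with AES-128 in ECB and in CBC mode and counts the distinct 16-byte ciphertext blocks. The key, IV, sample data and function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: compare how much plaintext structure ECB and CBC leave
# visible in the ciphertext. KEY and IV are constructed sample values.
KEY=000102030405060708090a0b0c0d0e0f
IV=0f0e0d0c0b0a09080706050403020100
SAMPLE_BYTES=65536          # 4096 AES blocks of 16 bytes each

# sample_plaintext: constructed input, all zeros, like never-written
# regions of a freshly created filesystem.
sample_plaintext() {
    head -c "$SAMPLE_BYTES" /dev/zero
}

# distinct_blocks MODE: encrypt the sample with aes-128-MODE and print the
# number of distinct 16-byte ciphertext blocks. od prints 16 bytes per
# line; -v stops it from collapsing repeated lines into "*".
distinct_blocks() {
    mode=$1
    if [ "$mode" = ecb ]; then
        # ECB takes no IV: every block is encrypted independently.
        sample_plaintext | openssl enc -aes-128-ecb -K "$KEY" -nopad
    else
        sample_plaintext | openssl enc "-aes-128-$mode" -K "$KEY" -iv "$IV" -nopad
    fi | od -An -v -tx1 | sort -u | wc -l | tr -d ' '
}

# ECB maps equal plaintext blocks to equal ciphertext blocks, so the whole
# sample collapses to a single repeated value; CBC chains each block into
# the next, so no two ciphertext blocks match.
for m in ecb cbc; do
    printf '%s: %s distinct blocks out of %s\n' \
        "$m" "$(distinct_blocks "$m")" "$((SAMPLE_BYTES / 16))"
done
```

An observer of the raw device needs no key to run the same count, which is why repeated blocks under ECB reveal which regions of the volume hold identical data.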