On Tue, Mar 13, 2012 at 12:11 PM, Florian Philipp <li...@binarywings.net> wrote: > Am 13.03.2012 12:55, schrieb Valmor de Almeida: >> On 03/11/2012 02:29 PM, Florian Philipp wrote: >>> Am 11.03.2012 16:38, schrieb Valmor de Almeida: >>>> >>>> Hello, >>>> >>>> I have not looked at encryption before and find myself in a situation >>>> that I have to encrypt my hard drive. I keep /, /boot, and swap outside >>>> LVM, everything else is under LVM. I think all I need to do is to >>>> encrypt /home which is under LVM. I use reiserfs. >>>> >>>> I would appreciate suggestion and pointers on what it is practical and >>>> simple in order to accomplish this task with a minimum of downtime. >>>> >>>> Thanks, >>>> >>>> -- >>>> Valmor >>>> >>> >>> >>> Is it acceptable for you to have a commandline prompt for the password >>> when booting? In that case you can use LUKS with the /etc/init.d/dmcrypt >> >> I think so. >> >>> init script. /etc/conf.d/dmcrypt should contain some examples. As you >>> want to encrypt an LVM volume, the lvm init script needs to be started >>> before this. As I see it, there is no strict dependency between those >>> two scripts. You can add this by adding this line to /etc/rc.conf: >>> rc_dmcrypt_after="lvm" >>> >>> For creating a LUKS-encrypted volume, look at >>> http://en.gentoo-wiki.com/wiki/DM-Crypt >> >> Currently looking at this. >> >>> >>> You won't need most of what is written there; just section 9, >>> "Administering LUKS" and the kernel config in section 2, "Assumptions". >>> >>> Concerning downtime, I'm not aware of any solution that avoids copying >>> the data over to the new volume. If downtime is absolutely critical, ask >>> and we can work something out that minimizes the time. >>> >>> Regards, >>> Florian Philipp >>> >> >> Since I am planning to encrypt only home/ under LVM control, what kind >> of overhead should I expect? >> >> Thanks, >> > > What do you mean with overhead? CPU utilization? In that case the > overhead is minimal, especially when you run a 64-bit kernel with the > optimized AES kernel module.
Rough guess: Latency. With encryption, you can't DMA disk data directly into a process's address space, because you need the decrypt hop. Try running bonnie++ on encrypted vs non-encrypted volumes. (Or not; I doubt you have the time and materials to do a good, meaningful set of time trials) -- :wq
