Am 13.03.2012 17:26, schrieb Michael Mol: > On Tue, Mar 13, 2012 at 12:11 PM, Florian Philipp <li...@binarywings.net> > wrote: >> Am 13.03.2012 12:55, schrieb Valmor de Almeida: >>> On 03/11/2012 02:29 PM, Florian Philipp wrote: >>>> Am 11.03.2012 16:38, schrieb Valmor de Almeida: >>>>> >>>>> Hello, >>>>> >>>>> I have not looked at encryption before and find myself in a situation >>>>> that I have to encrypt my hard drive. I keep /, /boot, and swap outside >>>>> LVM, everything else is under LVM. I think all I need to do is to >>>>> encrypt /home which is under LVM. I use reiserfs. >>>>> >>>>> I would appreciate suggestion and pointers on what it is practical and >>>>> simple in order to accomplish this task with a minimum of downtime. >>>>> >>>>> Thanks, >>>>> >>>>> -- >>>>> Valmor >>>>> >>>> >>>> >>>> Is it acceptable for you to have a commandline prompt for the password >>>> when booting? In that case you can use LUKS with the /etc/init.d/dmcrypt >>> >>> I think so. >>> >>>> init script. /etc/conf.d/dmcrypt should contain some examples. As you >>>> want to encrypt an LVM volume, the lvm init script needs to be started >>>> before this. As I see it, there is no strict dependency between those >>>> two scripts. You can add this by adding this line to /etc/rc.conf: >>>> rc_dmcrypt_after="lvm" >>>> >>>> For creating a LUKS-encrypted volume, look at >>>> http://en.gentoo-wiki.com/wiki/DM-Crypt >>> >>> Currently looking at this. >>> >>>> >>>> You won't need most of what is written there; just section 9, >>>> "Administering LUKS" and the kernel config in section 2, "Assumptions". >>>> >>>> Concerning downtime, I'm not aware of any solution that avoids copying >>>> the data over to the new volume. If downtime is absolutely critical, ask >>>> and we can work something out that minimizes the time. >>>> >>>> Regards, >>>> Florian Philipp >>>> >>> >>> Since I am planning to encrypt only home/ under LVM control, what kind >>> of overhead should I expect? >>> >>> Thanks, >>> >> >> What do you mean with overhead? CPU utilization? In that case the >> overhead is minimal, especially when you run a 64-bit kernel with the >> optimized AES kernel module. > > Rough guess: Latency. With encryption, you can't DMA disk data > directly into a process's address space, because you need the decrypt > hop. >
Good call. Wouldn't have thought of that. > Try running bonnie++ on encrypted vs non-encrypted volumes. (Or not; I > doubt you have the time and materials to do a good, meaningful set of > time trials) > Yeah, that sounds like something for which you need a very dull winter day. Besides, I've already lost a poorly cooled HDD on a benchmark. Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature