On Wed, Dec 12, 2012 at 09:16:58AM +0100, Florian Philipp wrote:
> >>> * The last thing I'm going to set up is filesystem encryption, at least
> >>> for ~.
> >>> I already know/think that AES would be the best choice due to limited
> >>> CPU
> >>> power, but what else is there to heed besides key size?
> >>
> >> Nothing, you're good. Hash and key chaining method have negligible
> >> impact. If you stick with an x86_32 userspace I suggest at least using
> >> an x64 kernel so you can make use of CRYPTO_AES_X86_64.
> >
> > That's an interesting idea.
> >> [...]
> > I haven't done any comparisons of 32/64 crypto yet, I'm just reading
> > docs on Luks (never used it before).
Well now, I did a few comparisons yesterday. Not much---just permuted a few of the most probable crypto combinations (aes/twofish, cbc/xts, essiv/plain). I created the LUKS container, opened it and gave it a spin with hdparm -t. The result was shocking and outrageous; reported throughput w/o encryption was 75 MB/s, which is your typical 5400 rev laptop HDD. First I was disappointed when I saw what aes-cbc-essiv gave me on 32 bit: a mere 19 and a bit. But on 64 bit, it yielded a whopping 34 MB/s. I had a hunch and booted the 32 bit system with the 64 bit kernel---and throughput stayed high as expected.

So for the sake of simplicity (and to give it a rest after two weeks of ricing to the day), I will use the 32 bit userland with a 64 bit kernel. I will only need to set up some magic (a multilib crossdev gcc and separate build dirs) so I can build both kernels with their separate configs from the same source dir.

> I personally see no reason for encrypting root as there is nothing of
> interest in there.

Hm indeed, the only passwords I have in a plaintext config file are WiFi passwords for wpa and vpnc. For those the symlink solution could be used. Not needing an initrd is a big incentive. :)

> > On a sidenote, While I was cleaning up unread mails in the ML, I just
> > found your interesting frontswap/zcache trick.

I tried that, too, but for now will keep it disabled---simple copying of big files was slowed down to 33 MB/s, obviously b/c the cache is constantly being changed. It's just not suitable for little Atoms.

-- 
Gruß | Greetings | Qapla'
Please do not share anything from, with or about me with any Facebook service.

The duration of a minute is relative.
It depends on the side of the toilet door you are standing on.
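The comparison described in the mail (permute aes/twofish, cbc/xts, essiv/plain; format a LUKS container, open it, time it with hdparm -t, compare against the bare disk) is easy to script so the same run can be repeated under a 32-bit and a 64-bit kernel. The script below is an added example and not code from the original mail or thread. It assumes a scratch block device passed as the second argument (it is wiped), a throwaway key file in KEYFILE, and root privileges for cryptsetup and hdparm; the "essiv" and "plain" of the mail are spelled in cryptsetup's notation as essiv:sha256 and plain64, and the xts-essiv pairs appear only because the mail permuted all combinations. The parsing and arithmetic helpers run without any device, so the benchmark driver is only started when invoked with --run.

```shell
#!/bin/sh
# Added example, not from the original mail: script the LUKS cipher comparison
# (aes/twofish x cbc/xts x essiv/plain), timing each mapping with hdparm -t
# against the unencrypted baseline.
# Assumptions: $2 is a scratch block device that may be wiped, KEYFILE is a
# throwaway key file, and the script runs as root.

KEYFILE=${KEYFILE:-/tmp/luks-bench.key}

# Cipher specs in cryptsetup's cipher-mode-iv notation. "essiv" needs a hash
# (essiv:sha256); "plain64" is the 64-bit sector-number IV.
luks_cipher_specs() {
    for cipher in aes twofish; do
        for mode in cbc xts; do
            for iv in essiv:sha256 plain64; do
                printf '%s-%s-%s\n' "$cipher" "$mode" "$iv"
            done
        done
    done
}

# XTS splits the key in two halves, so a 512-bit key gives AES-256 /
# Twofish-256; CBC takes the bare 256-bit key. Forgetting this is the usual
# way to end up comparing AES-128-XTS with AES-256-CBC.
key_bits_for() {
    case $1 in
        *-xts-*) echo 512 ;;
        *)       echo 256 ;;
    esac
}

# Pull the MB/sec figure out of hdparm -t output read on stdin, e.g.
#  " Timing buffered disk reads: 226 MB in  3.01 seconds =  75.08 MB/sec"
hdparm_mbps() {
    sed -n 's/.*= *\([0-9.][0-9.]*\) MB\/sec.*/\1/p'
}

# Integer percentage by which $2 (encrypted MB/s) trails $1 (baseline MB/s).
slowdown_pct() {
    awk -v base="$1" -v enc="$2" 'BEGIN { printf "%d\n", 100 - enc * 100 / base }'
}

# Format, open, time and close one combination. Destructive: wipes $1.
bench_luks_combo() {
    dev=$1; spec=$2; bits=$3
    cryptsetup --batch-mode luksFormat --cipher "$spec" --key-size "$bits" \
        --key-file "$KEYFILE" "$dev"
    cryptsetup luksOpen --key-file "$KEYFILE" "$dev" luksbench
    hdparm -t /dev/mapper/luksbench | hdparm_mbps
    cryptsetup luksClose luksbench
}

# Run every combination against the device and print a comparison table.
run_benchmark() {
    dev=$1
    [ -f "$KEYFILE" ] || head -c 64 /dev/urandom > "$KEYFILE"
    base=$(hdparm -t "$dev" | hdparm_mbps)
    printf '%-24s %8s  %s\n' "cipher spec" "MB/s" "slower than plain (%)"
    printf '%-24s %8s  %s\n' "none" "$base" "0"
    luks_cipher_specs | while read -r spec; do
        enc=$(bench_luks_combo "$dev" "$spec" "$(key_bits_for "$spec")")
        printf '%-24s %8s  %s\n' "$spec" "$enc" "$(slowdown_pct "$base" "$enc")"
    done
}

# Usage (scratch partition only): KEYFILE=/tmp/k sh luks-bench.sh --run /dev/sdXN
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    run_benchmark "$2"
fi
```

Run it once under each kernel and diff the two tables; with the figures from the mail (75 MB/s bare, 19 MB/s on the 32-bit kernel, 34 MB/s on the 64-bit one) the slowdown column would read 74% and 54% respectively, which is the gap CRYPTO_AES_X86_64 closes.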