Hi David,

Thanks for your reply.

On 28/06/2021 21:36, David Christensen wrote:

Software encryption (dm-crypt, Linux Unified Key System (LUKS), etc.)
for a system drive is typically applied to the swap, root, and/or data
partitions, but the master boot record (partition table and boot
loader), extensible firmware interface (EFI) system partition contents,
and boot partition contents are plaintext and easily modified by an
attacker with physical access.  You will want a CPU with AES-NI or
equivalent to accelerate encryption/decryption (should get 90%+
performance).  Without AES-NI, performance will be fractional.

Thanks. I will check out AES-NI on this CPU.

The simplest way to protect a drive at rest (e.g. powered off) is to get
a self-encrypting drive (SED).  The motherboard firmware prompts for the
passphrase after the power on self test (POST) and before reading the
drive.  Once the SED passphrase is entered, the entire drive appears as
plaintext.  Encryption/decryption is handled by hardware inside the
drive controller, at full performance.

I don't trust SED, after listening to Steve Gibson's analysis of the
state of this feature.

Audio podcast: http://media.GRC.com/sn/SN-689.mp3
Transcript: https://www.grc.com/sn/sn-689.pdf

His findings were sourced, among other things, from the work of security
researchers at Radboud University in the Netherlands, titled:
"Self-Encrypting Deception: Weaknesses in the encryption of
solid-state drives."
https://ieeexplore.ieee.org/abstract/document/8835339

I do not set the 'discard' (trim) option in fstab(5).  If and when I
want to erase unused blocks (such as before taking an image), I use
fstrim(8).

Yes, I use fstrim on a weekly basis via crontab on all my SSD-based
computers. I don't use the discard option in fstab.
Will fstrim work with a Debian-encrypted /home partition? Will fstrim
show trimmed gigabytes, just like on a normal system?
If yes, then that's it, my enquiry is solved.

I would not worry about wearing out a good SSD in a daily driver laptop.
I have been using Intel SSD 520 Series 2.5" SATA in my SOHO laptops,
desktops, and servers for many years; they all work and have available
lifespans in the high 90%'s.

I prefer to preserve SSD life if I can. And with this problem, it's a
matter of properly configuring it ONCE during install, and then reaping
the benefits for years to come. I don't want to throw away a free
performance and longevity boost.

Along with SED, I suggest that you also implement Secure Boot.  This
provides cryptographic signatures and chain of trust for critical files,
such as boot loaders and the kernel, whenever those files are to be
executed (e.g. boot, dynamic loading, etc.).

Thanks, I plan to use that. I already use it on my desktop.

--

With kindest regards, piorunz.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
