James Gregory ja...@james.id.au writes:
> I'm considering using device mapper's crypto support to encrypt the
> entirety of my laptop's drive. This is a fairly permanent thing to do,
> so I'm seeking some experiences with it to help me decide if it's a
> good idea or not.

It works for me, and means that I can do development on my laptop[1]
without needing to worry about the data confidentiality issues that many
of the other staff here face.

> I used it a few years back and found that it didn't play nice with
> XFS, causing frequent lockups, which wasn't really what I was looking
> for.

Well, zero problems on that front: I have this stack, all working
correctly, including suspend to disk[2]:
2 x SATA - MD/RAID10 - dm_crypt - LVM pv - LVM lv(s) - XFS

> It also burned a lot of cycles, making stuff like my frequent grepping
> through source trees and image processing impractical. Now, the target
> machine is much faster (a Thinkpad x61, C2D), but I don't really know
> how C2D crypto performance compares to Pentium M, so it'd be good to
> hear about that too.

Well, that is going to depend on a whole lot of factors...
I run this on a T61p, 2.6GHz Core2 Duo system with 4GB RAM and, as
noted, 2 7200RPM SATA disks in RAID10/f2 setup, so the system is hardly
short on power.
I still find that it is a bit slow during very large writes, in that it
can buffer quite a lot of writing and then slow down some from the
encryption.
OTOH, that is the only time that I really notice any performance cost;
encryption never uses more than 5 to 8 percent of one 800MHz CPU, and
disk reads are acceptable.
That could just be cache effects, though: with 4GB I seldom put memory
pressure on the machine, so I don't really touch the relatively slow
disk that often during normal work.
I also run 'preload', which observes running software and preloads pages
from disk that are likely to be wanted, helping reduce wait times for
code to load.
I see that the CPU range for the X61 are all fairly acceptable, though,
so I would expect reasonable performance. Certainly, this is a world of
difference from the old Pentium-M machines — that CPU line should have
been shot at birth, rather than inflicting their awful performance on
the rest of us.
(Why, yes, I am slightly bitter having used a P4-M CPU for five years,
about how awful it was, since you ask. ;)
Anyway, from experience having a RAID1, or better RAID10/f2, disk
subsystem is probably the biggest contributor to performance: it turns
the laptop from sluggish to pleasant, in my experience, regardless of
the rest of the stack.

> Finally, if I do go ahead with it, what's the easiest way to do it? I
> recall Ubuntu having an alternative installer that could do it for me.
> Is that the best way to go?

I did that initially, which was reasonable, on a RAID1 and AES-CBC,
which was reasonable.
After about nine months I spent a little while poking deeper into the
issue and ended up moving to the RAID10/f2 layout and XTS encryption;
while the advantages are mostly theoretical in the latter case the former
certainly improves I/O responsiveness.
In the latter case I took advantage of the use of LVM to split the
mirror, create a degraded array and encrypt it, then pvmove the data
across to the new stack.

> Any and all insights appreciated. Please CC me, as I'm not subscribed
> to the list.

I strongly advise that you do subscribe, at least while your questions
are answered; certainly, I have little enthusiasm for responding to
off-list questions compared to on-list ones.
Regards,
Daniel
Footnotes:
[1] ...which is pleasant and comfortable.
[2] Technically, right now I don't have the last, but that is because
the PITA graphics card requires non-free drivers. My own damn
fault for compromising on that, I guess.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html