| View previous topic :: View next topic |
| Author |
Message |
Lawless
l33t
Joined: 03 Nov 2003
Posts: 638
Location: Germany
|
 Posted: Sun Dec 17, 2006 12:08 pm Post subject: New system with ro and crypted filesystem |
 |
|
Risking to end as a dup I still want to try to ask these questions 
I'm currently planning a new installation of gentoo where I distribute the system on several partitions instead of one which I had in the past.
I want to put folders such as /usr /lib /bin... on a read only partition which is only mounted as rw when doing an emerge (I read that there are problems making /etc ro?)
I'm still not sure what to use as filesystem on the read only and on the read write partitions.
As I had a problem once with xfs when the machine crashed at the moment of back writing a file from memory to the disk leading to corruption I though of using xfs on the read only partitions while using ext3 or perhaps 4 on the rw ones...
As I have more then one gentoo box - including a small server doing a sync every night - I will share portage on a separate NFS partition so that I only have to sync once to get an up-to-date portage on all systems...
Home directories should be encrypted - but I don't know which encryption to use.
At the moment all my encryption is realized with truecrypt and AES.
Would this be a good choice for a transparent system encryption of home directories? Is there a better solution (and why is it better)?
Perhaps anyone has comments or improvements on my plan?
Would be happy...
_________________
Kernel panic: I have no root and I want to scream |
|
| Back to top |
|
 |
Sten
Tux's lil' helper
Joined: 12 Dec 2006
Posts: 109
Location: Prague, Czechia, European Union
|
| Posted: Sun Dec 17, 2006 1:46 pm Post subject: Re: New system with ro and crypted filesystem |
|
|
| Lawless wrote: | | I want to put folders such as /usr /lib /bin... on a read only partition which is only mounted as rw when doing an emerge (I read that there are problems making /etc ro?) |
There shouldnât be problems making â/etcâ ro. â/varâ and â/tmpâ should be rw.
| Lawless wrote: | I'm still not sure what to use as filesystem on the read only and on the read write partitions.
As I had a problem once with xfs when the machine crashed at the moment of back writing a file from memory to the disk leading to corruption I though of using xfs on the read only partitions while using ext3 or perhaps 4 on the rw ones... |
Use ext2 in sync mode on ro and tmpfs on rw. Copy content of â/varâ from some other location on machine bootup.
If youâd like to use databases or other stuff requiring â/varâ to be saved on shutdown, use reiserfs. xfs is very good, but requires UPS.
| Lawless wrote: | | As I have more then one gentoo box - including a small server doing a sync every night - I will share portage on a separate NFS partition so that I only have to sync once to get an up-to-date portage on all systems... |
Well, this might be a little tricky because portage is in directories â/usr/portageâ and â/var/lib/portageâ. You can fix this by using symlinks to some other location.
| Lawless wrote: | Home directories should be encrypted - but I don't know which encryption to use.
At the moment all my encryption is realized with truecrypt and AES.
Would this be a good choice for a transparent system encryption of home directories? Is there a better solution (and why is it better)? |
Use LUKS or when using external certificate, dm-crypt. Use any algorithm considered safe (eg. AES or twofish, see Wikipedia for more). Do not use cryptoloop because itâs not safe. You can use safe hibernation if you use encrypted swap.
Youâll get better security by using encryption certificate saved on USB dongle and protected by password. By simply removing the dongle and switching your system off youâll make your system unaccessible.
_________________
You don’t understand, I break things like this!
xor rsi,rsi
lodsb
Segmentation fault |
|
| Back to top |
|
|
Lawless
l33t
Joined: 03 Nov 2003
Posts: 638
Location: Germany
|
| Posted: Sun Dec 17, 2006 3:00 pm Post subject: Re: New system with ro and crypted filesystem |
|
|
| Sten wrote: | Use ext2 in sync mode on ro and tmpfs on rw. Copy content of â/varâ from some other location on machine bootup.
|
Hm, copying the stuff at boot with faster tmpfs access vs. faster boot but slower access from disk... don't think I'll need tmpfs.
| Sten wrote: |
xfs is very good, but requires UPS.
|
That's why I thought using it on read-only would be ok...
Never used reiser before - I wanted to try it out when reiser4 is ready but after that long story about Reiser will this ever be happen?
| Sten wrote: |
Well, this might be a little tricky because portage is in directories â/usr/portageâ and â/var/lib/portageâ. You can fix this by using symlinks to some other location.
|
/var/lib/portage only holds the world and config... nothing to share.
You mean /var/cache/edb?
Would be /var/cache/edb/dep enough to share? And the rest of this folder localy?
| Sten wrote: |
Use LUKS or when using external certificate, dm-crypt. Use any algorithm considered safe (eg. AES or twofish, see Wikipedia for more). Do not use cryptoloop because itâs not safe.
|
dm-crypt with LUKS looks good to me.
_________________
Kernel panic: I have no root and I want to scream |
|
| Back to top |
|
|
Lawless
l33t
Joined: 03 Nov 2003
Posts: 638
Location: Germany
|
| Posted: Sun Dec 17, 2006 3:29 pm Post subject: |
|
|
What impact on performance would have a dm-crypted volume with lvm? This would be two complete abstraction layers between the physical and the logical disk. Will this be still usable? Or lets say fast enough to store profiles of applications (browser cache etc), documents, pictures and so on...
_________________
Kernel panic: I have no root and I want to scream |
|
| Back to top |
|
|
Sten
Tux's lil' helper
Joined: 12 Dec 2006
Posts: 109
Location: Prague, Czechia, European Union
|
| Posted: Sun Dec 17, 2006 5:08 pm Post subject: Re: New system with ro and crypted filesystem |
|
|
| Lawess wrote: | | That's why I thought using it on read-only would be ok... |
You can use xfs on read-only but it will require more overhead with little performance increase. But I donât have exact numbers so I canât tell exactly.
| Lawess wrote: | | Never used reiser before - I wanted to try it out when reiser4 is ready but after that long story about Reiser will this ever be happen? |
reiserfs is ready long time and I must admit, itâs stable even in the case of power failure (which I cannot say about xfs or jfs). Reiser4 comes with new things but is not considered stable (as ext4).
| Lawess wrote: | /var/lib/portage only holds the world and config... nothing to share.
You mean /var/cache/edb?
Would be /var/cache/edb/dep enough to share? And the rest of this folder localy? |
Yes, I mean â/var/cache/edbâ. I think the whole folder must be consistent but this should make no extra harm.
| Lawless wrote: | | What impact on performance would have a dm-crypted volume with lvm? This would be two complete abstraction layers between the physical and the logical disk. Will this be still usable? Or lets say fast enough to store profiles of applications (browser cache etc), documents, pictures and so on... |
I donât have exact numbers, but as I remember on Pentium M 1500 MHz it got about 5 MBps (40 Mbps).
For caches itâs better to use tmpfs and symlinks (itâs very easy when using KDE because all caches are stored in â/tmpâ and â/var/tmpâ).
It has little issues with journal however and I found that itâs not power-failure-proof as running on unencrypted storage, but it always recovered almost everything (it was way better than unencrypted xfs).
_________________
You don’t understand, I break things like this!
xor rsi,rsi
lodsb
Segmentation fault |
|
| Back to top |
|
|
|
Other Things Gentoo
