Gentoo Forums
To encrypt or not to encrypt?
Gentoo Forums Forum Index: Networking & Security
FizzyWidget
Veteran

Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

Posted: Thu Jan 19, 2012 8:51 pm    Post subject: To encrypt or not to encrypt?

Who here encrypts their /home and storage drives? Is it really worth encrypting a home system or is it only for the paranoid people? Are there any performance hits in doing so?
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Veldrin
Veteran

Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

Posted: Thu Jan 19, 2012 9:04 pm    Post subject:

I did encrypt only home in the past using ecryptfs.
Nowadays I encrypt the entire system (excluding boot), using dmcrypt/luks.

ecryptfs sounds simple at first glance, but it gets rather troublesome if you have to recover your home data from a 2nd OS (Linux LiveCD et al.).

IMO the big advantage of having your disks encrypted is that it makes it much simpler (and less work) to render any data unusable. I am mainly concerned about leftover data once I decommission a hard drive/SSD. The only thing you need to destroy is the partition header, and the data is next to unrecoverable. (On an unencrypted device you would need to completely overwrite it at least once, preferably with random data, which is next to impossible on an SSD.)

I did my first experiments on a Pentium M system, and there IMO the performance hit was noticeable (at least it was visible in gkrellm). Nowadays, on multicore systems (Core 2 Duo and upwards) the performance hit is less noticeable, I would even say negligible.

If you start encrypting data, make sure that your swap is also encrypted, as some data might be leaked from RAM to swap, where it is readable.


just my .02$
V.

One sidenote: yes, I am aware that some SSDs encrypt data themselves, but I just do not want to trust only the hardware manufacturers.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
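
A way to check the swap point made in the post above, as an added example that is not part of the thread: the script lists active swap areas that do not trace back to a dm-crypt mapping. It assumes cryptsetup mappings carry a device-mapper UUID beginning with `CRYPT-`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active swap areas that are not backed by dm-crypt.

# is_crypt ROOT NAME: succeeds if block device NAME (e.g. dm-1) is a dm-crypt
# mapping, or is stacked only on dm-crypt mappings (e.g. LVM inside LUKS).
is_crypt() {
    sysdir="$1/sys/class/block/$2"
    # Assumption: cryptsetup gives its mappings a device-mapper UUID "CRYPT-..."
    if [ -r "$sysdir/dm/uuid" ]; then
        case "$(cat "$sysdir/dm/uuid")" in CRYPT-*) return 0 ;; esac
    fi
    [ -d "$sysdir/slaves" ] || return 1
    for s in "$sysdir"/slaves/*; do
        [ -e "$s" ] || return 1          # no underlying devices listed
        is_crypt "$1" "${s##*/}" || return 1
    done
    return 0
}

# unencrypted_swaps [ROOT]: print "device (type)" for every swap area that
# could not be traced to dm-crypt. ROOT is empty for the live system.
# Swap files are always listed: their backing filesystem is not resolved here.
unencrypted_swaps() {
    tail -n +2 "$1/proc/swaps" | while read -r path type rest; do
        if [ "$type" = partition ] && is_crypt "$1" "${path##*/}"; then
            continue
        fi
        echo "$path ($type)"
    done
}

# Constructed sample tree (not a real machine): dm-0 is a LUKS mapping,
# dm-1 an LVM volume on top of it, sda3 a plain partition.
make_sample() {
    t=$(mktemp -d)
    b="$t/sys/class/block"
    mkdir -p "$t/proc" "$b/dm-0/dm" "$b/dm-1/dm" "$b/dm-1/slaves/dm-0" "$b/sda3"
    echo "CRYPT-LUKS1-0123abcd-cryptroot" > "$b/dm-0/dm/uuid"
    echo "LVM-examplevgexamplelv" > "$b/dm-1/dm/uuid"
    printf '%s\n' "Filename Type Size Used Priority" \
        "/dev/dm-1 partition 4194300 0 -2" \
        "/dev/sda3 partition 2097148 0 -3" \
        "/swapfile file 1048572 0 -4" > "$t/proc/swaps"
    echo "$t"
}

sample=$(make_sample)
unencrypted_swaps "$sample"
rm -rf "$sample"
```

Calling `unencrypted_swaps` with no argument reads the live `/proc/swaps` and `/sys/class/block`; an empty result means every swap partition traced back to dm-crypt.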
FizzyWidget
Veteran

Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

Posted: Thu Jan 19, 2012 9:07 pm    Post subject:

Would you happen to have a foolproof, easy-to-follow n00b guide you could link me to so I could do this? I have just re-installed my storage box, but if needs be I can 3 pass wipe it and encrypt it, then rebuild it, I have all the conf files saved :)

Thanks
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2971
Location: Germany

Posted: Thu Jan 19, 2012 9:10 pm    Post subject: Re: To encrypt or not to encrypt?

Dark Foo wrote:
Who here encrypts their /home and storage drives?


I encrypt everything.

Dark Foo wrote:
Is it really worth encrypting a home system or is it only for the paranoid people?


It's probably useless against police (if they just lock you up until you give the password), but I'm looking for simpler things, such as not wanting computer-savvy members of my family going through my stuff.

Dark Foo wrote:
are there any performance hits in doing so?


Yes, naturally, although only noticeable when there's actually hard disk access going on and if you're actually giving your CPU something to do even without encryption. On a modern machine the encryption is accelerated (AES-NI), which helps a great deal.


You either need encryption or you don't - if you don't need it, don't use it, if you need it, performance doesn't matter.
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2971
Location: Germany

Posted: Thu Jan 19, 2012 9:15 pm    Post subject:

Dark Foo wrote:
3 pass wipe


Maybe these will help?

http://en.gentoo-wiki.com/wiki/Secure_deletion

http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick

http://en.gentoo-wiki.com/wiki/Initramfs
Veldrin
Veteran

Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

Posted: Thu Jan 19, 2012 11:09 pm    Post subject:

I use that guide: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

The good part is that genkernel (or more precisely the initramfs it builds) is capable of starting a LUKS-encrypted root,
though there are some issues with newer versions of cryptsetup if you want to use gpg-encrypted keys.

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
FizzyWidget
Veteran

Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

Posted: Fri Jan 20, 2012 8:19 am    Post subject:

Seems complicated going by that guide, I may have to read it quite a few times first.
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Goverp
l33t

Joined: 07 Mar 2007
Posts: 907

Posted: Fri Jan 20, 2012 9:20 am    Post subject:

Whole-disk encryption is good, but remember that processes running inside the system see the file system in clear. Encryption is no defence against hacking over the network. You still need firewalls and antivirus and normal security within the system. Also, important data such as password wallets and financial info still need to be encrypted when the system is running, so that's double-encryption.

Don't forget to take encrypted backups, as otherwise the thief who steals your PC and backups doesn't need the PC. And if your backups are encrypted, remember to test recovery regularly. There's nothing so depressing as forgetting the password when your hard drive's toast.

IMHO you could consider leaving /usr, /bin, /opt and /sbin unencrypted, but you need to encrypt /home, /var and /etc. You might set up another unencrypted file system for large public files that would otherwise be in /home - such as music, photographs and video. /etc is a nuisance; with it encrypted, AFAIK you need an initramfs to decrypt it before you can boot.
_________________
Greybeard
FizzyWidget
Veteran

Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

Posted: Fri Jan 20, 2012 11:18 am    Post subject:

To be honest all I want is to protect my documents and personal pictures; it will mainly be me that uses all the PCs, and I'm guessing your run-of-the-mill burglar isn't going to be savvy enough or have the equipment to unencrypt the drives, or even if he knows someone who could and they try using data recovery, it's all mainly geared towards Windows filesystems.

I have an iptables script which blocks everything, and a router that also blocks everything, so I only need to concern myself with places I visit.

Think i need to think on this a bit more :)
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
All times are GMT