I'm moving over to Linux when the new SSD arrives. SSD gives increased performance, so I thought that I could encrypt everything.
But then I came to think about TRIM, and garbage collection on the drive. Will a LUKS encrypted drive affect the garbage collection system? (TRIM).
Is LUKS the best data/system encryption? Or is there one that is even better and stronger?
View 1 Replies View RelatedI'm trying to install a luks enabled grub for full system encryption. What modules are required by grub to load a normal ubuntu linux system and what is the type to use?
View 2 Replies View RelatedI have set up a Linux software RAID5 on three hard drives and want to encrypt it with cryptsetup/LUKS. My tests showed that the encryption leads to a massive performance decrease that I cannot explain. The RAID5 is able to write 187 MB/s [1] without encryption. With encryption on top of it, write speed is down to about 40 MB/s.
The RAID has a chunk size of 512K and a write intent bitmap. I used -c aes-xts-plain -s 512 --align-payload=2048 as the parameters for cryptsetup luksFormat, so the payload should be aligned to 2048 blocks of 512 bytes (i.e., 1MB). cryptsetup luksDump shows a payload offset of 4096. So I think the alignment is correct and fits to the RAID chunk size.
The CPU is not the bottleneck, as it has hardware support for AES (aesni_intel). If I write on another drive (an SSD with LVM) that is also encrypted, I do have a write speed of 150 MB/s. top shows that the CPU usage is indeed very low, only the RAID5 xor takes 14%.
I also tried putting a filesystem (ext4) directly on the unencrypted RAID so see if the layering is problem. The filesystem decreases the performance a little bit as expected, but by far not that much (write speed varying, but > 100 MB/s).
Summary:
Disks + RAID5: good
Disks + RAID5 + ext4: good
Disks + RAID5 + encryption: bad
SSD + encryption + LVM + ext4: good
The read performance is not affected by the encryption, it is 207 MB/s without and 205 MB/s with encryption (also showing that CPU power is not the problem). What can I do to improve the write performance of the encrypted RAID?
[1] All speed measurements were done with several runs of dd if=/dev/zero of=DEV bs=100M count=100 (i.e., writing 10G in blocks of 100M).
Edit: If this helps: I'm using Ubuntu 11.04 64bit with Linux 2.6.38. Edit2: The performance stays approximately the same if I pass a block size of 4KB, 1MB or 10MB to dd.
first i make one partiton ten format it add mount point and fire luksopen command and create secert file and enter this in crypttab but when i rebbot it showes scert file not found and partion remain unlocked
View 1 Replies View Related1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
I've got some old drives using pre-LUKS loopback encryption, and I'm having problems mounting them on OpenSUSE 11.3. What I expected to work, based on past experiences with other distributions, is something along the lines of:
mount -t ext3 /dev/sdc11 tmp -o loop=/dev/loop1,encryption=AES256. When I try this I'm asked for the password, but then get the message "ioctl: LOOP_SET_STATUS: Invalid argument". Anyone have a clue what could be going wrong, or how I can best access these drives from OpenSUSE?
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
View 2 Replies View RelatedI would like to configure my Debian Jessie system in this way.
Two partitions:
1) /boot on /dev/sda1
2) everything else on /dev/sda2
I want to encrypt the second partition with LUKS. And then install over it a LVM volume. Inside the LVM volume i will create the / (root), /var, /opt and /home virtual partitions. In this way, i'll get asked only once for the password to decrypt all partitions. Because if i don't use LVM, then i'll get asked for the password for each encrypted partition.
I can follow and understand almost everything of this HOW-TO for Archlinux: [URL] ....
Only two passages are unclear to me:
1) Configuring mkinitcpio
I don't understand what i should do here in order to complete this. What should i do in Debian to configure "mkinitcpio"? what is the equivalent thing to do here?
I thought that the kernel would automatically recompile itself with all installed modules on the Debian system, once cryptosetup/LUKS or LVM2 get installed.
2) Configuring the boot loader
I don't understand what should i write in /etc/default/grub. Will GRUB automatically load the LUKS and LVM2 modules? Also, I don't think that i could boot the system in this way:
cryptdevice=/dev/sda2:LVM root=/dev/mapper/LVM-????
Actually the "root=" volume is the whole volume to mount as LVM. It isn't the final root partition.
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be:
HP dv6-3040us Pavillion laptop
AMD Phenon II
4GB DDR3
I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
View 1 Replies View RelatedI know how to mount it manually. I've seen a howto on how to mount it automatically by loging in with the user, you type your username and password and it mounts your encrypted partition. But that's not what I want. My idea is to call cryptsetup and mount on boot, AND ask me for passphrase like when its loading the system, then if I don't type the right password it shouldn't mount /home, even though i type the correct USER password later when the system is loaded(and then I'd have an empty /home since my home partition wasn't mounted due to wrong passphrase).
This is what I tried: I added the commands to rc.local and I don't even feel like it was executed, no passphrase was asked. As a test if commands there were being executed, I tried simple commands lile mkdir /test and it worked. So commands there are executed, yet, no passphrase was asked to me, I looked on dmesg for crypt and found nothing, I pressed alt+ctrl+F1 desiring to find a passprhase-ask and again, nothing.
I am compiling some software (JWM) and it says that I must install the "development headers" for X11 and Xlib.My main question is, how will installing those packages affect my system.My less main question is how do I install them?
View 1 Replies View RelatedWill deleting dev/sda partition table ( msdos ) affect my windows 7 system? I am trying to install Fedora 15 on Virtual Box.
View 1 Replies View RelatedI plan to use newsbeuter for console RSS reading.This program has a config text file where I need to store my Google account password,in order to access my Google reader.I don't feel easy at making my password readable to everyone.Is there anyway I can somehow encrypt this information ?
View 1 Replies View RelatedI would love to be able to use TrueCrypt consistently across all my machines, be they Windows or Linux. As it stands, I can do full-disk encryption with pre-boot authentication only on Windows.
I don't really understand why this is. Are there technical challenges specific to Linux/Mac that make full disk encryption harder? Does anyone know whether TrueCrypt will support this in the near future.
PS. yes, I'm aware that there are other options. My goal is to simplify my life here and use the one tool across all machines.
I have two basically identical harddrives that are encrypted with LUKS containing a complete debian installation:
Code: Select allroot@x200s:/home/b# lsblk --fs
NAME FSTYPE LABEL UUID MOUNTPOINT
sda
├─sda1 ext2 0b851969-281e-4db2-8a5b-3798e801711b /boot
├─sda2
└─sda5 crypto_LUKS cfcf63ef-448a-4f72-9f58-8f7731cf3dfc
└─sda5_crypt LVM2_member 21CS3f-SQeQ-XcMr-kyDs-OPtR-egmT-HkvJAu
[Code] ....
sda is what I currently run to write this text, sdb is my former harddrive, connected via USB.
I want to access the root partition on sdb.
The problem is:
Code: Select allcryptsetup luksOpen /dev/sdb5 oldhd
Enter passphrase for /dev/sdb5:
root@x200s:/home/b# ls /dev/mapper/
control oldhd sda5_crypt x200s--vg-root x200s--vg-swap_1
root@x200s:/home/b# mount /dev/mapper/oldhd /mnt/
[b]mount: unknown filesystem type 'LVM2_member'[/b]
[Code] ..
Before all this, both sda and sdb where in the same volume group. I renamed the volume group of sdb to "oldDisk"
using
Code: Select allvgrename <UUID> oldDisk
How I can access the data on the root filesystem of my sdb..
I added a directory to the $PATH variable in /etc/profile. This works for my user account but not for root. It's easy to add it to my /root/.bashrc but I would like to understand whats's wrong. It's a widely unmodified Debian 6 so I think my changes should do the trick.
Here is what my /etc/profile looks like:
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
if [ "`id -u`" -eq 0 ]; then
[code]....
Edit: The path I added is the distcc-stuff. Here is what echo $PATH tells me:
$ echo $PATH
/usr/lib/distcc/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
There are not SSDs with TRIM support available in my region that fit into my laptop (1.8", IDE, ZIF). I'm running Ubuntu 10.10.
Most articles (or questions on superuser) I've come across concering TRIM (or the lack thereof) date back to 2009, when not many SSDs with TRIM support were available and OS support was still very fresh.
I'm interested in the current situation, but I couldn't find too much information about it.
What are currently the "best practices" for using an SSD without TRIM under Linux?
I've read about the wiper script included with hdparm. Do I understand correctly that I could use this to free unused blocks, e.g. by running it once a month?
Some sources state that HFS+ (the default-filesystem of Mac OS X) doesn't suffer as badly from lack of TRIM as other filesystems. How about linux filesystems? Are there filesystems that are better suited for SSDs without TRIM than others?
My partition /dev/sda3 on an SSD drive doesn't contain any filesystem, but it contains garbage. How do I do a TRIM/DISCARD operation on the whole partition?
View 2 Replies View RelatedA while back I installed Dreamlinux 3.5 Gnome edition using ext2. When I attempted to use the email address books I imported from the Dreamlinux3.5 XFCE edition, which had been ext3, I discovered that none of the email addresses could be mailed to. I had to manually type in the addresses.
When I reinstalled Dreamlinux 3.5 Gnome using ext3, the same backup files that did not work in ext2 now work just fine. The question is, was this a "broken data" problem caused by the switch to ext2 file system or something else? Has anyone else experienced this?
The mail program is Thunderbird.
I have a bunch of files (around 900) that have some special characters. Some of the files contains example, and quoting "[useless] filename (something)"so what I want is just to strip the brackets and parenthesis, some are folders, others are text files
View 1 Replies View RelatedI wrote this script which works but it should run automatically about once per week. I hunted and experimented with KDE Task Scheduler (no dice and no help anywhere) and cron (confusing instructions and cannot edit crontab -e with vim, and cannot enter cron folders/files). I would settle for a desktop shortcut to run the script but found no for that.
Script:
Code:
#!/bin/bash
xterm -hold -e fstrim -v /
Machine:
OS: openSUSE 11.4 x86_64
[code].....
I need a FREE solution that can image an entire Luks system encrypted volume and the rest of the used HDD, the MBR and /boot partition. Note: MBR and /boot are not encrypted. Note 2: I want to be able to restore entire drive from image with only a couple of steps. Note 3: Destination HDD space is a factor. Image file must be compressed and the image file must be around 40 to 50 GB or less. The smaller the image the better.
I have used clonezilla live cd before but not for encrypted volumes. I know you can install it in Linux. But, I don't know how to configure it after installation. I would be very happy if someone could tell me how to configure clonezilla in Fedora. How to guides are also welcome. I have one more question. If I image the encrypted volumes and all the stuff I mentioned above while logged in to Fedora, and I restore the drive from the image, will the recovered drive still be encrypted?
Does anyone know any software for whole system drive encryption for Linux, I used to use truecrypt for windows, but truecrypt doesnt support system/OS partition/drive encryption....
View 4 Replies View Relatedi have hd encryption activated on my swap and home disks. now every 20 min or so (not really periodic but definetly reproduceable) my system hangs completely for about 4 - 10 sec while the hd led is on. i have a dual core cpu which makes this even more odd. could this be a side effect of hd encryption especially on the swap partition?
View 3 Replies View RelatedI'm trying to write a GUI text encryption application. I wrote the encryption system in a No GUI application like this::
[Code]...
Now I'm trying to write a GUI version, using the same algorithm. Here goes a rough image of my main window code. If you scroll down you'll observe a coloured part. As you see, the text in the first textbox gets copied into clipboard. That is the part where my encryption system should encrypt the data in the clipboard, and copy it again, and later on the new data will be pasted. How am I supposed to write that? If I have to use another signal, what is the receiver of that signal?
[Code]...
how to implement a password login system that both sends passwords over the internet in an encrypted form (so my users don't get that annoying message saying "this web site is about to send your password in an unsafe form..." and stores its user data in a MySQL database? This seems to need a combination of mod_auth_digest and mod_auth_mysql.
View 1 Replies View RelatedKernel 2.6.21.5, Slackware 12.0
KDE 3.5.7
(Mozilla) Firefox 2.0.0.4
Do color settings in the desktop environment affect color in the web browser? Thanks.
I need to move a LUKS encrypted partition to the end of a harddrive to expand another partition. Does anyone know how to do this?
Is it possible to do this with other partition editing programs?
Gparted doesnt support LUKS/LVM