linux:fs:luks [2015/04/10 21:16]
niziak
linux:fs:luks [2021/02/17 08:51] (current)
niziak
Line 1: Line 1:
-[[https://​wiki.archlinux.org/​index.php/​Dm-crypt/​Encrypting_an_entire_system|https://​wiki.archlinux.org/​index.php/​Dm-crypt/​Encrypting_an_entire_system]]+[[https://​wiki.archlinux.org/​index.php/​Dm-crypt/​Encrypting_an_entire_system|https://​wiki.archlinux.org/​index.php/​Dm-crypt/​Encrypting_an_entire_system|dm-crypt/​Encrypting an entire system]]
  
 ====== LUKS on LVM vs LVM on LUKS ====== ====== LUKS on LVM vs LVM on LUKS ======
Line 8: Line 8:
   - good for multiuser environment   - good for multiuser environment
   - root system can be on unencrypted partition (no password to boot). The same can be achieved with LVM on LUKS on separate partition.   - root system can be on unencrypted partition (no password to boot). The same can be achieved with LVM on LUKS on separate partition.
 +  - Volumes can span on multiple drives
 +  - LVM cache is caching encrypted data (no unecnrypted data leak to cache device).
 +    - one common SSD cache device can be used if you have encrypted (data) and unecrypted (system) partitions on LVM
  
 LVM on LUKS (preffered) LVM on LUKS (preffered)
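Review bot: the added bullets under "LUKS on LVM" have spelling errors that should be fixed before this lands: "unecnrypted" (twice) should be "unencrypted", "Volumes can span on multiple drives" should read "Volumes can span multiple drives", and "preffered" in the heading that follows is "preferred". The technical claim is correct as stated: with LUKS stacked on top of LVM the dm-cache layer sits below the crypt mapping and only ever sees ciphertext, which is why one SSD can safely cache both the encrypted data LV and the unencrypted system LV. Suggest saying explicitly that this holds only because the cache device is below the encryption layer, since the opposite is true for the LVM-on-LUKS layout in the next section.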
Line 15: Line 18:
   - one unlock of block device give access to all LVM volume created on it.   - one unlock of block device give access to all LVM volume created on it.
   - it is easier to change volumes sizes without touching encryption layer   - it is easier to change volumes sizes without touching encryption layer
 +  - LVM cache is caching decrypted data
 +    - workaround: encrypt also cache device, but for mixed setup (unencrypted and crypted partition) it is need to divide cache device into 2 volumes to serve unencrypted cache for system (no need to provide unlock password).
  
 +====== Performance ======
 +IT depends on HW acceleration
 <​code>​ <​code>​
 cryptsetup benchmark cryptsetup benchmark
 </​code>​ </​code>​
 +Best choice for AMD A4-5300 APU:
 +<​code>​
 +# Tests are approximate using memory only (no storage IO).
 +PBKDF2-sha1 ​      ​448876 iterations per second
 +PBKDF2-sha256 ​    ​352344 iterations per second
 +PBKDF2-sha512 ​    ​362077 iterations per second
 +PBKDF2-ripemd160 ​ 500274 iterations per second
 +#  Algorithm | Key |  Encryption |  Decryption
 +     ​aes-cbc ​  ​128b ​  429.0 MiB/s  1275.9 MiB/s
 +     ​aes-cbc ​  ​256b ​  333.0 MiB/s   770.0 MiB/s
 +     ​aes-xts ​  ​256b ​  903.8 MiB/s  1023.9 MiB/s
 +     ​aes-xts ​  ​512b ​  902.7 MiB/s   928.5 MiB/s
 +</​code>​
 +
 +
  
 ====== Advices ====== ====== Advices ======
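Review bot: "Best choice for AMD A4-5300 APU:" never states which row of the benchmark is the best choice; spell the conclusion out (by these numbers aes-xts 256b is the fastest at about 904 MiB/s encrypt and 1024 MiB/s decrypt, and aes-xts 512b costs almost nothing extra). Readers should also be told that XTS splits its key in two, so `aes-xts` 256b is AES-128 and 512b is AES-256, whereas `aes-cbc` 256b is already AES-256; comparing the cbc and xts rows by the "Key" column alone is misleading. "IT depends on HW acceleration" should read "It depends on hardware acceleration (AES-NI)". The mixed-setup workaround sentence is hard to parse; suggest: "workaround: also encrypt the cache device; for a mixed setup (encrypted and unencrypted volumes) the cache device must be split into two volumes, so that the system volume can use an unencrypted cache that needs no unlock passphrase." The two trailing empty `+` lines after the benchmark block can be dropped.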
Line 65: Line 87:
   * increase number of iterations (default it is set to 1000 ms)   * increase number of iterations (default it is set to 1000 ms)
  
-===== Setup /dev/sda5 as LUKS device: ​===== +===== Fill with random data ===== 
 +<code bash>​badblocks -c 10240 -s -w -t random -v /​dev/​sda5</​code>​ 
 +or (faster, only writes). Block size for dd has to be big, to avoid re-reading data from encrypted block.
 <​code>​ <​code>​
 +cryptsetup open --type plain /dev/sda5 tempcontainer
 +dd if=/​dev/​zero of=/​dev/​mapper/​tempcontainer bs=64M
 +cryptsetup luksClose tempcontainer
 +</​code>​
 +
 +===== Setup /dev/sda5 as LUKS device: =====
 +<code bash>
 cryptsetup luksFormat -y -v /dev/sda5 cryptsetup luksFormat -y -v /dev/sda5
 </​code>​ </​code>​
  
-will create by default **aes-xts-plain64** ​ 256bits+will create by default **aes-xts-plain64** ​ 256bits.
  
-<​code>​+Another examples: 
 + 
 +<​code ​bash>
 cryptsetup luksFormat --cipher aes-cbc-plain --key-size 256 /dev/sda5 cryptsetup luksFormat --cipher aes-cbc-plain --key-size 256 /dev/sda5
 cryptsetup luksFormat --cipher aes-cbc-plain --key-size 256 --hash sha1 -i 2000 --use-random /dev/sda5 cryptsetup luksFormat --cipher aes-cbc-plain --key-size 256 --hash sha1 -i 2000 --use-random /dev/sda5
-cryptsetup luksFormat --cipher aes-cbc-essiv:​sha256 --key-size 256 --v /dev/sda5 +cryptsetup luksFormat --cipher aes-cbc-essiv:​sha256 --key-size 256 --verify-passphrase ​-v /dev/sda5 
-cryptsetup ​-y -v --cipher aes-xts-plain:​sha256 ​--key-size 256 luksFormat ​/dev/sda5 +cryptsetup ​luksFormat ​--cipher aes-xts-plain --key-size 256 --verify-passphrase -v /dev/sda5 
-cryptsetup ​-y -v --cipher aes-xts-plain:​sha256 ​--key-size 512 luksFormat ​/dev/sda5+cryptsetup ​luksFormat ​--cipher aes-xts-plain --key-size 512 --verify-passphrase -v /dev/sda5
 </​code>​ </​code>​
  
-<​code>​+<​code ​bash>
 cryptsetup --verify-passphrase -v --cipher aes-cbc-plain64 --key-size 128 --hash sha512 --iter-time 3000 --use-random luksFormat /dev/sda5 cryptsetup --verify-passphrase -v --cipher aes-cbc-plain64 --key-size 128 --hash sha512 --iter-time 3000 --use-random luksFormat /dev/sda5
 +</​code>​
 +
 +<code bash>
 +cryptsetup luksFormat --cipher aes-xts-plain --verify-passphrase -v  --key-size 512  --hash sha512 --iter-time 3000 --use-random /dev/sdb6
 </​code>​ </​code>​
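Review bot: the new "Fill with random data" block opens the plain mapping without a key source, so `cryptsetup open --type plain /dev/sda5 tempcontainer` will prompt for a passphrase that nobody needs to remember; for a wipe pass use a throwaway random key, i.e. `cryptsetup open --type plain --key-file /dev/urandom /dev/sda5 tempcontainer`, and close it with `cryptsetup close tempcontainer` (the mapping is plain dm-crypt, not LUKS, even though `luksClose` happens to work as an alias). The justification "Block size for dd has to be big, to avoid re-reading data from encrypted block" is not right: `dd if=/dev/zero` never reads the target back; a large `bs` only cuts the number of write syscalls and improves throughput, and `status=progress` is worth adding for a multi-hour wipe. In the "Another examples" block, the `aes-cbc-plain` lines should be marked as legacy/weak rather than offered as alternatives: CBC with a plain sector-number IV is exposed to the well-known watermarking attack (ESSIV or, better, XTS avoids it), and the `plain` IV is only 32-bit, so it wraps on devices larger than 2 TiB; the corrected `aes-xts-plain` lines should use `aes-xts-plain64`, matching the default the page itself describes. Minor: `-i 2000` and `--iter-time 3000` are both the PBKDF iteration time in milliseconds, which is fine, but the text a few lines up calls this "number of iterations"; it is the time budget, not a count.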
  
Line 94: Line 130:
  
 <​code>​ <​code>​
-cryptsetup status sda5 cryptsetup luksDump /dev/sda5+cryptsetup status sda5  
 +cryptsetup luksDump /dev/sda5
 </​code>​ </​code>​
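Review bot: splitting the two commands onto separate lines is right, but note that they take different arguments: `cryptsetup status sda5` takes the name of the opened device-mapper mapping (whatever name was passed to `luksOpen`), while `cryptsetup luksDump /dev/sda5` takes the underlying block device. As written, the `status` line only works if the volume was opened as `cryptsetup luksOpen /dev/sda5 sda5`; a one-line remark would save readers from a confusing "Device sda5 not found".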