On Sat, 26 Nov 2011 13:00:24 +0530 "J. Bakshi" <baksh...@gmail.com> wrote:
> On Sat, 26 Nov 2011 00:00:05 -0700
> Bob Proulx <b...@proulx.com> wrote:
>
> > J. Bakshi wrote:
> > > I am always interested in Full disk encryption for my laptop ( i5 +
> > > 3 GB ), but what makes me stop is the thinking of performance
> > > lag. Recently I have seen an Ubuntu laptop ( i5 + 4 GB ) with full
> > > disk encryption and it is performing normal, haven't found any
> > > lag...
> >
> > I have been using full disk encryption on my 2004 T42 1.7GHz Pentium M
> > with 1G ram without any significant performance issues. Before I
> > installed it I benchmarked building various projects of mine both on
> > an installation without encryption and then on an installation with
> > encryption. I don't have the data from that handy now but I recall it
> > being rather not a big deal. The safety of the encrypted disk was
> > much more significant.
> >
> > That was on my old 1.7GHz Pentium M with 1G of ram. Any faster
> > machine should perform better. Your i5 should blow it away on
> > performance. I wouldn't have a concern at all.
> >
> > > So I am interested to give the FUD a try on my own laptop. How can I
> > > proceed ? My laptop is debian wheezy with lots of important
> > > data.. so backup is must.. but what next ? What configuration will
> > > give me a better performance , LVM based or simple partition based ?
> > > Presently excluding swap I have 3 reiserfs partition for / ; /home
> > > and /movie ... no LVM. Like to hear some feedback from you guys..
> >
> > AFAIK you cannot hot-convert your system. You will need to create the
> > filesystem fresh in order to have an encrypted filesystem. That
> > obviously means that you should back up everything and offline
> > someplace so that you can restore your files later. Because you can't
> > convert them in place.
> >
> > But it also means that you have the same opportunity that I had.
> > After backing everything up so that you can install a clean system you
> > should install several different configurations and then benchmark
> > each of those configurations. Keep track of the data so that you can
> > compare the performance of each. Nothing is as powerful as an actual
> > example with data.
> >
> > One configuration should be a fresh install with no encryption as a
> > control. That should be your baseline peak performance configuration.
> > One test case should use the smallest encryption key. One test case
> > should use a large encryption key. (IIRC you have choices of AES 128,
> > 196 and 256 bits or something like that.) Having data in your hand
> > you won't need to believe FUD and can use the results you have
> > determined. I am confident you won't have any reason not to use full
> > disk encryption. There will be a performance hit but it provides
> > safety that is unobtainable otherwise.
> >
> > The way I like to set up the system is to set up /boot in its own
> > partition on /dev/sda1. Then set up the rest of the disk in /dev/sda5
> > as a logical partition for an encrypted partition. Then use that
> > encrypted partition for one large LVM volume. This includes swap.
> > You definitely want to encrypt swap along with everything else. Only
> > /boot is unencrypted so that it can ask you for the encryption key and
> > then load the operating system. Everything else goes into a large lvm
> > volume on a large encrypted partition. With only one encrypted
> > partition it will ask you for the passphrase only once. (Some people
> > make the mistake of creating many encrypted partitions and then get
> > asked the passphrase for each and every one of them at boot time.
> > Definitely not as friendly.)
> >
> > Then partition out space for swap and your choice of filesystem
> > partition assignments. For my laptop I put everything in one large
> > root partition. I am the sole user and it doesn't operate without me
> > in attendance and therefore I know what is going on with it. (For a
> > server I *always* split out /var and quite a few other partitions for
> > as small of a root partition as possible and resizable partitions for
> > dedicated applications.)
> >
> > Bob
>
> Hello Bob,
>
> Feel good to hear your experience.
> Thanks for the config and tips ... I'm doing some more reading on it.
> I am going for FDE soon :-)
>
> many many thanks

Forgot to mention: apache, mysql are also running... so don't know the
performance hit after full disk encryption