On 06/25/13 14:27, Brad Alexander wrote:
I'm going to be adding a 3TB drive to my fileserver, but I want to use LUKS
encryption. The fileserver is kinda long in the tooth, a 2.8GHz P4 with 2GB
of RAM.
The machine has two drive slots, currently with an 80GB and a 1.5TB drive.
What I was considering is using a 16GB thumb drive for the OS, then
encrypting and using the 1.5TB and 3TB for swap, /var, /tmp, and the rest
for data.
Toward that end, I have a few questions.
* Is using a thumb drive for / and /usr a bad idea? Would it be better to
set up the 1.5 TB with two VGs, one for the OS and one for data?
* Writing random data to the hard drive is going to take a *lot* of time. I
built a P4 box a while back with a 500GB drive, and as I recall, it took
somewhere around 40 hours to write random data to that drive...A 3TB will
take something over a week by my estimation. I was considering processing
it on my Quad-core AMD machine, but will that be any faster? I'm guessing
it will, since the bus speed is faster.
* If you have already randomized the drive and written encrypted data to it
(e.g. on the faster machine), is there a way to tell the installer that you
want an encrypted partition, but don't write random data to it?
Any thoughts would be welcome.

If you can figure out how to boot from USB and run from RAM, then omitting a system drive could work. Otherwise, USB drives were never intended to be system drives. You want an SSD.

Make sure you understand the difference between /dev/random and /dev/urandom:

        $ man urandom

While pre-filling a dm-crypt partition with random data is the "proper" approach, you're correct in that it takes an impractically large amount of time (especially using /dev/random). Yes, you can tell the Debian installer not to randomize a crypto partition. I don't randomize my LUKS partitions -- I fill the drive with zeroes using the manufacturer diagnostic, reboot into Linux, partition, and feed them to LUKS as-is. The way I see it, only major governments are going to have the resources to crack LUKS, and they can and will either way if they so choose; so why bother?

Seriously consider getting a current CPU with AES-NI. My 3.4E GHz P4 is CPU bound at ~25 MB/s with LUKS. My i7-2600S can easily keep up with my 500+ MB/s Intel 520 Series SSD.

The newest Intel CPUs ("Haswell") have both AES-NI and a hardware random number generator (Intel Secure Key). The latter could make randomizing a 3 TB drive practical.

HTH,

David
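
An added example, not part of the original message: a small POSIX shell helper that checks a Linux cpuinfo file for the "aes" (AES-NI) and "rdrand" (hardware RNG instruction) flags and estimates how long a full-drive fill takes at a given sustained throughput. The function names are hypothetical, and the 25 MB/s and 500 MB/s figures from the message are used only as sample inputs; measure the real rate on the target machine.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# cpu_has_flag FLAG [CPUINFO]: succeed if FLAG appears in the first "flags" line.
# On x86 Linux, "aes" marks AES-NI and "rdrand" the hardware RNG instruction.
cpu_has_flag() {
    flag=$1
    cpuinfo=${2:-/proc/cpuinfo}
    awk -v want="$flag" '
        /^flags[ \t]*:/ {
            sub(/^[^:]*:/, "")
            # Compare whole fields so "aes" does not match "vaes".
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    ' "$cpuinfo"
}

# fill_minutes SIZE_GB MB_PER_S: whole minutes (rounded up) to write SIZE_GB
# decimal gigabytes at a sustained MB_PER_S decimal megabytes per second.
fill_minutes() {
    size_gb=$1
    mbps=$2
    [ "$mbps" -gt 0 ] 2>/dev/null || {
        echo "throughput must be a positive integer" >&2
        return 1
    }
    secs=$(( (size_gb * 1000 + mbps - 1) / mbps ))
    echo $(( (secs + 59) / 60 ))
}

# report SIZE_GB MB_PER_S [CPUINFO]: one-line summary for a planned fill.
report() {
    for f in aes rdrand; do
        if cpu_has_flag "$f" "${3:-/proc/cpuinfo}"; then
            printf '%s=yes ' "$f"
        else
            printf '%s=no ' "$f"
        fi
    done
    mins=$(fill_minutes "$1" "$2") || return 1
    printf 'fill=%sh%02dm\n' $((mins / 60)) $((mins % 60))
}

# Usage: report 3000 25    (3 TB drive, 25 MB/s, flags from /proc/cpuinfo)
```

At the 25 MB/s sample rate a 3 TB fill comes to about 33 hours; at 500 MB/s it is under two hours, provided the drive itself can sustain that write rate.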

