On 02/04/2015 02:20 PM, Celejar wrote:
> Hi,
>
> I am preparing a USB external HDD for use with my T61 ThinkPad (Core 2
> Duo CPU T7300 @ 2.00GHz). The disk will fulfill two, very different
> functions: general backup for files (mail, documents, etc.) via
> rsnapshot (rsync type backup), and overflow storage for my full main
> HDD ("big" files such as media: audio, video, PDFs).
>
> For the backups, I need encryption; the media storage doesn't require
> it. Currently, I use different partitions on my external disks: plain
> for storage, and encrypted (dmcrypt / LUKS) for the backups (and
> storage of sensitive information). This obviously adds complexity, so
> I'm thinking of going to one encrypted partition for everything. The
> obvious possible downside is performance: everything I read indicates
> that there is a significant hit, even on modern hardware, but I don't
> really know if it's current, accurate, or relevant to my use case.
>
> What would the experts recommend: one partition for everything for
> simplicity, or separate ones for a possible performance advantage?
>
> Celejar
>
> Hello, Personaly, I use full encryption and each partition is on a logical volume, with LVM physical volume encrypted. Say I have /dev/sda2 of 100GB, it is encrypted with luks. I open this luks volume and setup LVM with pvcreate on /dev/mapper/luks_sda2, then create my LV. About performance downside, if you have a recent processor with aesni instructions (for intel, dunno for AMD but they have the same feature too), the Linux kernel does have a module to handle hardware encryption, which speeds up the job. But, in both cases (with or without instructions), you will not really notice any difference even with a quite old processor, like core i2. You may find it a little slower at machine's first boot. If we speak about Desktop computers. Never tried to setup encryption on loaded servers. Also, I dont really understand why you want to do "half encryption". Only backups and not other things? Sounds strange to me. But you're free to do so of course.
signature.asc
Description: OpenPGP digital signature
