piorunz:
> I have question regarding whole disk encryption. What technology should
> I use, to have encryption of everything, or at least /home, but preserve
> free blocks and have TRIM?

The canonical answer is "LUKS". You can configure it during installation if you want to. I always use LVM as well. It is up to you whether you want to use LVM on LUKS or the other way round.

I am not sure how well full-disk encryption is supported nowadays. For common scenarios (like loss or simple theft of the storage medium, no state-level attackers) you do not need it, in my opinion. Oh, the buster release notes mention that encrypted /boot is not supported; everything else may be encrypted, even the root filesystem.

https://www.debian.org/releases/buster/amd64/ch06s03.en.html#partman-crypto

If you think you need protection against somebody tampering with your boot loader and/or kernel, you need to configure Secure Boot, which I have never really looked at. I guess this is overkill for now.

> I don't want encryption to use entire drive
> as "full" blob, I want to preserve SSDs life.

I am not sure what this means and whether there is any relation between "full blob" and life-preserving measures. But let me assure you that your SSD will be fine, no matter how you are setting up encryption. You can set up both LUKS and LVM to pass through the "discard" command, which you need for TRIM to work, and this is more of a performance measure than a method to reliably lengthen the lifespan of your SSD.

How long do you think you will need your SSD? I recently removed an Intel X25m from an old system. It was more than ten years old and was first used heavily in a laptop and later on ran 24/7 for several years as OS drive in a NAS system. And that SSD didn't even support TRIM! Do not worry about the lifetime of your SSD. Worry about backups.

You use LUKS by telling it which disk partition it should encrypt. You then get a new logical block device which you can treat like any "real" partition. Most importantly, you can create a regular filesystem on it (or an LVM physical volume) which is encrypted before anything is written to the physical disk. The amount of free space in your filesystem is not dependent on having a LUKS container beneath it.

> What solutions should I
> use? Thanks!

Get familiar with LUKS and possibly LVM. There are options like ecryptfs which work on a regular filesystem and encrypt individual files as well as their names. But those are --

When standing at the top of beachy head I find the rocks below very attractive.
[Agree] [Disagree] <http://archive.slowlydownward.com/NODATA/data_enter2.html>
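A check that follows the reply's point about passing "discard" through LUKS and LVM, as an added example that is not part of the original message: a POSIX shell function that reads `lsblk -D` output (a constructed sample here, assumed to use the Debian-style `sda2_crypt` mapping name) and flags any dm-crypt or LVM layer whose discard granularity is 0B, i.e. a layer that drops TRIM before it reaches the SSD.

```shell
#!/bin/sh
# Audit whether discard (TRIM) is passed through every layer of a LUKS/LVM stack.
# Input is the output of:
#   lsblk -D -r -n -o NAME,TYPE,DISC-GRAN,DISC-MAX
# Constructed sample (not taken from the thread): the disk itself supports
# discard, but the dm-crypt mapping was opened without the "discard" option, so
# the logical volume above it cannot trim either.
SAMPLE_LSBLK='sda disk 512B 2G
sda1 part 512B 2G
sda2 part 512B 2G
sda2_crypt crypt 0B 0B
vg-root lvm 0B 0B'

# Print one line per crypt/lvm device whose discard granularity is 0B, i.e. a
# layer that silently swallows TRIM. Returns 0 if every such layer passes
# discards through, 1 otherwise.
check_discard_chain() {
    printf '%s\n' "$1" | awk '
        $2 == "crypt" || $2 == "lvm" {
            if ($3 == "0B") { printf "no-discard: %s (%s)\n", $1, $2; bad++ }
        }
        END { exit (bad > 0) }'
}

# On a live system, feed it real output instead of the sample:
#   check_discard_chain "$(lsblk -D -r -n -o NAME,TYPE,DISC-GRAN,DISC-MAX)"
# Fixes for flagged layers are the "discard" option in /etc/crypttab (dm-crypt)
# and "issue_discards = 1" in /etc/lvm/lvm.conf (LVM), followed by fstrim.
check_discard_chain "$SAMPLE_LSBLK"
```

Run with no arguments it audits the constructed sample and exits non-zero, which makes it usable as-is in a post-install sanity script.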