On 6/28/21 7:52 AM, piorunz wrote:
> Hi all,
> I've got an HP laptop that is about 5 years old, with a 240 GB SATA SSD.
> Debian Bullseye will be installed on it once it's released, as my
> secondary computer to use.
> I have a question regarding whole disk encryption. What technology
> should I use, to have encryption of everything, or at least /home, but
> preserve free blocks and have TRIM? I don't want encryption to use the
> entire drive as a "full" blob, I want to preserve the SSD's life. What
> solutions should I use? Thanks!

Booting a computer involves the motherboard firmware and one or more
stages of on-disk boot loaders. Boot loader stages, initial RAM
filesystem (initramfs), kernel, device drivers, system configuration
files, etc., must be available as plaintext when needed.

Software encryption (dm-crypt, Linux Unified Key System (LUKS), etc.)
for a system drive is typically applied to the swap, root, and/or data
partitions, but the master boot record (partition table and boot
loader), extensible firmware interface (EFI) system partition contents,
and boot partition contents are plaintext and easily modified by an
attacker with physical access. You will want a CPU with AES-NI or
equivalent to accelerate encryption/decryption (should get 90%+
performance). Without AES-NI, performance will be fractional.

The simplest way to protect a drive at rest (e.g. powered off) is to get
a self-encrypting drive (SED). The motherboard firmware prompts for the
passphrase after the power on self test (POST) and before reading the
drive. Once the SED passphrase is entered, the entire drive appears as
plaintext. Encryption/decryption is handled by hardware inside the
drive controller, at full performance.

I do not set the 'discard' (trim) option in fstab(5). If and when I
want to erase unused blocks (such as before taking an image), I use
fstrim(8).

I would not worry about wearing out a good SSD in a daily driver laptop.
I have been using Intel SSD 520 Series 2.5" SATA in my SOHO laptops,
desktops, and servers for many years; they all work and have available
lifespans in the high 90%'s.

Along with SED, I suggest that you also implement Secure Boot. This
provides cryptographic signatures and chain of trust for critical files,
such as boot loaders and the kernel, whenever those files are to be
executed (e.g. boot, dynamic loading, etc.).

Reset the CMOS settings to factory defaults, enable/verify Unified EFI
(UEFI) mode, enable/verify Secure Boot, and boot the Debian Installer
(d-i). Hopefully, everything should Just Work. If not, you may have to
modify the drive settings (Dell factory default for drives is 'RAID';
'ACPI' may be required). Take good notes, STFW, RTFM, and/or post here
if you have problems. Post your solution when you figure it out.

David
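An added example, not from this thread: a small Python audit of the two places where TRIM on an encrypted SSD is decided, the dm-crypt mapping (the `allow_discards` flag in `dmsetup table` output, which is what lets TRIM reach the SSD through the encryption layer) and fstab(5) (continuous `discard` versus the periodic fstrim(8) David prefers). The `dmsetup table` and fstab lines are constructed samples; the table format is the device-mapper crypt target's.

```python
# Constructed sample output of `dmsetup table` (not from the thread).
SAMPLE_TABLE = """\
sda2_crypt: 0 468862128 crypt aes-xts-plain64 :64:logon:cryptsetup:UUID-d0 0 8:2 32768 1 allow_discards
sda3_crypt: 0 16777216 crypt aes-xts-plain64 :64:logon:cryptsetup:UUID-d1 0 8:3 4096
vg0-swap: 0 2097152 linear 8:4 0
"""

# Constructed /etc/fstab: root uses continuous 'discard', /home does not.
SAMPLE_FSTAB = """\
UUID=1111-2222         /boot/efi  vfat  umask=0077                 0 1
/dev/mapper/sda2_crypt /          ext4  errors=remount-ro,discard  0 1
/dev/mapper/sda3_crypt /home      ext4  defaults                   0 2
"""

def parse_dmcrypt_table(line):
    """Parse one 'dmsetup table' line for a dm-crypt target.
    Format: [<name>:] <start> <len> crypt <cipher> <key> <iv_offset> <dev>
            <offset> [<#opt_params> <opt_param>...]
    Returns a dict, or None when the line is not a crypt target."""
    f = line.split()
    name = None
    if f and f[0].endswith(":"):       # prefix present when no device is named
        name, f = f[0][:-1], f[1:]
    if len(f) < 8 or f[2] != "crypt":
        return None
    opts = []
    if len(f) > 8:                     # optional parameter block
        n = int(f[8])
        opts = f[9:9 + n]
        if len(opts) != n:
            raise ValueError("truncated optional parameters: %r" % line)
    return {"name": name or f[6], "cipher": f[3], "opts": opts,
            "discards": "allow_discards" in opts}

def fstab_discard_mounts(fstab_text):
    """Mount points whose fstab options include 'discard' (continuous TRIM)."""
    hits = []
    for raw in fstab_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and "discard" in f[3].split(","):
            hits.append(f[1])
    return hits

def audit(table_text=SAMPLE_TABLE, fstab_text=SAMPLE_FSTAB):
    """Which mappings pass TRIM through, and which mounts rely on continuous discard."""
    crypt = [c for c in map(parse_dmcrypt_table, table_text.splitlines()) if c]
    return {"trim_passthrough": [c["name"] for c in crypt if c["discards"]],
            "trim_blocked": [c["name"] for c in crypt if not c["discards"]],
            "continuous_discard": fstab_discard_mounts(fstab_text)}
```

A mapping listed under `trim_blocked` will silently swallow fstrim(8) as well as continuous discard, so the SSD never learns which blocks are free; `trim_passthrough` restores that at the cost of revealing the free-block layout on the encrypted volume.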