On Sat, 26 Nov 2011 00:00:05 -0700 Bob Proulx <b...@proulx.com> wrote:
> J. Bakshi wrote: > > I am always interested in Full disk encryption for my laptop ( i5 + > > 3 GB ), but what makes me stop is the thinking of performance > > lag. Recently I have seen an ububtu laptop ( i5 + 4 GB ) with full > > disk encryption and it is performing normal, haven't found any > > lag... > > I have been using full disk encryption on my 2004 T42 1.7GHz Pentium M > with 1G ram without any significant performance issues. Before I > installed it I benchmarked building various projects of mine both on > an installation without encryption and then on an installation with > encryption. I don't have the data from that handy now but I recall it > being rather not a big deal. The safety of the encrypted disk was > much more significant. > > That was on my old 1.7GHz Pentium M with 1G of ram. Any faster > machine should perform better. Your i5 should blow it away on > performance. I wouldn't have a concern at all. > > > So I am interested to give the FUD a try on my own laptop. How can I > > proceed ? My laptop is debian wheezy with lots of important > > data.. so backup is must.. but what next ? What configuration will > > give me a better performance , LVM based or simple partition based ? > > Presently excluding swap I have 3 reiserfs partition for / ; /home > > and /movie ... no LVM. Like to hear some feedback from you guys.. > > AFAIK you cannot hot-convert your system. You will need to create the > filesystem fresh in order to have an encrypted filesystem. That > obviously means that you should back up everything and offline > someplace so that you can restore your files later. Because you can't > convert them in place. > > But it also means that you have the same opportunity that I had. > After backing everything up so that you can install a clean system you > should install several different configurations and then benchmark > each of those configurations. Keep track of the data so that you can > compare the performance of each. Nothing is as powerful as an actual > example with data. > > One configuration should be a fresh install with no encryption as a > control. That should be your baseline peak performance configuration. > One test case should use the smallest encryption key. One test case > should use a large encryption key. (IIRC you have choices of AES 128, > 196 and 256 bits or something like that.) Having data in your hand > you won't need to believe FUD and can use the results you have > determined. I am confident you won't have any reason not to use full > disk encryption. There will be a performance hit but it provides > safety that is unobtainable otherwise. > > The way I like to set up the system is to set up /boot in its own > partition on /dev/sda1. Then set up the rest of the disk in /dev/sda5 > as a logical partition for an encrypted partition. Then use that > encrypted partition for one large LVM volume. This includes swap. > You definitely want to encrypt swap along with everything else. Only > /boot is unencrypted so that it can ask you for the encryption key and > then load the operating system. Everything else goes into a large lvm > volume on a large encrypted partition. With only one encrypted > partition it will ask you for the passphrase only once. (Some people > make the mistake of creating many encrypted partitions and then get > asked the passphrase for each and every one of them at boot time. > Definitely not as friendly.) > > Then partition out space for swap and your choice of filesystem > partition assignments. For my laptop I put everything in one large > root partition. I am the sole user and it doesn't operate without me > in attendance and therefore I know what is going on with it. (For a > server I *always* split out /var and quite a few other partitions for > a small of a root partition as possible and resizable partitions for > dedicated applications.) > > Bob Hello Bob, Fell good to hear your experience. Thanks for the config and tips ... I'm doing some more reading on it. I am going for FDE soon :-) many many thanks -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111126130024.4a40d...@shiva.selfip.org