If you want to encrypt the filesystem, I would suggest encrypting individual partitions rather than the whole disk. If you have a multi-core (or multi-CPU) system, encryption of internal disks is not really an issue (performance-wise). However, if you wanted to encrypt some high-performance disks presented to the server from a disk array, that would be a different story. Run an openssl benchmark to see how much data one core from your system can encrypt/decrypt per second. Choose the encryption algorithm accordingly (if you want speed, AES-128 is pretty fast, or you can also choose Blowfish or Twofish if your system supports it).

Also, if your partitioning scheme is fine, encrypting /usr or root usually does not have any security benefits. If possible, encrypt sensitive data only - apart from a slight performance boost, it will make your life a bit easier in case of a system crash etc... I have no experience with encryption in RHEL but I am using encryption on two Gentoo systems and it works like a charm.

Regards,
Morgan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of solarflow99
Sent: Monday, December 06, 2010 9:03 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] RHEL 5.5 and disk encryption for production servers

I use LUKS encryption a lot, although not on RHEL 5.5, but it's the same thing. It's possible to encrypt everything except /boot, and when running top I could see dm-crypt was barely taking up any CPU load or throughput. If you want to resize a logical volume, though, then it has to be done at the command line and include the cryptsetup command; s-c-lvm can't handle encrypted volumes.

https://bugzilla.redhat.com/show_bug.cgi?id=517759

On Mon, Dec 6, 2010 at 10:54 AM, Musayev, Ilya <[email protected]> wrote:
> We are considering encrypting some of our production disks as an additional
> security measure. We are planning on using 5.5 in production in the near
> future. Previously, when 5.5 came out - we tested it in non-prod and
> discovered numerous bugs. The level of confidence for 5.5 release dropped
> sharply. Nevertheless, the bugs have been resolved and it appears to be
> stable now.
>
> Has anyone used the disk encryption on 5.5 in production? How much
> performance degradation (if any) have you experienced? What type of servers
> would you put encryption on and what would you avoid? Are you using whole
> disk or selected partitions?
>
> Thank you
> -ilya
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
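
The openssl benchmark suggested in the first reply can be turned into a quick sizing check. The script below is an added example, not part of the original thread: it reads the summary line of `openssl speed` output and compares one core's cipher throughput with the storage throughput. The sample benchmark output and the two storage figures (150 MB/s for an internal disk, 1200 MB/s for an array LUN) are constructed assumptions, and `openssl speed` measures the userspace library rather than the kernel crypto dm-crypt uses, so treat the result as an estimate.

```shell
#!/bin/sh
# Added example. Real use:
#   openssl speed -evp aes-128-cbc 2>/dev/null | core_mb_per_sec

# Constructed sample of the `openssl speed` summary; the figures are
# made up for illustration and were not measured on any system.
sample_speed_output() {
cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     610000.00k   650000.00k   680000.00k   700000.00k   705000.00k
EOF
}

# Read openssl speed output on stdin and print one core's throughput in
# MB/s for the largest block size (last column, given in 1000s of bytes/s).
core_mb_per_sec() {
    awk '$1 != "type" && $NF ~ /^[0-9.]+k$/ {
        v = $NF
        sub(/k$/, "", v)
        printf "%d\n", v / 1000
    }'
}

# Compare one core's cipher throughput with the storage throughput.
# $1 = core MB/s, $2 = storage MB/s (both integers).
# Prints "ok" when a single core keeps up, "cpu-bound" otherwise.
verdict() {
    if [ "$1" -ge "$2" ]; then
        echo ok
    else
        echo cpu-bound
    fi
}

core=$(sample_speed_output | core_mb_per_sec)
echo "one core: ${core} MB/s"
echo "internal disk (assumed 150 MB/s): $(verdict "$core" 150)"
echo "array LUN (assumed 1200 MB/s): $(verdict "$core" 1200)"
```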
