James Gregory <ja...@james.id.au> writes:

> I'm considering using device mapper's crypto support to encrypt the
> entirety of my laptop's drive. This is a fairly permanent thing to do,
> so I'm seeking some experiences with it to help me decide if it's a
> good idea or not.

It works for me, and means that I can do development on my laptop[1] without needing to worry about the data confidentiality issues that many of the other staff here face.

> I used it a few years back and found that it didn't play nice with
> XFS, causing frequent lockups, which wasn't really what I was looking
> for.

Well, zero problems on that front: I have this stack, all working correctly, including suspend to disk[2]:

    2 x SATA -> MD/RAID10 -> dm_crypt -> LVM pv -> LVM lv(s) -> XFS

> It also burned a lot of cycles, making stuff like my frequent grepping
> through source trees and image processing impractical. Now, the target
> machine is much faster (a Thinkpad x61, C2D), but I don't really know
> how C2D crypto performance compares to Pentium M, so it'd be good to
> hear about that too.

Well, that is going to depend on a whole lot of factors...

I run this on a T61p, 2.6GHz Core2 Duo system with 4GB RAM and, as noted, 2 7200RPM SATA disks in RAID10/f2 setup, so the system is hardly short on power.

I still find that it is a bit slow during very large writes, in that it can buffer quite a lot of writing and then slow down some from the encryption. OTOH, that is the only time that I really notice any performance cost; encryption never uses more than 5 to 8 percent of one 800MHz CPU, and disk reads are acceptable.

That could just be cache effects, though: with 4GB I seldom put memory pressure on the machine, so I don't really touch the relatively slow disk that often during normal work. I also run 'preload', which observes running software and preloads pages from disk that are likely to be wanted, helping reduce wait times for code to load.

I see that the CPU range for the X61 is all fairly acceptable, though, so I would expect reasonable performance. Certainly, this is a world of difference from the old Pentium-M machines — that CPU line should have been shot at birth, rather than inflicting their awful performance on the rest of us.

(Why, yes, I am slightly bitter having used a P4-M CPU for five years, about how awful it was, since you ask. ;)

Anyway, from experience having a RAID1, or better RAID10/f2, disk subsystem is probably the biggest contributor to performance: it turns the laptop from sluggish to pleasant, in my experience, regardless of the rest of the stack.

> Finally, if I do go ahead with it, what's the easiest way to do it? I
> recall Ubuntu having an alternative installer that could do it for me.
> Is that the best way to go?

I did that initially, on a RAID1 and AES-CBC, which was reasonable. After about nine months I spent a little while poking deeper into the issue and ended up moving to the RAID10/f2 layout and XTS encryption; while the advantages are mostly theoretical in the latter case, the former certainly improves I/O responsiveness.

In the latter case I took advantage of the use of LVM to split the mirror, create a degraded array and encrypt it, then pvmove the data across to the new stack.

> Any and all insights appreciated. Please CC me, as I'm not subscribed
> to the list.

I strongly advise that you do subscribe, at least while your questions are answered; certainly, I have little enthusiasm for responding to off-list questions compared to on-list ones.

Regards,
    Daniel

Footnotes:
[1] ...which is pleasant and comfortable.
[2] Technically, right now I don't have the last, but that is because the PITA graphics card requires non-free drivers. My own damn fault for compromising on that, I guess.

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
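The mirror-split migration Daniel describes (fail one half of the RAID1, build a degraded RAID10/f2 on it, LUKS-format it with XTS, pvmove the volume group across, then re-add the other disk), written up as an added shell script that is not part of the thread. Device names, array names and the volume group name are assumptions; with the default DRY_RUN=1 it only prints the command sequence.

```shell
#!/bin/sh
# Added example, not code from the thread. Migrates an LVM volume group from
# an existing RAID1 + dm-crypt stack onto a degraded RAID10/f2 + LUKS/XTS stack
# by splitting the mirror, as described in the reply. Device and VG names
# below are assumptions; DRY_RUN=1 (the default) only prints the commands.
set -eu

OLD_MD=${OLD_MD:-/dev/md0}            # existing RAID1 array (assumed)
OLD_CRYPT=${OLD_CRYPT:-cryptmd0}      # dm-crypt mapping over it, current LVM PV (assumed)
KEEP_DISK=${KEEP_DISK:-/dev/sda1}     # RAID1 half that keeps serving data (assumed)
MOVE_DISK=${MOVE_DISK:-/dev/sdb1}     # RAID1 half pulled out to build the new array (assumed)
NEW_MD=${NEW_MD:-/dev/md1}            # new RAID10 far-2 array (assumed)
NEW_CRYPT=${NEW_CRYPT:-cryptmd1}      # LUKS mapping over the new array (assumed)
VG=${VG:-vg0}                         # volume group being migrated (assumed)
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

migrate() {
    # 1. Split the mirror. From here until step 5 finishes resyncing there is
    #    only one copy of the data on each side, so take a backup first.
    run mdadm "$OLD_MD" --fail "$MOVE_DISK" --remove "$MOVE_DISK"
    # 2. Degraded RAID10 with the far-2 layout; "missing" reserves the slot
    #    for the other disk, which joins once the data has moved.
    run mdadm --create "$NEW_MD" --level=10 --layout=f2 --raid-devices=2 "$MOVE_DISK" missing
    # 3. Encrypt the new array with AES-XTS (512-bit key = two 256-bit halves).
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 "$NEW_MD"
    run cryptsetup open "$NEW_MD" "$NEW_CRYPT"
    # 4. Add the encrypted device as a PV and move every extent onto it.
    #    pvmove is restartable, so an interruption here is recoverable.
    run pvcreate "/dev/mapper/$NEW_CRYPT"
    run vgextend "$VG" "/dev/mapper/$NEW_CRYPT"
    run pvmove "/dev/mapper/$OLD_CRYPT"
    run vgreduce "$VG" "/dev/mapper/$OLD_CRYPT"
    # 5. Tear down the old stack and give its disk to the new array; md
    #    then resyncs and the RAID10 is no longer degraded.
    run cryptsetup close "$OLD_CRYPT"
    run mdadm --stop "$OLD_MD"
    run mdadm "$NEW_MD" --add "$KEEP_DISK"
}

migrate
```

Run it once with the default dry run to review the plan against your own device names before setting DRY_RUN=0 as root.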