Full Disk Encryption (LAPTOP users only)

[Hu]

If you do not have a backup mechanism for opening the drive, yes. I was looking only at the perspective of enabling unattended boot. For recovery in the event of a drive failure, you would also want to have a separate copy of the key file (preferably stored off site), or have the drive also accept a password you memorize.

[eccerr0r]

Anyone actually do this? :D

What do people do for servers in this case, assuming the main reason for encryption is for ensuring used drives do not contain recoverable data? Or do they just bite the bullet and password or keep a USB key with the encryption key on it (and eat the USB key if it fails... which isn't too bad as a 8MB USB key will be plenty big)?

I figure that for the server theft paranoia case, 2FA is needed (password protection with key on another drive) or perhaps password is sufficient, just that automated boot won't be possible.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[steve_v]

[pa4wdh]

[Leonardo.b]

On my laptop I have an encrypted partition for my personal files. I might do full disk encryption out of simplicity, but I never bothered to change.

I think USB pendrive have some magnetic component inside.
If you eat magnets, they may stick together inside your body, stuck somewhere, and kill you.
I don't raccomand this.
To eat an SD card should be much safer, IMHO.

[pjp]

[eccerr0r]

[szatox]

[eccerr0r]

was looking at some cryptsetup benchmark results and they are all very similar, except if you have AES-NI instructions then AES is much faster... Would be nice if there was one that was significantly faster, but I suppose the algorithms presented are all "military grade" (thought some were candidates for AES?) so that doesn't help much.

BTW when saying 1-step, it's one step per byte (unless when possibly using sse/mmx and of course aes-ni instructions) so it's still multiplied out by the number of bytes being worked with, and the cache misses caused by the extra code and the key that the cipher needs to constantly check...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

[eccerr0r]

Alas I view objects as want not - waste not. I know there are people out there that enjoy destroying things to little pieces, including using these things as target practice, etc. While some of these devices do get so old that their value is near zero, it's not exactly zero - even with the device nonfunctional. I'd be happy to give people drive heads or spindle motor or circuit board they could use to salvage another drive - as long as they don't try to recover my data on the disk.

There's still a nice chunk of high grade aluminum (the chassis -- how many beer cans could you make with a 3.5" disk chassis?) and neodymium "rare earth metals" in the drive, which are still valuable as long as it's not contaminated by mixing with other stuff like the steel cover. People can have the drive for recycling, as long as the data on the drive cannot be recovered.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[Hu]

In that case, you would need to disassemble the drive yourself and hand out the non-data portions to deserving recipients, but retain the platters for destruction - or just retain them until they become so old that any data on them is no longer relevant to anyone.

[eccerr0r]

Maybe the first time I see any indication of the drive will fail soon...encrypt it.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[skiwarz]

[dbtx]

[eccerr0r]

SSDs I'm not sure about what to do. Luckily most of the SSDs I have already expired their warranties so I have to eat them when they die.

Also, fortunately, SSDs have zero valuable components when they die, unlike hard drives...

---

As for an Athlon II x2, funny, I also set up a box specifically with a cryptoroot over RAID. Yes I feel a bit of sluggishness when I use it, but it's not nearly as bad as the Celeron 1200. The Athlon II is a significantly faster machine, however; though probably my expectations from the Athlon cryptoroot is just to exceed that of the Celeron 1200, which is not very hard to do...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[sublogic]

[dbtx]

[sublogic]

[forrestfunk81]

Using encrypted disks on my machines since almost 15 years now. And I never had significant performance issues.

Some years ago I started moving my EFI partition with kernels and initramfs to USB. That adds a second factor to the authentication (besides the encryption password).

My only machine without full disk encryption is a virtual server. I thought about setting up an initramfs with basic network support and sshd to decrypt the disk. I will probably do it next time when switching to a bigger storage.
_________________
# cd /pub/
# more beer

[eccerr0r]

I haven't tried FDE with my AES-NI capable machines but my core2 machines do hide the additional CPU consumption a bit, but indeed I can feel the slowdown if I'm streaming bytes to/from the disk. All earlier machines it's a huge performance hit (my 1.2GHz P3 (Celeron) is significantly impeded by the encryption).

One of my laptops does support AES-NI and is a candidate for FDE though Win7 would not be very compatible with cryptsetup... however my SSD would not like it as it depends on compression for speed and reducing blocks written.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[SiberianSniper]

My laptop has AES-NI and the encryption layer overhead hasn't been noticeable to me. Sure, it's a "portable workstation", but I'm not running anything too crazy on in.

The setup I use is *almost* FDE. The /boot partition is unencrypted, and I have a custom ramdisk to show a motd, set the keyboard rate (it sometimes registers key presses double if I don't), ask for the decryption passphrase, and run nyancat if it's entered incorrectly three times. The remainder of the drive is all one / partition on luks. I have a second drive for more user data, and it has two luks passphrases, one being a random-data file stored in /root so it can be mounted automatically, the other being one I know in case the first drive fails. This might not be the perfect setup, but it was pretty straightforward to build and has been more than adequate for me for the last few years.

[xgivolari]

Secure Boot + Unified Kernel / Initramfs image measured into the TPM + LUKS FDE with AES-NI + kernel lockdown because why not Although at the moment, the TPM decrypts my disk automatically at boot if the value of PCR 0 + 7 matches because I'm too lazy to enter two passwords I only use password-based decryption when I'm traveling or similar.

[duxsco]

On my laptop, I use unified kernel images, secure boot, measured boot (systemd-cryptenroll with TPM 2.0 pin), FDE and btrfs/mdadm RAID.

My disk layout looks basically like:

[oxensepp]

For me, a unencrypted system is out of question.
Still using Sakaki's encryption setup on laptop and desktop.
I like the fact of needing the USB key AND a passphrase to decrypt the system. (have two USB keys so I can eat one and still boot the machine...)

Of course I noticed that the sakaki tools are long outdated. I am searching an alternative. Is there really nothing similar?
The gentoo handbook does not cover encryption at all, does it?