qsuscs n00b
Joined: 11 Jan 2014 Posts: 6
Posted: Sun Feb 16, 2014 6:18 pm Post subject: SSD in notebook: Partitioning, LUKS/dm-crypt, LVM, swap
Hi there,
so I bought a new SSD for my notebook, a Crucial M500 CT240M500SSD1. Since a notebook is way easier to steal than a desktop (which has just plain ext4 on GPT), I want to encrypt the file system while being as SSD-friendly as possible.
- Partitioning: Is it enough to start on sector 2048 and align the partitions to Mebibytes?
- LUKS/dm-crypt: Is there a good list/comparison of available ciphers? I didn’t manage to find one. Also, the Intel Core i5-520M has AES extensions, so that should be quite fast, shouldn’t it?
I know that leaving the free space free is a security decrease, but it improves SSD lifetime. How do I set that?
- LVM: Same thing, are the volumes by default aligned on MiB boundaries?
Do I want that “thin” stuff?
- ext4: Is -o discard enough or should I enable other tweaks?
- swap: It is required for hibernate, but swapping to the SSD is to be avoided. Is it enough to set vm.swappiness=0?
szatox Advocate
Joined: 27 Aug 2013 Posts: 3150
Posted: Sun Feb 16, 2014 8:49 pm Post subject:
If you have hardware support for AES, it's a no-brainer, just use it.
Also, if you encrypt your partitions, don't forget to encrypt swap as well.
Setting swappiness to 0 means "don't use swap unless you run out of RAM space", so yeah, it's pretty much enough.
Do you have any reason to use LVM? You only have a single SSD, right?
I think LUKS doesn't write random stuff to empty space itself, and you have to initialize it yourself if you want to have it randomized. Refer to the manual to make sure though.
Hu Administrator
Joined: 06 Mar 2007 Posts: 21706
Posted: Sun Feb 16, 2014 9:56 pm Post subject:
Writing noise to the empty space can be useful to combat certain classes of cryptanalytic attacks. However, if your concern is only that you want to block the typical thief, encrypting the filesystems with a secure password should be sufficient.
qsuscs n00b
Joined: 11 Jan 2014 Posts: 6
Posted: Sun Feb 16, 2014 11:18 pm Post subject:
szatox wrote:
> Also, if you encrypt your partitions, don't forget to encrypt swap as well.
> Do you have any reason to use LVM? You only have a single SSD, right?
That's your answer
And yes, it’s a 12″ notebook, so only one 2.5″ drive.
I now partitioned with gdisk and aligned everything to Mebibytes and created the LUKS and all the LVM stuff just without any further options (cryptsetup luksFormat, pvcreate, vgcreate, lvcreate).
I have no particularly important data to hide (like e.g. a journalist like Glenn Greenwald), and I’m not that paranoid, so yes, it’s basically “blocking the typical thief”.
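The points raised in this thread (MiB alignment, AES hardware support, swap sitting on top of dm-crypt) can be checked read-only after setup. The script below is an added example, not part of any post; the device name `sda`, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for the layout discussed in this thread.
# Functions take their input as text so they can be tried on the samples below.

# sysfs reports partition starts in 512-byte units, so 1 MiB = 2048 units.
mib_aligned() {
    [ $(( $1 % 2048 )) -eq 0 ]
}

# True if the "flags" line of /proc/cpuinfo text lists the aes extension.
has_aesni() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw aes
}

# True if any layer under a device is dm-crypt. Input: output of
# `lsblk -s -rno NAME,TYPE <device>` (the device plus everything below it).
backed_by_crypt() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Constructed sample data (not taken from the poster's machine).
SAMPLE_CPUINFO='model name : constructed sample CPU
flags      : fpu vme sse2 ssse3 sse4_2 popcnt aes lahf_lm'
SAMPLE_SWAP_ON_LUKS='vg-swap lvm
cryptroot crypt
sda2 part
sda disk'
SAMPLE_SWAP_PLAIN='sda3 part
sda disk'

# Live run against a real system; /sys/block/sda is an assumed device name.
audit_live() {
    for f in /sys/block/sda/sda*/start; do
        [ -r "$f" ] || continue
        mib_aligned "$(cat "$f")" && echo "$f: aligned" || echo "$f: NOT aligned"
    done
    has_aesni "$(cat /proc/cpuinfo)" && echo "AES-NI: yes" || echo "AES-NI: no"
    tail -n +2 /proc/swaps | while read -r dev rest; do
        backed_by_crypt "$(lsblk -s -rno NAME,TYPE "$dev")" \
            && echo "$dev: encrypted" || echo "$dev: NOT encrypted"
    done
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with `--live` to check the running system; a swap file (rather than a swap device) is reported as not encrypted because `lsblk` cannot resolve it.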