On 01/27/2014 10:48 AM, Stephen Adler wrote:
> I've run across an interesting situation at where where I'm required to
> encrypt my desktop at home since it's owned by the government. Any
> advice on how to best setup an encrypted linux system? Preferably using
> some kind of encrypted hardware device which will not kill my disk IO
> rate?

I have been running software-based (nearly) whole disk encryption for my last three-or-so personal laptops and it works well. I am pleased with it.

/, /home, and my swap are all encrypted, only /boot is not, but that would be hard. (For real paranoia, put /boot on a thumbdrive--though true paranoia should not stop there.) Doing a suspend to encrypted swap is cool, unfortunately my current Linux installation doesn't seem to know how to do this on my current computer.

The speed seems good. I think that modern CPUs with DSP-instructions can easily keep up with modern disks, and that the only speed penalty is losing a little total compute power. I bet most of the time the disk remains the bottleneck and the CPU has plenty of cycles left over to do a little cryptography. Buy a lot of RAM, let Linux cache things...

I think you don't want hardware encryption. Probably more guff for little to no gain. (And buggier and more expensive.)

To set it up I used the Ubuntu installer, the one with the geeky VGA-text interface. As of Ubuntu 12.04 this was still confusing setting up the partitioning (LVM is always confusing, and one is stacking LVM and encryption and your file system in some order, and I always have to figure it out again). I think it would have been easy had I been willing to run defaults, but I like specifying details. It works.

-kb
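An added example, not part of the original post: a check that a machine actually has the layout described above (/, /home and swap on an encrypted layer, only /boot in plaintext). It parses `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output; the sample input and device names are constructed, and the LUKS-under-LVM ordering is an assumption.

```python
import re

# Constructed sample of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output for a
# LUKS-under-LVM layout; device names are illustrative, not from the post.
SAMPLE_LSBLK = '''\
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="dm-3" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_lsblk(text):
    """Return {kname: row dict} from lsblk key="value" pair output."""
    devices = {}
    for line in text.splitlines():
        row = dict(PAIR.findall(line))
        if "KNAME" in row:
            devices[row["KNAME"]] = row
    return devices

def is_encrypted(devices, kname):
    """Walk from a device up through its parents looking for a dm-crypt layer."""
    seen = set()
    while kname and kname in devices and kname not in seen:
        seen.add(kname)
        if devices[kname]["TYPE"] == "crypt":
            return True
        kname = devices[kname].get("PKNAME", "")
    return False

def audit_mounts(text):
    """Map each mount point (and swap) to whether it sits on dm-crypt."""
    devices = parse_lsblk(text)
    return {row["MOUNTPOINT"]: is_encrypted(devices, k)
            for k, row in devices.items() if row.get("MOUNTPOINT")}

def unexpected_plaintext(text, allowed=("/boot",)):
    """Mount points that are unencrypted and not on the allow-list."""
    return sorted(m for m, enc in audit_mounts(text).items()
                  if not enc and m not in allowed)

if __name__ == "__main__":
    for mount, enc in audit_mounts(SAMPLE_LSBLK).items():
        print(f"{mount:8} {'encrypted' if enc else 'PLAINTEXT'}")
    print("unexpected:", unexpected_plaintext(SAMPLE_LSBLK))
```

On a live system, feed it the real command output instead of the sample; a device with more than one parent (for example RAID members) appears on several lines and only the last one is kept by this sketch.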