Old 01-08-2010, 11:09 AM
randall
 
LVM+RAID+CRYPT

Sjors van der Pluijm wrote:

On Friday 8 January 2010 12:26:37, Stan Hoeppner wrote:


Sjors van der Pluijm put forth on 1/8/2010 5:13 AM:


3. Is it ok to have swap and /boot on an encrypted LVM?


Never run encryption on swap. Doing so merely burdens performance. I
doubt even NSA, CIA, MI6 encrypt swap partitions on workstations.

Well, I might have read wrong, but I thought the Debian installer warned me
not to leave swap unencrypted while other partitions are encrypted. It makes
sense too: sensitive content could easily be written to swap.



I maintain a few laptops with encryption and I developed the following
habit.


/ 10GB
/home the rest + encryption

These are fairly new laptops with 1GB of RAM or more; simply not
having any /swap solves the problem, and with enough RAM available I
never had any problem.


Not having the / root partition encrypted leaves some room for
troubleshooting, is the thought here, since the sensitive information is in
/home anyway.


Not sure if this is the best way to do this, but it's simple and works
nicely in my experience.


Randall






--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 01-08-2010, 11:51 AM
Sjors van der Pluijm
 
LVM+RAID+CRYPT

On Friday 8 January 2010 13:40:00, Γιώργος *άλλας wrote:
> Stan Hoeppner wrote:
> > Sjors van der Pluijm put forth on 1/8/2010 5:13 AM:
> >> 3. Is it ok to have swap and /boot on an encrypted LVM?
> >
> > Never run encryption on swap. Doing so merely burdens performance. I
> > doubt even NSA, CIA, MI6 encrypt swap partitions on workstations.
> >
> > I've never tried to boot from an encrypted /boot, so I really can't say
> > if it would work or not. Why can't/won't you create 3 partitions?
> >
> > [boot] 100MB mounted as /boot normal ext2
> > [swap] 1-8GB mounted as normal swap partition
> > [root] [remaining space] mounted as /root and encrypted however you like
>
> I run a couple of identical machines, some with full disk encryption
> (i.e. everything including swap except /boot which you cannot encrypt)
> and some where only home is encrypted with LUKS. Never noticed any
> performance impact. I think that swap encryption is *mandatory* for the
> reason of there being written many things that shouldn't in case they
> are sensitive. And I guess this why the approach of the debian installer
> should you choose to encrypt includes swap encryption.
>
> G.
>

Ok, getting a clear picture here.
I will have /boot and / on a separate partition. The remainder will be encrypted
and configured using LVM (/home, /tmp, /var and swap).

Thanks!


 
Old 01-08-2010, 01:04 PM
Cassiano Leal
 
LVM+RAID+CRYPT

2010/1/8 Γιώργος *άλλας <gpall@ccf.auth.gr>:
> Stan Hoeppner wrote:
>>
>> Sjors van der Pluijm put forth on 1/8/2010 5:13 AM:
>>
>>
>>>
>>> 3. Is it ok to have swap and /boot on an encrypted LVM?
>>>
>>
>> Never run encryption on swap. Doing so merely burdens performance. I
>> doubt
>> even NSA, CIA, MI6 encrypt swap partitions on workstations.
>>
>> I've never tried to boot from an encrypted /boot, so I really can't say if
>> it
>> would work or not. Why can't/won't you create 3 partitions?
>>
>> [boot] 100MB mounted as /boot normal ext2
>> [swap] 1-8GB mounted as normal swap partition
>> [root] [remaining space] mounted as /root and encrypted however you like
>>
>
> I run a couple of identical machines, some with full disk encryption (i.e.
> everything including swap except /boot which you cannot encrypt) and some
> where only home is encrypted with LUKS. Never noticed any performance
> impact. I think that swap encryption is *mandatory* for the reason of there
> being written many things that shouldn't in case they are sensitive. And I
> guess this why the approach of the debian installer should you choose to
> encrypt includes swap encryption.
>
> G.
>

I second most opinions here.

Mainly: NEVER leave swap unencrypted if encryption is for security
(i.e. anything more than just playing around with encryption) as any
data that's on your computer RAM might at some point be written to the
swap space and that has

Also, I would not leave / (root) unencrypted as that might hold
sensitive information too. In my work laptop I have custom entries in
/etc/hosts, I also have an apache/php setup that holds company info,
etc.

The recommended setup to encrypt everything but /boot is good and I
could not perceive any performance degradation (even though I'm sure
there must be some, it is not something that gets in my way).

Cheers,
Cassiano Leal


 
Old 01-08-2010, 02:23 PM
Jon Dowland
 
LVM+RAID+CRYPT

On Fri, Jan 08, 2010 at 12:13:14PM +0100, Sjors van der Pluijm wrote:
> Hi all,
>
> I have been using Debian for a few years now. For my new workstation I want to
> try something new. What I want to do:
> 1. Make a RAID1 using two SATA discs
> 2. Create one partition on the RAID
> 3. Encrypt that partition
> 4. Use LVM on the partition
>
> I can't find very much info on this setup and have some questions:
> 1. Is this a wise setup?

Be aware that RAID-1 in itself is no substitute for a backup
system.

That said, the order should be something like

physical devices partitioned identically, with a small-ish
boot (512M usually suffices) and the remaining space
dedicated to one large partition[1].

two software RAID devices

md0 - with the two small boot partitions as backing
md1 - with the large remaining partition as backing

Stick an ext3 filesystem on top of md0 and use it as /boot.

Then, format md1 as an LVM physical volume + plumb it into
a volume group.

Carve out a logical volume for /. I wouldn't bother
encrypting this myself, personally.

Carve out a logical volume for swap. I'd encrypt this with a
random key. mkswap the resulting block device.

Carve out a logical volume for your main user's $HOME. I'd
encrypt this with a passphrase of your choosing. I'd use
the LUKS settings as your encryption parameters, via device
mapper 'dm-crypt'. Stick an ext3 filesystem on top of the
resulting block device.

So, from bottom to top, the stacking order is

physical devices
DOS-style partition tables
MD RAID
LVM
dm-loop crypto where necessary

The reason for having the /boot outside of LVM is so that
bootloaders can read it OK. In the old days, grub would
read the kernel and initrd from one of the underlying
partitions (not understanding MD RAID itself) but that
worked fine, since all writing to the partitions was done
via the OS and thus through the MD RAID layer. Modern grubs
might be able to understand MD RAID, LVM, who knows what.

I would do all of the above steps using the debian-installer
if you are installing from scratch, with the exception of
your $HOME, which I would do by hand once the system was
installed. "luksformat" with the "-t ext3" option is a
useful shortcut for formatting a LVM logical volume with
dm-crypt and sticking a filesystem on top. I'd also use
"libpam-mount" to configure it to be unlocked with your
passphrase and mounted automatically on login.

Finally, unless you specify a separate /tmp and encrypt that
(and/or /var/tmp too), I would create a ~/tmp and ensure you
have TMPDIR pointing at it, or some apps might store some
working files in a non-encrypted location. You will find
that not all apps honour TMPDIR, so be prepared to file some
bugs )

> 3. Is it ok to have swap and /boot on an encrypted LVM?

swap yes, /boot no (your bootloader needs to read it. You
don't have anything confidential in your vmlinuz or
initramfs)

[1] For large hard drives, I create a medium-to-large
partition, rather than fill the disk. Just in case
I want to use some of the remaining space for a
non-Linux purpose. I can always create a new partition,
format it as an LVM physical volume and add it to my
existing volume group if I want the space in Linux after
all, further down the line.


--
Jon Dowland
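An added example, not from the thread or from Debian's own tooling: the crypttab and fstab lines for the random-key swap described above, plus a small audit that lists any active swap device not backed by a crypttab mapping (the thread's main worry). The names vg0, swap and cswap are placeholders, and the /proc/swaps content in demo() is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: the Debian crypttab/fstab lines for a
# random-key swap, and an audit that lists active swap devices not backed by
# a crypttab mapping. Names vg0, swap and cswap are placeholders; the sample
# /proc/swaps content in demo() is constructed.

# crypttab_swap_line NAME DEVICE
# A fresh key is read from /dev/urandom at every boot and the "swap" option
# runs mkswap on the new mapping, so nothing on disk survives a reboot.
# DEVICE must be a stable path (an LV path is; /dev/sdXN may not be), or the
# wrong block device gets overwritten.
crypttab_swap_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}

# fstab_swap_line NAME: mount the mapping, never the underlying LV.
fstab_swap_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# unencrypted_swaps SWAPS_FILE CRYPTTAB_FILE
# Reads a /proc/swaps-style listing and prints every swap device that is not
# a dm-crypt mapping declared in CRYPTTAB_FILE. Plain partitions and swap
# files are always reported; a /dev/mapper/* name is reported only when
# crypttab has no entry for it (a plain LVM volume also lives under
# /dev/mapper, so the name alone proves nothing).
unencrypted_swaps() {
    swaps=$1; crypttab=$2
    tail -n +2 "$swaps" | while read -r dev _type _size _used _prio; do
        case $dev in
        /dev/mapper/*)
            name=${dev#/dev/mapper/}
            if awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' "$crypttab"; then
                continue   # declared dm-crypt mapping
            fi
            ;;
        esac
        printf '%s\n' "$dev"
    done
}

# Constructed sample: one random-key swap mapping and one plain partition.
demo() {
    d=$(mktemp -d)
    printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$d/swaps"
    printf '/dev/mapper/cswap\tpartition\t2097148\t0\t-2\n' >> "$d/swaps"
    printf '/dev/sda5\tpartition\t2097148\t0\t-3\n' >> "$d/swaps"
    crypttab_swap_line cswap /dev/vg0/swap > "$d/crypttab"
    echo "crypttab: $(cat "$d/crypttab")"
    echo "fstab:    $(fstab_swap_line cswap)"
    echo "unencrypted swap still active:"
    unencrypted_swaps "$d/swaps" "$d/crypttab"   # prints /dev/sda5
    rm -rf "$d"
}

demo
```

On a live system run `unencrypted_swaps /proc/swaps /etc/crypttab`; an empty result means every active swap device is a declared mapping.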
 
Old 01-08-2010, 05:49 PM
Matthew Moore
 
LVM+RAID+CRYPT

On Friday January 8 2010 4:41:54 am Sjors van der Pluijm wrote:
> Just found out that /boot should not be in LVM because bootloaders might
> not understand it. /boot unencrypted does not seem to be the end of the
> world. http://tldp.org/HOWTO/LVM-HOWTO/benefitsoflvmsmall.html

Since we are being paranoid, what happens if the NSA breaks into your home
when you are asleep and installs a hypervisor on your /boot that records your
password/keyfile next time you decrypt?

The way that I have heard to prevent this type of attack is to store checksums
of every file in /boot on the encrypted partition and then verify those
checksums on startup.

MM


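An added example, not from the thread, of the checksum scheme described above: record a SHA-256 manifest of /boot on an encrypted volume and check it at startup, so a replaced kernel, initramfs, grub.cfg or added file is reported. It assumes GNU coreutils (sha256sum, comm); the directory used in demo() is a constructed stand-in for /boot.

```sh
#!/bin/sh
# Added example, not from the thread: keep a SHA-256 manifest of /boot on an
# encrypted volume and verify it at startup. Assumes GNU coreutils.

# abs_path PATH: make a relative path absolute (the checks cd into /boot).
abs_path() {
    case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$PWD" "$1" ;; esac
}

# make_boot_manifest BOOT_DIR MANIFEST
# Hashes every regular file under BOOT_DIR; paths are relative to BOOT_DIR so
# the manifest is stable across mount points. MANIFEST belongs on an
# encrypted filesystem (e.g. under an encrypted /root), never in /boot itself.
make_boot_manifest() {
    out=$(abs_path "$2")
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# verify_boot_manifest BOOT_DIR MANIFEST
# Returns 0 only if every recorded file is present and unchanged AND nothing
# has been added under BOOT_DIR (an extra file is the easiest thing to slip
# past a hash list that only checks known names). Differences are printed.
verify_boot_manifest() {
    boot=$1; manifest=$(abs_path "$2"); rc=0
    # 1. content: sha256sum -c flags modified or missing files.
    ( cd "$boot" && sha256sum --quiet -c "$manifest" ) || rc=1
    # 2. additions: compare the recorded path list with what is there now.
    #    sha256sum lines are "<64 hex><two spaces><path>", so the path
    #    starts at column 67.
    tmp=$(mktemp -d)
    cut -c67- "$manifest" | LC_ALL=C sort > "$tmp/recorded"
    ( cd "$boot" && find . -type f ) | LC_ALL=C sort > "$tmp/present"
    added=$(comm -13 "$tmp/recorded" "$tmp/present")
    rm -rf "$tmp"
    if [ -n "$added" ]; then
        printf 'ADDED: %s\n' "$added"
        rc=1
    fi
    return $rc
}

# Constructed demonstration on a throwaway directory standing in for /boot.
demo() {
    d=$(mktemp -d)
    mkdir "$d/boot"
    printf 'kernel' > "$d/boot/vmlinuz"
    printf 'initrd' > "$d/boot/initrd.img"
    make_boot_manifest "$d/boot" "$d/boot.sha256"
    verify_boot_manifest "$d/boot" "$d/boot.sha256" && echo "boot: clean"
    printf 'x' >> "$d/boot/vmlinuz"        # simulate a tampered kernel
    verify_boot_manifest "$d/boot" "$d/boot.sha256" || echo "boot: TAMPERED"
    rm -rf "$d"
}

demo
```

The verification runs from the already-booted system, so it detects a swapped /boot after the fact rather than preventing that boot; it is a detection control, not a substitute for bootloader-level verification.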
 
Old 01-08-2010, 06:38 PM
Stan Hoeppner
 
LVM+RAID+CRYPT

Matthew Moore put forth on 1/8/2010 12:49 PM:

> Since we are being paranoid, what happens if the NSA breaks into your home
> when you are asleep and installs a hypervisor on your /boot that records your
> password/keyfile next time you decrypt?

Until now I had no reason for an IMAP folder labeled "kook". Oh, wait, that's
because these messages go in the "trash" folder.



--
Stan


 
Old 01-08-2010, 06:42 PM
"Boyd Stephen Smith Jr."
 
LVM+RAID+CRYPT

In <4B47166D.8070401@hardwarefreak.com>, Stan Hoeppner wrote:
>Sjors van der Pluijm put forth on 1/8/2010 5:13 AM:
>> 3. Is it ok to have swap and /boot on an encrypted LVM?

Swap is okay. Boot depends on your boot loader. I don't know if grub2 can
handle this or not.

>Never run encryption on swap. Doing so merely burdens performance. I doubt
>even NSA, CIA, MI6 encrypt swap partitions on workstations.

BS. Encrypting swap is *critical*. If you do not, an attacker can use
differential cryptanalysis between what is swapped out and the ciphertext on
disk.

Before even generating the encryption keys for other devices, you should
change the mount options of your swap partition so that it is encrypted using
a random key and then remount it.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
 
Old 01-08-2010, 06:53 PM
Ross Boylan
 
LVM+RAID+CRYPT

On Fri, 2010-01-08 at 05:26 -0600, Stan Hoeppner wrote:
>
> Never run encryption on swap. Doing so merely burdens performance. I
> doubt
> even NSA, CIA, MI6 encrypt swap partitions on workstations.
This is completely contrary to the advice of the encryption folks. You
MUST encrypt swap in order for your system to be secure; otherwise
secrets in RAM may be recoverable from the swap partition.

The setup I've been using has 2 physical disks. Each disk has a boot
partition, a swap partition, and a big remaining partition.
I RAID (0 I think--simple mirroring--apparently anything fancier is
slower) the first and 3rd partitions.

The 3rd partition is all under LVM, and individual logical volumes
within it are encrypted (and fstab says to dynamically encrypt the
swap).

I do not RAID the swap (2nd partition), just to get more space (and
maybe it's faster).

I do encrypt the root partition, and I put encryption keys on it to
unlock the other partitions. This avoids having to enter pass-phrases
for every encrypted volume.

If you simply want to encrypt everything, it would be simpler to encrypt
the 3rd partition and then run LVM on top of it, i.e., bare disk : raid :
encryption : LVM physical volume : LVM logical volumes.

We have encountered one problem: when the first disk failed, we couldn't
boot off the second. I think it needs a different boot partition,
because mirroring the disk 1 partition to disk 2 means that disk 2
still tries to boot off disk 1 when it starts.

I'm not clear if the differences are really limited to the MBR of the
disks, in which case mirroring would still be OK. Not mirroring also
doesn't seem a great idea, since then disk 2 will get dated.

Anybody have any pointers about this?

I'm using grub, and got held up because the manual says (under the
install command)
<quote>
if REAL_CONFIG_FILE is present and STAGE2_FILE is a Stage 1.5, then
the Stage 2 CONFIG_FILE is patched with the configuration file name
REAL_CONFIG_FILE.
</quote>
This seems to say that installation modifies the stage 2 (really, 1.5)
file, which I think is in the partition, not the MBR. That implies as
soon as I boot, RAID will blow the changes away.

Ross Boylan


 
Old 01-08-2010, 07:51 PM
Alex Samad
 
LVM+RAID+CRYPT

On Fri, Jan 08, 2010 at 03:23:13PM +0000, Jon Dowland wrote:
> On Fri, Jan 08, 2010 at 12:13:14PM +0100, Sjors van der Pluijm wrote:
> > Hi all,

Hi

I have a few laptops which I encrypt for work

> >
> > I have been using Debian for a few years now. For my new workstation I want to
> > try something new. What I want to do:
> > 1. Make a RAID1 using two SATA discs
> > 2. Create one partition on the RAID
> > 3. Encrypt that partition
> > 4. Use LVM on the partition
> >
> > I can't find very much info on this setup and have some questions:
> > 1. Is this a wise setup?
>
> Be aware that RAID-1 in itself is no substitute for a backup
> system.
>
> That said, The order should be something like
>
> physical devices partitioned identically, with a small-ish
> boot (512M usually suffices) and the remaining space
> dedicated to one large partition[1].

I like my /boot to be around 1G up to about 2G. Why? Because it is
unencrypted you have easy access to it, so I like to have a toolkit of
stuff here to help when things go wrong, and with the size of drives
today 1G is nothing big.

>
> two software RAID devices
>
> md0 - with the two small boot partitions as backing
> md1 - with the large remaining partition as backing
>
> Stick an ext3 filesystem on top of md0 and use it as /boot.

Remember to grub-install (with grub2) to sda and to sdb (that should solve your failed
boot attempt when 1 drive dies). A minor thing: I would use ext2, no need
for journaling; in fact most times I would say you could get away with
loading it read only.

>
> Then, format md1 as an LVM physical volume + plumb it into
> a volume group.
>
> Carve out a logical volume for /. I wouldn't bother
> encrypting this myself, personally.
>
> Carve out a logical volume for swap. I'd encrypt this with a
> random key. mkswap the resulting block device.
>
> Carve out a logical volume for your main user's $HOME. I'd
> encrypt this with a passphrase of your choosing. I'd use
> the LUKS settings as your encryption parameters, via device
> mapper 'dm-crypt'. Stick an ext3 filesystem on top of the
> resulting block device.

Depending on needs and usage I would

create 1 big lvm lv, use it as /root, and 1 lvm lv for swap. If you think
you are going to be doing a lot of work with files locally which are
going to run into performance issues (rendering video/media) then carve
out an lvm which you will not encrypt. But the first 2 (root & swap) I
would encrypt.

>
> So, from bottom to top, the stacking order is
>
> physical devices
> DOS-style partition tables
> MD RAID
> LVM
> dm-loop crypto where necessary
>
> The reason for having the /boot outside of LVM is so that
> bootloaders can read it OK. In the old days, grub would
> read the kernel and initrd from one of the underlying
> partitions (not understanding MD RAID itself) but that
> worked fine, since all writing to the partitions was done
> via the OS and thus through the MD RAID layer. Modern grubs
> might be able to understand MD RAID, LVM, who knows what.
>
> I would do all of the above steps using the debian-installer

I have done this with the debian installer

> if you are installing from scratch, with the exception of
> your $HOME, which I would do by hand once the system was
> installed. "luksformat" with the "-t ext3" option is a
> useful shortcut for formatting a LVM logical volume with
> dm-crypt and sticking a filesystem on top. I'd also use
> "libpam-mount" to configure it to be unlocked with your
> passphrase and mounted automatically on login.
>
> Finally, unless you specify a separate /tmp and encrypt that
> (and/or /var/tmp too), I would create a ~/tmp and ensure you
> have TMPDIR pointing at it, or some apps might store some
> working files in a non-encrypted location. You will find
> that not all apps honour TMPDIR, so be prepared to file some
> bugs )
>
> > 3. Is it ok to have swap and /boot on an encrypted LVM?
>
> swap yes, /boot no (your bootloader needs to read it. You
> don't have anything confidential in your vmlinuz or
> initramfs)
>
> [1] For large hard drives, I create a medium-to-large
> partition, rather than fill the disk. Just in case
> I want to use some of the remaining space for a
> non-Linux purpose. I can always create a new partition,
> format it as an LVM physical volume and add it to my
> existing volume group if I want the space in Linux after
> all, further down the line.
>
>



--
"All up and down the different aspects of our society, we had meaningful discussions. Not only in the Cabinet Room, but prior to this and after this day, our secretaries, respective secretaries, will continue to interact to create the conditions necessary for prosperity to reign."

- George W. Bush
05/19/2003
Washington, DC
 
Old 01-08-2010, 08:32 PM
Stan Hoeppner
 
LVM+RAID+CRYPT

Ross Boylan put forth on 1/8/2010 1:53 PM:
> On Fri, 2010-01-08 at 05:26 -0600, Stan Hoeppner wrote:
>>
>> Never run encryption on swap. Doing so merely burdens performance. I
>> doubt
>> even NSA, CIA, MI6 encrypt swap partitions on workstations.

> This is completely contrary to the advice of the encryption folks.

Car salesmen want to sell you a new car too, not that you necessarily need a new
one.

> You MUST encrypt swap in order for your system to be secure; otherwise
> secrets in RAM may be recoverable from the swap partition.

*MUST*? Always be careful when stating absolutes. There is always more than
one way to skin a cat. Such as adding the following to rc.local:

/sbin/swapoff -a
/bin/dd if=/dev/zero of=/dev/sda5

changing sda5 to your swap partition device ID or filename if you're using a
swap file instead of a partition. Depending on your disk speed and swap device
size it'll add anywhere from 15 secs up to a minute or so to your shutdown time.
But your swap will be zeroed. Zeros can't be decrypted, even if a cracker
somehow got hold of the keys to the kingdom.

--
Stan


 
