Hi: I'll probably get a Latitude D610, and because I'll work with sensible information I was considering the encrypted filesystem option on SuSE 9.2 in case the laptop is stolen or something like that, but I'm not sure about how it works. Maybe it's not practical to encrypt +/- 20GB of data and pretend to work normally with that every day. Any hints? Thanks in advance. CI.-
High Ciro,
If you use SuSE it'll allow you to use an encrypted partition; at bootup you can provide the password. So while you're working everything is transparent, and it'll protect your data when your shut-down notebook gets stolen. kr=
Hi, On Sat, 4 Jun 2005 09:52:23 +0200 (CEST) kris carlier <.> wrote:
If you use SuSE it'll allow you to use an encrypted partition; at bootup you can provide the password. So while you're working everything is transparent, and it'll protect your data when your shut-down notebook gets stolen.
100% correct. With the encrypted filesystem you can really work transparently. At bootup the password (20< chars) will be asked and in case provided, you will have the partition as in any other case. But if no password was typed in, that filesystem is (of course) not visible. You can still mount it, but there is no chance to get it up and running without the password. I use an encrypted ext3 partition in my daily work and I'm happy with it. Pelibali
pelibali wrote:
100% correct. With the encrypted filesystem you can really work transparently. At bootup the password (20< chars) will be asked and in case provided, you will have the partition as in any other case. But if no password was typed in, that filesystem is (of course) not visible. You can still mount it, but there is no chance to get it up and running without the password.
I use an encrypted ext3 partition in my daily work and I'm happy with it.
Pelibali
More precisely, the user is asked for the password at the time the partition is *mounted*. Yes, this can be at bootup but need not be.
-- A lot of us are working harder than we want, at things we don't like to do. Why? ...In order to afford the sort of existence we don't care to live. -- Bradford Angier
2005/6/4, ken <gebser@speakeasy.net>:
More precisely, the user is asked for the password at the time the partition is *mounted*. Yes, this can be at bootup but need not be.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Thanks a lot for the answers, but I'm really worried about the performance. Let's say I want to encrypt a 20Gb /home partition: I don't want to wait +15 minutes for the encryption process to finish every time I shut down the laptop. Is that the way it works, or is it faster? I've never used it. Ciro
Ciro, On Saturday 04 June 2005 19:35, Ciro Iriarte wrote:
...
Thanks a lot for the answers, but I'm really worried about the performance. Let's say I want to encrypt a 20Gb /home partition: I don't want to wait +15 minutes for the encryption process to finish every time I shut down the laptop. Is that the way it works, or is it faster? I've never used it.
The contents of the disk are not decrypted and encrypted en masse at startup and shutdown. The on-disk data stays encrypted at all times. Only when data is read is it decrypted, and data written to disk files is encrypted before being sent to the disk. Throughput to an encrypted volume will be somewhat slower than to a non-encrypted volume on an otherwise identical disk, but probably not so much as to be bothersome.
Ciro
Randall Schulz
2005/6/4, Randall R Schulz <rschulz@sonic.net>:
The contents of the disk are not decrypted and encrypted en masse at startup and shutdown. The on-disk data stays encrypted at all times. Only when data is read is it decrypted, and data written to disk files is encrypted before being sent to the disk.
Throughput to an encrypted volume will be somewhat slower than to a non-encrypted volume on an otherwise identical disk, but probably not so much as to be bothersome.
Ciro
Randall Schulz
Thanks a lot, I'll try it. Ciro
Hello, On Sunday, 5 June 2005 06:44, Ciro Iriarte wrote: [encrypted filesystem]
Thanks a lot, I'll try it
Some notes about security:
Avoid suspend to disk - the password of the encrypted partition will be written to swap (in clear text!) - you don't need to type it at resume. (You can avoid this by unmounting the encrypted partition before suspend.)
Put /tmp and /var (with symlinks) onto your encrypted partition to avoid unencrypted tempfiles, MySQL databases, ... with private data [1]. Please note that you _have to_ mount the encrypted partition on boot, otherwise many applications will fail (because they cannot create tempfiles or open something in /var/.)
If you are really paranoid ;-) read /usr/share/doc/howto/en/html/Encrypted-Root-Filesystem-HOWTO/
It's also possible to have encrypted swap, but I didn't test this yet ;-) (If you are interested, just ask. I'll translate the mail I've recently seen in suse-laptop.)
About performance: I didn't experience a noticeable performance loss in my daily work. Maybe it's slightly different when working with really large files (like diskimages), but usually the harddisk performance (and not the CPU for encryption/decryption) is the limiting factor.
Regards, Christian Boltz
[1] given you encrypt /home:
- /tmp can be a symlink to /home/tmp
- most directories in /var can be symlinks to /home/var/$dirname (except /var/log, /var/lock and /var/run which would need more tuning ;-)
This is how it looks on my system:
# ls -l /tmp /var
lrwxrwxrwx 1 root root 10 2005-05-06 18:55 /tmp -> /home/tmp//

/var:
lrwxrwxrwx 1 root root 17 2005-05-06 21:08 account -> /home/var/account/
lrwxrwxrwx 1 root root 13 2005-05-06 21:08 adm -> /home/var/adm/
lrwxrwxrwx 1 root root 15 2005-05-06 21:08 cache -> /home/var/cache/
lrwxrwxrwx 1 root root 13 2005-05-06 21:08 cvs -> /home/var/cvs/
lrwxrwxrwx 1 root root 15 2005-05-06 21:08 games -> /home/var/games/
lrwxrwxrwx 1 root root 13 2005-05-06 21:08 lib -> /home/var/lib/
drwxrwxr-t 4 root uucp 4096 2005-06-05 10:20 lock/
drwxr-xr-x 9 root root 4096 2005-06-05 10:02 log/
lrwxrwxrwx 1 root root 14 2005-05-06 21:08 mail -> /home/var/mail/
lrwxrwxrwx 1 root root 13 2005-05-06 21:08 opt -> /home/var/opt/
drwxr-xr-x 17 root root 4096 2005-06-05 10:02 run/
lrwxrwxrwx 1 root root 15 2005-05-06 21:08 spool -> /home/var/spool/
lrwxrwxrwx 1 root root 13 2005-05-06 21:08 tmp -> /home/var/tmp/
lrwxrwxrwx 1 root root 15 2005-05-06 21:08 X11R6 -> /home/var/X11R6/
lrwxrwxrwx 1 root root 12 2005-05-06 21:08 yp -> /home/var/yp/
-- The next DAU (dumbest assumable user) is bound to come. They are being bred in the cellars of AOL. [Dieter Bruegmann in dag°]
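The symlink layout described in the message above can be checked mechanically. The following is an added example, not part of the original thread: a shell function (the name `audit_plaintext_dirs` and its two arguments are assumptions of this example) that resolves /tmp and every /var subdirectory and reports any that do not land under the encrypted mount point, skipping /var/log, /var/lock and /var/run as the footnote does. It assumes nothing else is mounted below the encrypted mount point.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Usage: audit_plaintext_dirs ROOT ENC_MOUNT
#   ROOT      "/" on a live system, or a scratch tree for a dry run
#   ENC_MOUNT mount point of the encrypted partition, e.g. /home
# Prints "ok <dir>", "skip <dir>" or "PLAINTEXT <dir>" per directory.
# Returns 0 if every checked directory resolves onto ENC_MOUNT,
# 1 if at least one does not, 2 if ENC_MOUNT does not exist.
audit_plaintext_dirs() {
    root=${1%/}
    # Physical (symlink-free) path of the encrypted mount point.
    enc=$(cd "$root$2" 2>/dev/null && pwd -P) || {
        echo "no such mount point: $2" >&2
        return 2
    }
    rc=0
    for d in "$root/tmp" "$root"/var/*; do
        [ -d "$d" ] || continue
        name=${d#"$root"}
        case $name in
            # Left unencrypted in the layout from the thread.
            /var/log|/var/lock|/var/run) echo "skip $name"; continue ;;
        esac
        # Follow symlinks to where the data is really stored.
        real=$(cd "$d" && pwd -P)
        case $real/ in
            "$enc"/*) echo "ok $name" ;;
            *) echo "PLAINTEXT $name"; rc=1 ;;
        esac
    done
    return $rc
}
```

On a live system it would be called as `audit_plaintext_dirs / /home`; any `PLAINTEXT` line names a directory whose contents would still be readable on a stolen disk.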
Hi All.
Which algorithms are used to encrypt the partition? Regards. Dominik
participants (7): Christian Boltz, Ciro Iriarte, Dominik Składanowski, ken, kris carlier, pelibali, Randall R Schulz