[Haifux] Whole disk encryption, because it costs nothing?

Zaar Hai haizaar at gmail.com
Mon Jan 11 23:04:53 MSK 2010


I'm encrypting both of my servers "till the last track" - i.e. every
LVM volume. Only /boot is left unencrypted. This way I do not need to
care whether I've left something uncovered. Sure, there is a
performance penalty. But they run pretty smoothly considering that they
are under constant heavy load (developers + NX + C++ coding). For
example, on an 8 GB RAM computer with a quad-core 3.2 GHz Intel Core 2, I can
compile Firefox in 7 minutes with make -j 10.

On Mon, Jan 11, 2010 at 7:00 PM, Eli Billauer <eli at billauer.co.il> wrote:
> Hello,
>
>
> I suppose that by now some of you have realized that I'm working on
> setting up my new computer. ;)
>
>
> The new question is whether I should encrypt the whole hard disk,
> including the swap partition (minus, possibly, a read-only mounted
> /boot). Just so I don't need to worry in case my computer gets stolen
> for worth in metal one day.
>
>
> Mind you, I have a quadcore (the kernel counts 8 CPUs), and I plan on
> hardware RAID-5 (Intel P55) with three 1 TB hard disks, not yet
> implemented (when I upgrade, I upgrade). RAM sums up to 4 GB.
>
>
> So I ran a small test. /secret is an encrypted partition. My home
> directory is not. While the encrypted write ran, I had more or less one
> CPU at 100% and seven others doing nothing. The results below are
> consistent and repeatable on my computer. Reads to /dev/null take
> grossly the same time as write.
>
>
> [eli@short ~]$ time dd if=/dev/zero of=/secret/zeros.delme bs=1M count=16k
> 16384+0 records in
> 16384+0 records out
> 17179869184 bytes (17 GB) copied, 158.784 s, 108 MB/s
>
> real    2m38.822s
> user    0m0.015s
> sys    0m13.655s
> [eli@short ~]$ time dd if=/dev/zero of=zeros.delme bs=1M count=16k
> 16384+0 records in
> 16384+0 records out
> 17179869184 bytes (17 GB) copied, 228.711 s, 75.1 MB/s
>
> real    3m49.069s
> user    0m0.010s
> sys    0m25.029s
>
>
> Aha! Encryption actually speeds up the write! Well, not really, I
> suppose. Maybe it has to do with /secret being untouched until now, and
> the cleartext disk being somewhat fragmented by now.
>
>
> But this little test makes me wonder if I pay anything at all for this
> (except for a piece of unused CPU power). If there is any reason in the
> world not to encrypt the whole chunk.
>
>
> Inputs are welcome.
>
>   Eli
>
> --
> Web: http://www.billauer.co.il
>
> _______________________________________________
> Haifux mailing list
> Haifux at haifux.org
> http://hamakor.org.il/cgi-bin/mailman/listinfo/haifux
>



-- 
Zaar
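
A repeatable form of the dd comparison quoted above, as an added example that is not part of the original thread: each write is timed through a final fsync and the median of several runs is reported, so the page cache and one-off variation weigh less. The function names, the directory arguments, the default size and the run count are assumptions; GNU dd and date are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Directory arguments, default size and
# run count are assumptions; the thread compared /secret with a home directory.

# write_mbps DIR SIZE_MB: write SIZE_MB MiB of zeros to a temp file in DIR,
# wait for the data to reach the device, print throughput in MiB/s.
write_mbps() {
    f=$(mktemp "$1/ddtest.XXXXXX") || return 1
    rc=0
    start=$(date +%s.%N)
    # conv=fsync: dd returns only after the data is flushed, so the timing
    # covers the encryption and the disk, not just the page cache.
    dd if=/dev/zero of="$f" bs=1M count="$2" conv=fsync 2>/dev/null || rc=$?
    end=$(date +%s.%N)
    rm -f "$f"
    [ "$rc" -eq 0 ] || return 1
    awk -v s="$start" -v e="$end" -v mb="$2" 'BEGIN {
        d = e - s; if (d <= 0) d = 0.001   # clock too coarse for a tiny run
        printf "%.1f\n", mb / d }'
}

# median_mbps DIR SIZE_MB RUNS: median of RUNS measurements.
median_mbps() {
    i=0
    while [ "$i" -lt "$3" ]; do
        write_mbps "$1" "$2" || exit 1   # exits only the pipeline subshell
        i=$((i + 1))
    done | sort -n | awk '{ v[NR] = $1 } END { if (NR) print v[int((NR + 1) / 2)] }'
}

# Usage: sh ddcompare.sh ENCRYPTED_DIR PLAIN_DIR [SIZE_MB] [RUNS]
if [ "$#" -ge 2 ]; then
    enc=$(median_mbps "$1" "${3:-1024}" "${4:-3}")
    plain=$(median_mbps "$2" "${3:-1024}" "${4:-3}")
    echo "encrypted: ${enc} MiB/s, plaintext: ${plain} MiB/s"
fi
```

Running both directories on the same physical disk, with a size well above what the drive's own cache can absorb, keeps the two numbers comparable.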


