Rich Freeman on 8 Jan 2011 17:30:23 -0800



Re: [PLUG] Linux n00b question


On Sat, Jan 8, 2011 at 6:08 PM, JP Vossen <jp@jpsdomain.org> wrote:
> This is especially important
> for whole-disk encryption, which we should all have at least on our laptops,
> right?
>

I haven't messed around with full-disk encryption yet - it makes me a
bit nervous and of course there is the need to enter a password on
bootup unless you have some kind of TPM-based solution like ChromeOS.

One thing I have used is encrypted swap - it is pretty easy to set up
and while it costs you CPU there is really no risk to data, since
nothing in swap persists a reboot anyway.  Oh, this won't work if you
suspend to swap (unless you use a fixed encryption key).  On each boot
I generate a random encryption key, mount an encrypted loop with that
key, and then do a swapon.  This means that random stuff that ends up
in memory doesn't get leaked into swap (gpg keys, etc - though good
implementations of these kinds of tools will lock this memory anyway).

As far as swap size goes - I tend to be pretty liberal with swap, but
my use case is not typical.  I run Gentoo so it isn't unusual to be
running Ant or building chromium/firefox/openoffice/etc which REALLY
gobble RAM.  I also make pretty liberal use of tmpfs to speed up
compile performance (intermediate files never touch the disk unless
the build is large).  In theory tmpfs plus a ton of swap shouldn't be
any worse in performance than a regular drive.  In practice I've found
that the kernel doesn't always swap things wisely and so I do tend to
build on actual disk for things that are literally going to use
gigabytes of space (chromium comes to mind - largely due to Google's
tendency to rebundle every library that is already on your PC in it
from webkit to sqlite/etc - something Gentoo has slowly been undoing).
They do the same with the Android SDK including a version of SWT
that gives some people problems.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
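
The boot-time procedure described in the message above (fresh random key, encrypted device, swapon), as an added example that is not part of the original post. It assumes dm-crypt through `cryptsetup` in plain mode rather than the encrypted loop device the post mentions; the mapping name `cryptswap` and the function names are made up for this example. It also refuses to run when the kernel command line shows the device may be used for suspend-to-disk, the caveat the post raises.

```shell
#!/bin/sh
# Added example: per-boot random-key swap. Function names and the default
# mapping name "cryptswap" are assumptions of this example.

# Print the value of resume= from a kernel command line string, or nothing.
resume_device() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^resume=//p' | tail -n 1
}

# Resolve symlinks such as /dev/disk/by-id/...; fall back to the input.
canon() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }

# Return 0 if a throwaway key is safe for device $2 given command line $1.
# A hibernation image written to swap cannot be read back after the key
# is regenerated, so a matching resume= device is refused.
random_key_safe() {
    resume=$(resume_device "$1")
    case "$resume" in
        "")     return 0 ;;   # no suspend-to-disk configured
        /dev/*) [ "$(canon "$resume")" != "$(canon "$2")" ] ;;
        *)      return 1 ;;   # UUID=/LABEL= form: cannot compare, refuse
    esac
}

# Map the device with a key read from the kernel RNG, then enable swap.
# Plain mode writes no header, so nothing on disk identifies the key.
setup_random_key_swap() {
    dev=$1
    name=${2:-cryptswap}
    if ! random_key_safe "$(cat /proc/cmdline)" "$dev"; then
        echo "refusing: $dev may hold a hibernation image" >&2
        return 1
    fi
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$dev" "$name" &&
    mkswap "/dev/mapper/$name" >/dev/null &&
    swapon "/dev/mapper/$name"
}

# Only touches the system when asked to, as root:
#   sh random-key-swap.sh --apply /dev/<swap-partition>
if [ "${1:-}" = "--apply" ]; then
    setup_random_key_swap "${2:?usage: --apply DEVICE}"
fi
```

The existing contents of the device are destroyed by `mkswap`, so the argument must be a partition dedicated to swap.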