Art Alexion on 9 Jan 2011 04:20:30 -0800



Re: [PLUG] Linux n00b question




On Jan 8, 2011, at 8:30 PM, Rich Freeman <r-plug@thefreemanclan.net> wrote:

> On Sat, Jan 8, 2011 at 6:08 PM, JP Vossen <jp@jpsdomain.org> wrote:
>> This is especially important
>> for whole-disk encryption, which we should all have at least on our laptops,
>> right?
>> 
> 
> I haven't messed around with full-disk encryption yet - it makes me a
> bit nervous and of course there is the need to enter a password on
> bootup unless you have some kind of TPM-based solution like ChromeOS.
> 
> One thing I have used is encrypted swap - it is pretty easy to set up
> and while it costs you CPU there is really no risk to data, since
> nothing in swap persists a reboot anyway.  Oh, this won't work if you
> suspend to swap (unless you use a fixed encryption key).  On each boot
> I generate a random encryption key, mount an encrypted loop with that
> key, and then do a swapon.  This means that random stuff that ends up
> in memory doesn't get leaked into swap (gpg keys, etc - though good
> implementations of these kinds of tools will lock this memory anyway).
> 
> As far as swap size goes - I tend to be pretty liberal with swap, but
> my use case is not typical.  I run Gentoo so it isn't unusual to be
> running Ant or building chromium/firefox/openoffice/etc which REALLY
> gobble RAM.  I also make pretty liberal use of tmpfs to speed up
> compile performance (intermediate files never touch the disk unless
> the build is large).  In theory tmpfs plus a ton of swap shouldn't be
> any worse in performance than a regular drive.  In practice I've found
> that the kernel doesn't always swap things wisely and so I do tend to
> build on actual disk for things that are literally going to use
> gigabytes of space (chromium comes to mind - largely due to Google's
> tendency to rebundle every library that is already on your PC in it
> from webkit to sqlite/etc - something Gentoo has slowly been undoing).
> They do the same with the android SDK including a version of SWT
> that gives some people problems.
> 

I got burnt with /home encryption, and am reluctant to use it again. Of course, it was my fault, but it was an easy mistake to make. 

Ubuntu makes setting this up and using it pretty easy and transparent to the user, and that was the problem. That is, it was so transparent that I forgot it was encrypted when I did a fresh install of the OS and did nothing to preserve the keys in the process. 

Again, it was my fault, but it was one of those rare "too easy" situations. 

-- 
Art Alexion
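The per-boot random-key swap scheme Rich describes, written out as an added example that is not part of this thread or any of its posters' setups. It assumes cryptsetup (dm-crypt) is installed and that the swap partition is referenced by a stable path such as /dev/disk/by-partuuid/<uuid> (a placeholder); as the thread notes, this swap cannot be resumed from after hibernation because the key is discarded at shutdown.

```shell
#!/bin/sh
# Added example: encrypted swap keyed from /dev/urandom on every boot.
# The mapped device is formatted with mkswap at each boot, so nothing in it
# survives a reboot and the key never exists outside kernel memory.
set -eu

# The /etc/crypttab entry that does this at boot: key read from /dev/urandom,
# plain dm-crypt (no LUKS header), and the "swap" option runs mkswap on the
# mapped device. Pair it with "/dev/mapper/cryptswap none swap sw 0 0" in fstab.
cryptswap_crypttab_line() {
    dev="$1"
    printf 'cryptswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$dev"
}

# Because mkswap runs on every boot, pointing this at /dev/sdX risks wiping
# whichever disk happens to enumerate under that name. Only accept paths that
# identify the partition stably.
cryptswap_check_device() {
    case "$1" in
        /dev/disk/by-partuuid/*|/dev/disk/by-id/*|/dev/disk/by-path/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Manual equivalent of the crypttab entry; run as root, before swapon.
cryptswap_setup() {
    dev="$1"
    cryptswap_check_device "$dev" || { echo "refusing unstable device path: $dev" >&2; return 1; }
    # --key-file /dev/urandom reads a fresh 256-bit key; plain mode has no header to leak.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$dev" cryptswap
    mkswap /dev/mapper/cryptswap
    swapon /dev/mapper/cryptswap
}
```

Call `cryptswap_setup /dev/disk/by-partuuid/<uuid>` from an early boot script, or install the crypttab line and let the init system do the same.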
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug