Differences

This shows you the differences between two versions of the page.

linux:fs:luks [2017/04/21 17:13] – [Setup /dev/sda5 as LUKS device:] niziak
linux:fs:luks [2021/02/17 08:51] (current) niziak
Line 1: Line 1:
-[[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system|https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system]]+[[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system|https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system|dm-crypt/Encrypting an entire system]]
  
 ====== LUKS on LVM vs LVM on LUKS ====== ====== LUKS on LVM vs LVM on LUKS ======
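Review bot: The new link on line 1 has two pipes, so DokuWiki takes everything after the first one as the link text and the rendered title becomes the URL followed by "|dm-crypt/Encrypting an entire system". Drop the repeated URL so the link reads `[[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system|dm-crypt/Encrypting an entire system]]`.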
Line 8: Line 8:
   - good for multiuser environment   - good for multiuser environment
   - root system can be on unencrypted partition (no password to boot). The same can be achieved with LVM on LUKS on separate partition.   - root system can be on unencrypted partition (no password to boot). The same can be achieved with LVM on LUKS on separate partition.
 +  - Volumes can span on multiple drives
 +  - LVM cache is caching encrypted data (no unecnrypted data leak to cache device).
 +    - one common SSD cache device can be used if you have encrypted (data) and unecrypted (system) partitions on LVM
  
 LVM on LUKS (preffered) LVM on LUKS (preffered)
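Review bot: The added LVM cache bullets contain the typos "unecnrypted" and "unecrypted", and "span on multiple drives" should read "span multiple drives". The cache bullet would also be clearer if it said that only ciphertext reaches the cache device for the encrypted volumes, since the sub-bullet immediately describes a setup where unencrypted system volumes share the same cache.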
Line 15: Line 18:
   - one unlock of block device give access to all LVM volume created on it.   - one unlock of block device give access to all LVM volume created on it.
   - it is easier to change volumes sizes without touching encryption layer   - it is easier to change volumes sizes without touching encryption layer
 +  - LVM cache is caching decrypted data
 +    - workaround: encrypt also cache device, but for mixed setup (unencrypted and crypted partition) it is need to divide cache device into 2 volumes to serve unencrypted cache for system (no need to provide unlock password).
  
 ====== Performance ====== ====== Performance ======
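Review bot: The workaround sub-bullet is hard to parse ("it is need to divide cache device into 2 volumes") and never says that the encrypted part of the cache needs its own unlock. Suggest rewording it along the lines of: "workaround: encrypt the cache device as well; in a mixed setup (unencrypted and encrypted partitions) split the cache device into two volumes so the system keeps an unencrypted cache and still boots without an unlock password".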
Line 84: Line 89:
 ===== Fill with random data ===== ===== Fill with random data =====
 <code bash>badblocks -c 10240 -s -w -t random -v /dev/sda5</code> <code bash>badblocks -c 10240 -s -w -t random -v /dev/sda5</code>
-or (faster, only writes)+or (faster, only writes). Block size for dd has to be big, to avoid re-reading data from encrypted block.
 <code> <code>
 cryptsetup open --type plain /dev/sda5 tempcontainer cryptsetup open --type plain /dev/sda5 tempcontainer
-dd if=/dev/zero of=/dev/mapper/tempcontainer+dd if=/dev/zero of=/dev/mapper/tempcontainer bs=64M
 cryptsetup luksClose tempcontainer cryptsetup luksClose tempcontainer
 </code> </code>
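Review bot: The `cryptsetup open --type plain /dev/sda5 tempcontainer` line that this hunk leaves unchanged passes no key option, so the wipe key comes from a passphrase typed at the prompt. For a throwaway fill it is better to use a random key that is discarded afterwards, for example by adding `--key-file /dev/urandom`. The new sentence about block size would also be easier to follow if it noted that dd's default block size is 512 bytes, which is what `bs=64M` replaces. As a style point, closing the mapping with `cryptsetup close tempcontainer` matches the `open --type plain` used to create it, since `luksClose` suggests a LUKS container.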