retrofitting LUKS encryption on installed system
Bill Davidsen
davidsen at tmr.com
Sat Jun 29 20:23:53 UTC 2013
Mateusz Marzantowicz wrote:
> On 28.06.2013 17:21, J.Witvliet at mindef.nl wrote:
>> It surely works, but at a performance price. And the certainty that you have to enter the LUKS-key each time you boot.
>
> Intel Sandy/Ivy Bridge processors and later (AMD also) have something
> called AES-NI which significantly speeds up disk encryption. I haven't
> done any benchmarks but I see no difference between encrypted and plain
> LVM in everyday use.
>
I just discovered that KVM doesn't seem to pass that flag on to virtual
machines, which seems like serious suckage. May be a hardware thing, of course.
> User can unlock LUKS volume using key on SD card or any other media that
> can be mounted during system boot. So no passphrase is needed every time
> system is rebooted.
>
Leaving the card in the machine kind of defeats the purpose, doesn't it?
And adds to the possibility of forgetting to remove the card when you walk away.
Security and convenience are to some extent mutually exclusive.
>
> Mateusz Marzantowicz
>
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the users
mailing list