[Cryptography] Speeding up Linux disk encryption

Kent Borg kentborg at borg.org
Mon Apr 12 11:54:56 EDT 2021


There are a /whole/ lot of threats that full disk encryption does not 
address, and they need to be addressed.

But, let's imagine they have been addressed. What now? If all an 
attacker has to do is reboot from a USB stick, or read media on another 
machine, and then everything is in the clear, that seems a problem. A 
problem solved by full disk encryption. (Also, as pointed out, a nice 
way to securely erase old media: lose the key.)

Why is full disk encryption of interest to Cloud Flare? Rack mounted 
servers don't casually walk away, do they? Well, when one is dealing on 
the scale of Cloud Flare I bet they do. Maybe not stolen by an Evil 
Maid, but servers will get lost in the shuffle.


I was very intrigued by the closing paragraph in the story:

> The main patch from this blog (in a slightly updated form) has 
> been merged 
> <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877> into 
> mainline Linux kernel and is available since version 5.9 and onwards. 
> The main difference is the mainline version exposes two flags instead 
> of one, which provide the ability to bypass dm-crypt workqueues for 
> reads and writes independently.

Quick check and I have a new enough kernel on this machine!


Also:

> For details, see the official dm-crypt documentation 
> <https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html>.

Hmmm. Maybe too "detailed". I wish I had a practical how-to on how I 
could try it on my current personal machine. Dangerous stuff to figure 
out on a live machine and get wrong.

Do I possibly just add to /etc/crypttab:

     no_write_workqueue no_write_workqueue

And run "update-initramfs -u"?


-kb
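Added example, not part of the post above or of the Cloudflare patch it discusses: before and after changing crypttab, a practitioner would want to confirm (a) that the running kernel is at least the 5.9 the quoted paragraph names, and (b) that the live dm-crypt mapping really carries the `no_read_workqueue` / `no_write_workqueue` optional parameters, which `dmsetup table` prints after the mandatory fields. The two sample table lines are constructed, and the mapping name `cryptroot` is an assumption.

```shell
#!/bin/sh
# kernel_at_least MAJOR MINOR [VERSION_STRING]
# Defaults to `uname -r`; returns 0 when the version is >= MAJOR.MINOR.
kernel_at_least() {
    want_major=$1; want_minor=$2
    ver=${3:-$(uname -r)}
    have_major=${ver%%.*}
    rest=${ver#*.}
    have_minor=${rest%%[!0-9]*}      # drop ".0-generic", "-rc1", etc.
    [ "$have_major" -gt "$want_major" ] ||
    { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# table_has_flag FLAG TABLE_LINE
# A dm-crypt table line has the shape
#   <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset> [<n> <opt>...]
# so everything after the eighth field is the optional-parameter list.
table_has_flag() {
    flag=$1; shift
    set -- $*                          # split the line into fields
    [ "$3" = "crypt" ] || return 1     # not a dm-crypt target
    [ "$#" -ge 8 ] || return 1         # truncated line
    shift 8
    { [ "$#" -gt 0 ] && [ "$1" -ge 1 ]; } 2>/dev/null || return 1   # no options
    shift                              # skip the option count
    for p in "$@"; do
        [ "$p" = "$flag" ] && return 0
    done
    return 1
}

# workqueues_bypassed TABLE_LINE: 0 only when both bypass flags are present.
workqueues_bypassed() {
    table_has_flag no_read_workqueue "$1" && table_has_flag no_write_workqueue "$1"
}

# Constructed sample lines; the key column is a placeholder, not a real key.
SAMPLE_PLAIN='0 1048576 crypt aes-xts-plain64 0000000000000000 0 254:2 4096'
SAMPLE_BYPASS='0 1048576 crypt aes-xts-plain64 0000000000000000 0 254:2 4096 2 no_read_workqueue no_write_workqueue'

# On a live machine (mapping name assumed), run as root:
#   kernel_at_least 5 9 && workqueues_bypassed "$(dmsetup table /dev/mapper/cryptroot)"
```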
