[Cryptography] Speeding up Linux disk encryption
Kent Borg
kentborg at borg.org
Mon Apr 12 11:54:56 EDT 2021
There are a /whole/ lot of threats that full disk encryption does not
address, and they need to be addressed.
But, let's imagine they have been addressed. What now? If all an
attacker has to do is reboot from a USB stick, or read media on another
machine, and then everything is in the clear, that seems a problem. A
problem solved by full disk encryption. (Also, as pointed out, a nice
way to securely erase old media: lose the key.)
Why is full disk encryption of interest to Cloudflare? Rack-mounted
servers don't casually walk away, do they? Well, when one is dealing on
the scale of Cloudflare I bet they do. Maybe not stolen by an Evil
Maid, but servers will get lost in the shuffle.
I was very intrigued by the closing paragraph in the story:
> The main patch from this blog (in a slightly updated form) has
> been merged
> <https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/md/dm-crypt.c?id=39d42fa96ba1b7d2544db3f8ed5da8fb0d5cb877>
> into mainline Linux kernel and is available since version 5.9 and onwards.
> The main difference is the mainline version exposes two flags instead
> of one, which provide the ability to bypass dm-crypt workqueues for
> reads and writes independently.
Quick check and I have a new enough kernel on this machine!
Also:
> For details, see the official dm-crypt documentation
> <https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html>.
Hmmm. Maybe too "detailed". I wish I had a practical how-to on how I
could try it on my current personal machine. Dangerous stuff to figure
out on a live machine and get wrong.
Do I possibly just add to /etc/crypttab:
no_write_workqueue no_write_workqueue
And run "update-initramfs -u"?
-kb
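
Added example, not part of the original post: a read-only way to confirm whether the two workqueue-bypass flags from the quoted paragraph are active on a dm-crypt mapping, by parsing a line of `dmsetup table` output. The sample table lines, mapping name and device numbers are constructed; the optional-parameter names are the ones listed in the kernel dm-crypt documentation linked above.

```shell
#!/bin/sh
# Report which dm-crypt workqueue-bypass flags are set on a mapping.
# Input: one line of `dmsetup table` output. Layout per the kernel docs:
#   [<name>:] <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset> [<#opts> <opt>...]

# Constructed sample lines (not captured from a real machine).
SAMPLE_BOTH='luks-root: 0 976738304 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:3 32768 2 no_read_workqueue no_write_workqueue'
SAMPLE_WRITE_ONLY='luks-root: 0 976738304 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:3 32768 2 allow_discards no_write_workqueue'
SAMPLE_NONE='0 976738304 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 259:3 32768'

# crypt_wq_flags LINE -> prints "read=<0|1> write=<0|1>"; returns 2 if LINE is not a crypt target.
crypt_wq_flags() {
    set -f              # no globbing while the line is split into fields
    set -- $1           # intentional word splitting
    set +f
    # `dmsetup table` with no argument prefixes each line with "<name>:".
    case "$1" in *:) shift ;; esac
    [ "$#" -ge 8 ] && [ "$3" = "crypt" ] || return 2
    shift 8             # drop start, len, "crypt", cipher, key, iv_offset, dev, offset
    read_flag=0
    write_flag=0
    if [ "$#" -gt 0 ]; then
        count=$1        # number of optional parameters that follow
        shift
        while [ "$count" -gt 0 ] && [ "$#" -gt 0 ]; do
            case "$1" in
                no_read_workqueue)  read_flag=1 ;;
                no_write_workqueue) write_flag=1 ;;
            esac
            shift
            count=$((count - 1))
        done
    fi
    echo "read=$read_flag write=$write_flag"
}

# On a live system (as root): crypt_wq_flags "$(dmsetup table <mapping-name>)"
crypt_wq_flags "$SAMPLE_BOTH"
crypt_wq_flags "$SAMPLE_WRITE_ONLY"
crypt_wq_flags "$SAMPLE_NONE"
```

Running the check before and after any configuration change shows whether the change actually reached the kernel mapping, without modifying the volume.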