
Re: [suse-security] Crypted filesystem



On Thursday, 8. January 2004 12:03, Philippe Vogel wrote:
> The original bootloader (grub) is replaced by the security driver and I had
> to use W2K bootloader instead.

Huh? I'm running a SuSE 8.2 with an encrypted file system myself (standard 
SuSE encryption stuff) and I am using grub just like I would without the 
encrypted stuff. I also got windows working on that system. It's hardly any 
work to set this up.


> http://portal.suse.com/sdb/de/1997/06/nt.html

According to the URL and the OS versions mentioned there I'd say this one is 
from 1997 and ABSOLUTELY outdated. Reading this article has more to do with 
archeology than anything else.

Here is what you do in SuSE 8.2: Start Yast2, select "System", then choose 
"partitioning". When you create/change a partition in the partition manager 
simply choose the "encrypt" option. I guess you will figure out the rest.


> I want to crypt a filesystem on another machine (dual PII 350/512MB ram)
> with lvm and don't want to have performance loss because of /dev/loop. I
> first tested this with cryptofs provided by SuSE but I had a great
> performance loss as you can see here:
>
> with cryptofs max. 2MB/s over samba
> w/o cryptofs max. 6-9 MB/s over samba

Have a look at
http://lists.gnupg.org/pipermail/gnupg-devel/2000-October/016678.html
(note that they give you mega BITs per second, not bytes). For a machine 
comparable to yours you would probably get 30Mbit/s or around 3.75MB/s. 
Taking into consideration that your system also has other things to do you 
won't get much more than your 2MB/s, simply because your CPU is not fast 
enough.
This is assuming en/decryption will only use one CPU for a given read 
request. _Maybe_ if you send Samba 2 read requests in parallel, it will send 
the OS two read requests that will be processed by both CPUs, thus doubling 
the decryption speed.

Another solution could be to look for other, more detailed benchmarks and 
choose a faster algorithm and a shorter key length. But Yast2 will not let you 
do this so easily.

Kind regards
Stefan Nordhausen


-- 
For humanity is threatened by wars compared to which those of the past are 
like paltry attempts, and they will come without any doubt, if the hands of 
those who prepare them in full public view are not smashed.
Bertolt Brecht, 1952
