# Which crypt algorithm?

## gir1dhar

Hello,

I've just finished installing Gentoo on my netbook.  Most of it is done. And now I'm focusing on the finishing touches.

Since it is a netbook, and I take it everywhere, I decided to encrypt the partition for the home folder.  I've read http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS, and I managed to set up my encrypted partition.  But I've found that the suggested algorithms are too "heavy" for my little netbook.

First, why do I need to encrypt my home folder?  As I said before I'm taking my netbook everywhere, and in the case of being stolen I don't want to have all my passwords and data easily read by anyone.  But I don't want to set up a super strong security system that slows my computer to a crawl and makes it unusable.

My encryption scheme must be fast and simple; it should be easier to format the drive in case of loss than reading the info.  I know that I will be screwed if it falls in the right hands and I'm ok with it.

I want to know which are the fastest crypt/digest algorithms, and setups?

My netbook is a toshiba nb205-210, Intel Atom 280 1Gb RAM 160Gb HD.

I encrypted swap.  Instead of the recommended 

```
cryptsetup -c blowfish -h sha256 -d /dev/urandom create swap /dev/sda2 
```

I'm using 

```
cryptsetup -c aes -h sha1 -d /dev/urandom create swap /dev/sda2
```

For the home partition, instead of 

```
cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3 
```

I'm using 

```
cryptsetup -y --cipher blowfish-cbc-plain:sha1 --key-size 32 luksFormat /dev/sda3
```

The performance improved a lot.  Is this ok? Any suggestions? Ideas?

Best Regards

gir1dhar

----------

## Roman_Gruber

Well, you can do what you like.

There are always drawbacks.

I use aes encryption because it's the fastest.

----------

## Veldrin

As tw04l124 already said, it depends on what you want or need.

I would go with one of the AES finalists: Rijndael (AES), Twofish or Serpent. (Don't use Blowfish, it has been superseded by Twofish)

Their respective "features" are

Twofish - Speed, thus less secure

Serpent - Security, thus slower

Rijndael (AES) - compromise between speed and security

While the swap config seems fine, you should really use the recommended settings for the home partition: Blowfish is deprecated, SHA1 has been broken (cryptographically and should be phased out) and a short key means less security.

If you care about speed, go with twofish.

```
cryptsetup -y --cipher twofish-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3 
```

or if you are really paranoid, use even longer keys and hash sizes (no guarantee for the exact spelling)

```
cryptsetup -y --cipher serpent-cbc-essiv:sha512 --key-size 512 luksFormat /dev/sda3 
```

just my .02$

V.
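
Added example, not part of any post in this thread: relative cipher speed depends on the CPU, so it can be measured on the netbook itself with `cryptsetup benchmark` (available in current cryptsetup releases) and the result ranked per key size. The sample table below is constructed in that command's output layout with made-up numbers, and the function names are hypothetical.

```shell
#!/bin/sh
# Rank ciphers by measured throughput from `cryptsetup benchmark` output.

# Constructed sample in the layout `cryptsetup benchmark` prints.
# The numbers are made up for illustration, not measured on any machine.
sample_benchmark() {
cat <<'EOF'
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1        210000 iterations per second for 256-bit key
PBKDF2-sha256      140000 iterations per second for 256-bit key
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        48.2 MiB/s        50.1 MiB/s
    serpent-cbc        128b        21.7 MiB/s        23.4 MiB/s
    twofish-cbc        128b        39.5 MiB/s        41.0 MiB/s
        aes-cbc        256b        37.9 MiB/s        38.6 MiB/s
    serpent-cbc        256b        21.5 MiB/s        23.3 MiB/s
    twofish-cbc        256b        39.4 MiB/s        40.8 MiB/s
EOF
}

# rank_ciphers KEYBITS
# Reads benchmark output on stdin and prints "algorithm enc dec" for the
# given key size, fastest first. A cipher is ranked by its slower direction,
# because a disk is both read and written.
rank_ciphers() {
    awk -v key="${1}b" '
        $2 == key && $4 == "MiB/s" && $6 == "MiB/s" {
            worst = ($3 + 0 < $5 + 0) ? $3 : $5
            printf "%s %s %s %s\n", worst, $1, $3, $5
        }' | LC_ALL=C sort -rn | cut -d" " -f2-
}

# fastest_cipher KEYBITS: name of the top-ranked algorithm only.
fastest_cipher() {
    rank_ciphers "$1" | head -n 1 | cut -d" " -f1
}

# "--live [KEYBITS]" ranks this machine's real measurements instead of the sample.
if [ "${1:-}" = "--live" ]; then
    cryptsetup benchmark | rank_ciphers "${2:-256}"
fi
```

The benchmark runs in memory only, so it shows the CPU cost of each cipher and not the combined disk throughput that `hdparm` would report on the mapped device.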

----------

## gir1dhar

Thanks for replying!

tw04l124

 *Quote:*   

> I use aes encryption because its the fastest.

 

how do you set it up?

 *Quote:*   

> While the swap config seems fine, you should really use the recommended settings for the home partition: Blowfish is deprecated, SHA1 has been broken (cryptographically and should be phased out) and a short key means less security. 
> 
> If you care about speed, go with twofish. 
> 
> Code:
> ...

 

One question... a larger hash means more processing needed?

I'm not paranoid, I just don't want all my data in plain sight if my netbook gets lost or stolen. I don't care if the key can be broken by brute force in 2 days.  Let's face it, most people don't even know that there's life beyond windoze.  That's why I'm favoring speed over security, any encryption, as minimal as it may be, is incredibly complex for the mean user. Still, even geeks don't know what to do in case of an encrypted partition.  If I find a disk that is encrypted, I test a couple passwords.  If I get lucky I look around, and if I don't I format and reinstall  :Very Happy: 

It's very hard to find someone with the motivation, skills, and cpu available to perform a full scale attack on an encrypted disk. 

Best Regards

----------

## rufnut

 *gir1dhar wrote:*   

> 
> 
> how do you set it up?
> 
> Best Regards

 

I tried this on a netbook:

http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick

There are plenty of wikis around.

With aes-plain-text I lost about 1/3 raw disk speed according to hdparm but I don't really notice.

Would be nice to have AES hardware such as VIA or Intel late cpu.

 :Smile: 

----------

## Roman_Gruber

In short:

My way was this:

First to install a full running arch-linux installation

secure wipe partitions 4 or 5 times, I think

making lvm volumes

doing on top luks encrypted volume 

make mountpoint in arch linux and mounting encrypted volume there.

chroot into encrypted disc partition and begin gentoo installation while having a working arch linux for using browsers, games, and so on

the kernel part is tricky but quite simple, emerge genkernel

make your kernel

then let genkernel only make initrd image and put this image on boot finished

For the details, sorry, but using lvm and so on, I did read a lot of documentation and it took me really 3 weeks to get this setup up and running. That's why I installed arch to have a working computer in the meantime

I know netbooks don't have cdroms, most of them, so using a usb boot flash disc may be enough.

The only way is to understand the things people want to tell about their installation guides

genkernel helps you a lot, because the initrd image, which is needed for booting, can be a pain in the ass, so let genkernel do the work for you.

If you ask me, make a huge boot partition; huge means for me 512 mb. If you want to boot from usb flash disc, I encourage you to have 3 usb flash discs of different types, because they fail easily and then you really have a problem booting your system.

----------

