# Best way to encrypt your system?

## FizzyWidget

I am looking to encrypt the Gentoo part of my dual-boot systems; which is the best way to do this? TrueCrypt, which is already used to protect the Windows partition and comes up on boot, or should I use this: http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID ?

I don't mind having to reinstall Gentoo, might do that anyway as I'm bored, or would people just suggest encrypting the /home dir like Ubuntu does instead of doing full system encryption?

----------

## Hu

DM-Crypt works well for this.  It is up to you whether to encrypt system directories, and depends in large part on your threat model.  If you assume that you will be aware of when an attacker gains access to the system, then encrypting the system directories is optional, but you should not trust their contents after you regain ownership of the system.  This threat model applies for laptops that might be stolen, but are otherwise safe.  If you are worried about the evil maid, encrypting all the volumes and keeping the key material on a token that remains in your possession may be a better choice.

----------

## FizzyWidget

I'm just concerned in case any of my systems ever get stolen

----------

## Hu

In that case, it is probably adequate to encrypt only the filesystems which will hold private content.  This may require encrypting / or relocating /root if you plan to store anything sensitive there.

----------

## tuber

There's also loop-aes.

----------

## FizzyWidget

*Hu wrote:*

> In that case, it is probably adequate to encrypt only the filesystems which will hold private content.  This may require encrypting / or relocating /root if you plan to store anything sensitive there.

If I encrypt /, isn't that the same as full drive encryption?

----------

## Hu

loop-aes is a poor choice.  If I recall correctly, it is said to interact poorly with journals *when used with a file-backed loop device*.  Additionally, its cipher choices are less flexible than DM-Crypt.

No, encrypting / is not the same as full drive encryption.  There are also swap, /home, /usr, and /var to consider.

[Edit: added italicized portion in response to correction from tuber.  I had not researched the details, and knew only that it was said to be unsafe in some cases.]

Last edited by Hu on Sun Jul 18, 2010 7:16 pm; edited 2 times in total

----------

## FizzyWidget

Have decided to use TrueCrypt and encrypt /home only; tried a few other ways earlier and it all went mad :( How big should I make /var and /log? First to be done will be the laptop, and after I give 80GB to Windows I will have 150GB to spare. Normally I do:

- boot: 100M
- swap: 4GB
- /: 15G
- home: rest

When I used FreeBSD I used 4GB for var and log; I think 4GB might be overkill for /log.

----------

## tuber

*Hu wrote:*

> loop-aes is a poor choice.  If I recall correctly, it is said to interact poorly with journals.  Additionally, its cipher choices are less flexible than DM-Crypt.

Do you mean there is a performance problem or a data integrity problem? The latter is true for a file-backed loop device, but not true for a device-backed loop device.

----------

## Hu

*tuber wrote:*

> > *Hu wrote:* loop-aes is a poor choice.  If I recall correctly, it is said to interact poorly with journals.  Additionally, its cipher choices are less flexible than DM-Crypt.
>
> Do you mean there is a performance problem or a data integrity problem? The latter is true for a file-backed loop device, but not true for device-backed loop device.

I had heard of data integrity problems.  I was repeating imprecise information from elsewhere, and have now amended my post with the clarification you supplied.  Thanks.

----------

## chithanh

Using dm-crypt (LUKS) is probably the method of choice nowadays. You can encrypt a whole system except for /boot. A LUKS-capable initramfs can be created easily with genkernel (leave out modules and it works with non-genkernel kernels too).

If you only encrypt /home, be aware that password hashes and other interesting data may be stored in /etc/shadow, /var/* and so on.
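As an added illustration of the point above about data left in the clear when only /home is encrypted (example code, not from anyone in this thread): the script parses the output of `lsblk -rno NAME,TYPE,MOUNTPOINT`, maps each sensitive path to the mount that holds it, and reports the ones whose backing device is not a dm-crypt volume. The lsblk lines and the list of paths are constructed for the example.

```python
# Added example: audit which sensitive paths sit on unencrypted storage.
# Input format is that of `lsblk -rno NAME,TYPE,MOUNTPOINT`; the sample is
# constructed to mimic a "/home only" setup (swap and / are plain partitions).
from typing import Dict, List, Tuple

SAMPLE_LSBLK = """\
sda disk
sda1 part /boot
sda2 part [SWAP]
sda3 part /
sda4 part
home crypt /home
"""

# Paths the thread names as holding private data, plus swap.
SENSITIVE = ["/etc/shadow", "/var/log", "/root", "/home", "[SWAP]"]


def parse_mounts(lsblk_output: str) -> Dict[str, str]:
    """Map each mountpoint to the TYPE of the device directly backing it."""
    mounts = {}
    for line in lsblk_output.splitlines():
        fields = line.split()
        if len(fields) == 3:  # NAME TYPE MOUNTPOINT; unmounted rows have only 2
            mounts[fields[2]] = fields[1]
    return mounts


def backing_mount(path: str, mounts: Dict[str, str]) -> str:
    """Longest mountpoint that is a whole-component prefix of `path`."""
    if path in mounts:  # exact match, which also covers "[SWAP]"
        return path
    parts = path.rstrip("/").split("/")
    # Try "/a/b/c", then "/a/b", then "/a", then "/" (never "/a/bc" for "/a/b").
    for i in range(len(parts), 0, -1):
        candidate = "/".join(parts[:i]) or "/"
        if candidate in mounts:
            return candidate
    raise ValueError(f"no mountpoint covers {path}")


def unencrypted(paths: List[str], lsblk_output: str) -> List[Tuple[str, str]]:
    """Return (path, mountpoint) for every path not on a dm-crypt device."""
    mounts = parse_mounts(lsblk_output)
    return [(p, mp) for p in paths
            if mounts[(mp := backing_mount(p, mounts))] != "crypt"]


if __name__ == "__main__":
    for path, mp in unencrypted(SENSITIVE, SAMPLE_LSBLK):
        print(f"{path} lives on unencrypted mount {mp}")
```

The check only looks at the device immediately under each mount, so for LVM on top of dm-crypt (the wiki setup linked in the first post) the mounted device reports TYPE lvm and the check would have to walk PKNAME up to the crypt layer.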

----------

## mv

*tuber wrote:*

> Do you mean there is a performance problem or a data integrity problem? The latter is true for a file-backed loop device, but not true for device-backed loop device.

Well, it is also true for a device-backed loop device. For example, AFAIK write errors are not necessarily correctly reported through. Moreover, there is the problem that barriers are not available. However, the latter holds also for dm-crypt, i.e. journaling will be somewhat less secure (in the sense of data integrity) with encryption than without encryption, no matter which method you choose.

----------

