The hard disk on my notebook computer developed a number of bad sectors, so I replaced it with a new 7200rpm 100GB drive. I've discussed my experience and given details about using an encrypted root and LVM filesystem using the Linux 2.6 device mapper.
While I found the disk speed acceptable using the encrypted filesystem, I did note that it was subjectively slower than using an unencrypted filesystem. This time, I used the bonnie++ disk benchmark to test the new disk.
Raw disk benchmark

              ------Sequential Output------ --Sequential Input- --Random-
              -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
         Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
           4G 30299  98 47348  13 20552   6 29947  91 44758   5 137.3   0
              ------Sequential Create------ --------Random Create--------
              -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
        files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
           16  3545  21 +++++ +++  3863  42  3350  20 +++++ +++   867   6

Encrypted disk benchmark

              ------Sequential Output------ --Sequential Input- --Random-
              -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
         Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
           4G 18861  60 40812   9 10534   2 18530  58 30641   4 143.6   0
              ------Sequential Create------ --------Random Create--------
              -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
        files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
           16  3150  87 +++++ +++  3510  92  2919  86 +++++ +++   900  35

While there is an overhead using the encrypted file system (which is likely magnified by using a 4-year old CPU, a 2GHz Pentium 4-M), the overall speed with the 7200rpm drive is acceptable and will be a boost compared to the old 5400rpm drive.
While my notebook previously ran Debian Sarge, I thought I'd try something slightly different, the Debian offshoot Ubuntu Breezy. I found a few issues that had to be resolved to use the encrypted filesystems.
- Patching /usr/sbin/mkinitrd
mkinitrd had the wrong devmapper library version. I had to change line 385 from /lib/libdevmapper.so.1.00 to /lib/libdevmapper.so.1.01.
- Add modules to /etc/mkinitrd/modules
I added aes_i586, dm_crypt, and dm_mod to /etc/mkinitrd/modules.
- Modifying /etc/lvm/lvm.conf
I use an encrypted physical LVM partition to host my logical volumes. That way, I only have to encrypt the LVM physical partition. Subsequently, when booting and decrypting the filesystem, I only have to give the key to the physical volume once, and all of the logical volumes created in that partition will be decrypted. This requires some editing of lvm.conf to recognize the encrypted physical volume. I named the LVM physical volume pv and then added /dev/mapper/pv to the filter specification in the devices section. Also, LVM has to be notified of the device mapper type, so the line types=["device-mapper",16] must be added to the devices section.
- Change the startup script order
The script order in /etc/rcS.d/ needs to be changed so that cryptdisks is executed before lvm. This is required so that the lvm script will have access to the unencrypted physical volume. This is simply done by renaming S28cryptdisks to S25cryptdisks, which places it before the lvm script S26lvm.
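A check for the four settings above, as an added example that is not part of the original post: it audits a root directory given as an argument and reports anything that would stop the encrypted LVM physical volume from coming up at boot. The function names, the stand-in mkinitrd line and the filter patterns in the sample tree are assumptions.

```shell
#!/bin/sh
# Audit the boot settings listed above under a root directory (a mounted
# image or a test tree). Prints each problem; returns non-zero on failure.
check_crypt_boot() {
    root=$1; fail=0
    # mkinitrd must reference only libdevmapper versions that are installed
    for lib in $(grep -o '/lib/libdevmapper\.so\.[0-9.]*' "$root/usr/sbin/mkinitrd" 2>/dev/null | sort -u); do
        [ -e "$root$lib" ] || { echo "mkinitrd references missing $lib"; fail=1; }
    done
    # cipher and device-mapper modules must be listed for the initrd
    for m in aes_i586 dm_crypt dm_mod; do
        grep -qx "$m" "$root/etc/mkinitrd/modules" 2>/dev/null || { echo "module not listed: $m"; fail=1; }
    done
    # lvm.conf (comment lines dropped) must scan the mapping and declare its type
    conf=$(grep -v '^[[:space:]]*#' "$root/etc/lvm/lvm.conf" 2>/dev/null)
    echo "$conf" | grep 'filter' | grep -q '/dev/mapper/pv' || { echo "lvm.conf: /dev/mapper/pv not in filter"; fail=1; }
    echo "$conf" | grep -q 'types.*"device-mapper"' || { echo "lvm.conf: device-mapper type missing"; fail=1; }
    # cryptdisks must have a lower sequence number than lvm in rcS.d
    c=$(ls "$root/etc/rcS.d" 2>/dev/null | sed -n 's/^S\([0-9][0-9]*\)cryptdisks$/\1/p' | head -n 1)
    l=$(ls "$root/etc/rcS.d" 2>/dev/null | sed -n 's/^S\([0-9][0-9]*\)lvm$/\1/p' | head -n 1)
    if [ -z "$c" ] || [ -z "$l" ]; then echo "rcS.d: cryptdisks or lvm script not found"; fail=1
    elif [ "$c" -ge "$l" ]; then echo "rcS.d: S${c}cryptdisks does not run before S${l}lvm"; fail=1; fi
    return $fail
}

# Constructed sample tree in the state the post ends up with.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/sbin" "$r/lib" "$r/etc/mkinitrd" "$r/etc/lvm" "$r/etc/rcS.d"
    # stand-in line; the real content of mkinitrd line 385 is not shown in the post
    echo 'cp /lib/libdevmapper.so.1.01 "$INITRD/lib/"' > "$r/usr/sbin/mkinitrd"
    : > "$r/lib/libdevmapper.so.1.01"
    printf '%s\n' aes_i586 dm_crypt dm_mod > "$r/etc/mkinitrd/modules"
    # filter patterns are an assumption; the post only names /dev/mapper/pv
    printf '%s\n' 'devices {' '    filter = [ "a|/dev/mapper/pv|", "r|.*|" ]' \
        '    types = [ "device-mapper", 16 ]' '}' > "$r/etc/lvm/lvm.conf"
    : > "$r/etc/rcS.d/S25cryptdisks"; : > "$r/etc/rcS.d/S26lvm"
    echo "$r"
}

sample=$(make_sample_root)
check_crypt_boot "$sample" && echo "fixed layout: OK"
# Undo the rename to show the ordering problem being reported
mv "$sample/etc/rcS.d/S25cryptdisks" "$sample/etc/rcS.d/S28cryptdisks"
check_crypt_boot "$sample" || echo "default layout: lvm would start first"
rm -rf "$sample"
```

To audit an installed system rather than the sample tree, call `check_crypt_boot ""` so the paths resolve against `/`.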
After those bits of additional configuration, the encrypted root filesystem and encrypted LVM physical volume are working very well. Additionally, I'm using an encrypted swap partition, but there was no additional configuration required beyond what I previously described.

Comments (2)
>(which is likely magnified by using a 4-year old CPU, a 2GHz Pentium 4-M),
Is this a typo? A 2Ghz P-M is still almost a top of the line laptop processor (until the dual-cores are widely available). Plus, many benchmarks have shown that the P-M's perform nearly as well as P4's with higher clock ratings.
Of course I can't find any of the benchmarks that I remember reading. :( But here's one displaying the PM vs the new PM Dual Core and AMD's dual cores:
http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=2648&p=11
Of course the PM doesn't stand a chance against AMD's regular dual cores, but it's still a decent processor for laptop usage. If speed is of utmost importance, you would probably get better performance if you didn't encrypt the whole filesystem, but instead created a loopback filesystem for storing content you want protected? Any thoughts on what the average CPU overhead is? I might be tempted to encrypt my /home on my 1.6Ghz PM laptop after reading about your experiences.
I presume DMA, multi sector I/O .... enabled?
Getting error messages when I try and post this message?
Posted by mick | February 2, 2006 10:15 AM
p4m != pm
Posted by foo | February 28, 2006 3:08 PM