[AktiviX-discuss] Setting up a server with encrypted partitions and swap

Charlie Harvey charlie at peopleandplanet.org
Tue Oct 3 10:27:22 UTC 2006

> Hi,
> I'm setting up a machine and want it to have encrypted partitions and swap.
> It's running Debian stable - and I'd prefer to stick with that rather than
> compile custom kernels and cryptotools, though if there is a compelling reason
> not to I'd certainly listen.
> I found this article http://www.shimari.com/dm-crypt-on-raid/ (which seems
> quite recent) and have followed it pretty closely. (Not exactly, as my needs
> are not quite the same.)
> The server is only a single PIII 1GHz with 1.5GB RAM - so it's not the hottest
> thing on the block.
> Does anybody have any comments on the choice of algorithms and tools (DM-Crypt
> and twofish).  I am a complete newb on these things.

Well, sounds like your setup would be able to handle most of the
algorithms available. The tradeoff will be in access time vs. security.
AFAIK AES hasn't been properly compromised although there is an attack
methodology, so you'd probably want to use AES256. twofish is arguably
more secure, but newer, so maybe attacks just haven't been found yet -
it's based on Schneier's work on blowfish (which in its 1995 form was
found to have weak keys) and serpent is also v.secure but probably a
little slower. Personally I'd use twofish. 

On modern hardware once the crypted fs has been created (which may 
be slow depending on size of partition - have a cup of tea whilst this
happens!) the main latency point will be access to large files
(multimedia, et al). If you're going to be mainly just running a
web/mail server on it I'd guess that network latency would be more of a
bottleneck than file access. 


Charlie Harvey  | perl -e '($I[say]x3);my $dog-="nose";
People & Planet |   qw?how does he smell?;++$terrible;'

