Sunday, October 05, 2008

Mostly-encrypted root

Since F9, the default layout for "encrypted root" has been:

sda1 -- unencrypted "/boot"
sda2 -- encrypted LVM PV, containing "/" and swap partitions

This is a very secure configuration, but it is overkill for most users. A significant share of disk reads happens when applications are started, so with the layout above, launching OpenOffice means spending a large chunk of processing power on decrypting its massive binaries.

For a while, I have been using the following configuration instead:

sda1 -- unencrypted "/boot"
sda2 -- unencrypted "/usr"
sda3 -- encrypted LVM PV, containing "/", "/home" and swap partitions

The bulk of application data such as binaries, icons, and help files lives in /usr -- thus, giving it a separate unencrypted partition saves a lot of cycles and should speed up application startup. The only reason you would want to encrypt all of your application binaries is if you are worried that some of the applications you use would be considered illegal in your particular country. For example, if you install DVD-CSS decryption packages or patented codecs from the repository-that-must-not-be-named and are worried that it may be held against you, you should keep your /usr encrypted (and I have an assortment of fine tinfoil hats to sell you).

But if you are like me, you are probably not worried about that and care more about not wasting your processor cycles needlessly. Creating a separate unencrypted "/usr" for non-private data should help speed things up, and is not that complicated.
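As an added check for anyone using this layout (this script is not part of the original post), the code below parses `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` output, walks each mounted device's parent chain, and reports which mount points actually sit on a dm-crypt device. A constructed sample matching the sda1/sda2/sda3 layout above is embedded so it runs offline; on a live system you would feed it the real lsblk output.

```python
import re
from typing import Dict, List

# Constructed sample of `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` output,
# modelled on the post's layout: plaintext /boot and /usr, and an encrypted
# LVM PV on sda3 carrying /, /home and swap. Device names are made up.
SAMPLE_LSBLK = """\
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/usr"
NAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="luks-sda3" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
NAME="vg0-root" PKNAME="luks-sda3" TYPE="lvm" MOUNTPOINT="/"
NAME="vg0-home" PKNAME="luks-sda3" TYPE="lvm" MOUNTPOINT="/home"
NAME="vg0-swap" PKNAME="luks-sda3" TYPE="lvm" MOUNTPOINT="[SWAP]"
"""

# lsblk -P emits one device per line as KEY="value" pairs.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_lsblk_pairs(text: str) -> Dict[str, dict]:
    """Turn `lsblk -P` lines into a dict keyed by device NAME."""
    rows = [dict(PAIR_RE.findall(l)) for l in text.splitlines() if l.strip()]
    return {r["NAME"]: r for r in rows}

def is_encrypted(devices: Dict[str, dict], name: str) -> bool:
    """True if the device or any ancestor in its PKNAME chain is dm-crypt."""
    seen = set()
    while name and name not in seen:  # guard against malformed cycles
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False

def classify_mounts(text: str) -> Dict[str, bool]:
    """Map every mount point (swap included) to whether it sits on crypt."""
    devices = parse_lsblk_pairs(text)
    return {d["MOUNTPOINT"]: is_encrypted(devices, n)
            for n, d in devices.items() if d.get("MOUNTPOINT")}

def plaintext_private_mounts(text: str, private=("/", "/home", "[SWAP]")) -> List[str]:
    """Mount points that this layout expects to be encrypted but are not."""
    enc = classify_mounts(text)
    return sorted(m for m in private if not enc.get(m, False))
```

An empty list from `plaintext_private_mounts` means /, /home and swap are all under the LUKS container; anything listed is private data that ended up on a plaintext partition.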


Jeremy said...

The problem then is doing the overly-complicated balancing act of space between partitions. It's not something that's easy to determine for most users a priori, and it's not something that's easy to change after the fact.

Unknown said...

Oh, I fully agree that the default should stay the way it is for simplicity's sake. I was just sharing my experiences with fellow "power-users." :)

Anonymous said...

Wouldn't that give apps underneath your now non-protected /usr partition access to your encrypted partition?

Unknown said...

Okay, I'll give you that. If someone is able to mount your unencrypted /usr in order to trojan a binary, then next time you boot and mount the rest of your partitions, the trojaned binary will be able to read your private data.

However, this is kind of a moot point anyway -- /boot must remain unencrypted in order to, well, boot. It would take more skill, but one could put in a poisoned vmlinuz or initrd.img that would sniff your LUKS password and send it to the attacker.

I'm not sure there is much one can do against this attack, short of always booting from a trusted and verified-before-each-boot medium.