Locked
lowfat
Posts: 11
Joined: Tue Sep 24, 2019 7:22 pm

Encrypted drives

Sat Sep 28, 2019 12:07 pm

Hi all,
Debian supports encrypted file systems such as the root file system but does Raspbian include that functionality?
What about encrypted thumb drives?
Thanks.
User avatar
DougieLawson
Posts: 42216
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Encrypted drives

Sat Sep 28, 2019 12:10 pm

It is possible to install luks on a Raspberry, but there's no permanent BIOS NVRAM in which to store a key.
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.
Kendek
Posts: 296
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypted drives

Sat Sep 28, 2019 12:55 pm

The RPi4 doesn't have hardware-accelerated AES support, so the encryption is not very fast. The Google Adiantum performs better if you want an encrypted partition with LUKS.

Code: Select all

cryptsetup luksFormat --type=luks2 --sector-size=4096 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/sdXN

Code: Select all

> cryptsetup benchmark
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        25,1 MiB/s        83,3 MiB/s
        aes-cbc        256b        18,3 MiB/s        63,5 MiB/s
        aes-xts        256b        92,3 MiB/s        81,8 MiB/s
        aes-xts        512b        71,3 MiB/s        62,0 MiB/s

> cryptsetup benchmark -c xchacha12,aes-adiantum
#            Algorithm |       Key |      Encryption |      Decryption
xchacha12,aes-adiantum        256b       224,2 MiB/s       225,0 MiB/s

> cryptsetup benchmark -c xchacha20,aes-adiantum
#            Algorithm |       Key |      Encryption |      Decryption
xchacha20,aes-adiantum        256b       185,2 MiB/s       185,8 MiB/s
My setup:

Code: Select all

> lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu Eoan Ermine (development branch)
Release:	19.10
Codename:	eoan

> uname -a
Linux RPI4 5.3.0-v8 #1 SMP PREEMPT Sat Sep 28 11:56:55 CEST 2019 aarch64 aarch64 aarch64 GNU/Linux
lowfat
Posts: 11
Joined: Tue Sep 24, 2019 7:22 pm

Re: Encrypted drives

Sat Sep 28, 2019 5:40 pm

DougieLawson wrote:
Sat Sep 28, 2019 12:10 pm
 It is possible to install luks on a Raspberry, but there's no permanent BIOS NVRAM in which to store a key.
I'm OK with entering the password at boot-up if the bootloader supports that.
Kendek
Posts: 296
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypted drives

Sat Sep 28, 2019 6:05 pm

lowfat wrote:
Sat Sep 28, 2019 5:40 pm
 I'm OK with entering the password at boot-up if the bootloader supports that.
You will need initramfs if you want to encrypt the system partition.
rpi4a
Posts: 1
Joined: Sun Jan 05, 2020 5:58 pm

Re: Encrypted drives

Sun Jan 05, 2020 6:05 pm

Kendek wrote:
Sat Sep 28, 2019 12:55 pm

Code: Select all

> cryptsetup benchmark
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        25,1 MiB/s        83,3 MiB/s
        aes-cbc        256b        18,3 MiB/s        63,5 MiB/s
        aes-xts        256b        92,3 MiB/s        81,8 MiB/s
        aes-xts        512b        71,3 MiB/s        62,0 MiB/s
Not bad! I have a Pentium T4300 that runs at 2.1GHz but is only about 10% faster than this.

However my Core i5 2.7 GHz is over 20 times faster:

Code: Select all

        aes-cbc        128b       585.3 MiB/s      2366.0 MiB/s
        aes-cbc        256b       433.8 MiB/s      1855.9 MiB/s
        aes-xts        256b      1589.4 MiB/s      1593.7 MiB/s
        aes-xts        512b      1294.7 MiB/s      1293.2 MiB/s
Locked

Return to “General discussion”