Few questions from a new user

I am new to disk encryption and I have been reading on it for the last few days, but I am still confused on some points. I would appreciate it if someone knowledgeable could clue me in.


1. Is SHA1 just as secure for this purpose as SHA512? After reading cryptsetup docs I have a feeling that yes, but I get conflicting opinions from various people, so I thought it's best to ask at the source.

Also, does the hash used have any impact on performance of disk access/read/write once the system is booted? Again, I suppose not, but better to make sure, especially since my laptop is not a powerhouse.


2. The more I read, the more I am confused about the algorithms. Everything I read says that AES is the fastest, and Serpent is the slowest. But not according to my laptop:

$ cryptsetup benchmark
Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       344926 iterations per second
PBKDF2-sha256     198593 iterations per second
PBKDF2-sha512     129007 iterations per second
PBKDF2-ripemd160  271933 iterations per second
PBKDF2-whirlpool  134295 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   149.8 MiB/s   147.9 MiB/s
 serpent-cbc   128b    51.0 MiB/s   196.4 MiB/s
 twofish-cbc   128b   127.6 MiB/s   152.5 MiB/s
     aes-cbc   256b   114.3 MiB/s   113.8 MiB/s
 serpent-cbc   256b    51.2 MiB/s   198.9 MiB/s
 twofish-cbc   256b   129.8 MiB/s   167.5 MiB/s
     aes-xts   256b   153.3 MiB/s   150.6 MiB/s
 serpent-xts   256b   176.4 MiB/s   184.1 MiB/s
 twofish-xts   256b   160.8 MiB/s   159.8 MiB/s
     aes-xts   512b   115.4 MiB/s   112.1 MiB/s
 serpent-xts   512b   178.6 MiB/s   184.2 MiB/s
 twofish-xts   512b   160.7 MiB/s   158.9 MiB/s

I suppose this is because it has no AES-NI optimisation (it is one of the last Core 2 Duo P9500), but still Serpent beats the others by quite a margin. Plus, on top of that, it seems to be the fastest with the most complex key. I thought it should be the other way around...?

So should I go ahead and use serpent-xts 512b, or is there a catch?



3. I would like to do full disk encryption, and would like to have these methods of unlocking upon boot:
A - my short but complex password
B - long but easy-to-dictate password that I would give to people who need to access my laptop when I'm not there, without compromising my own password
C - if a USB key with a key file is present, I want the computer to not ask for the password upon boot

Are all three possible with dm-crypt+LUKS? And if so, do I have to set them all up while I encrypt my disks, or can B and/or C be done afterwards?
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt