Best way to encrypt my system on an ssd
I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.
Having this in mind, what is the best way to encrypt the system on an ssd?
You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.
Edit
My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.
I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:
Currently I am using ecryptfs to encrypt my home partition.
An
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
on my encrypted home partition gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s
and the CPU is working between 40 and 60%.
The same on an unencrypted partition gives
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s
and the CPU is working between 0 and 20%.
My /tmp
folder is mounted via tempfs
i.e. it lies in RAM. Doing the same in /tmp
gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s
Then I created a new ecryptfs
directory below /tmp
and did it there again.
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s
and one core working at 100% the other at 20%.
The creation of the ecryptfs dir was as follows:
sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted
As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.
Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.
Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.
Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung
I did that and got ~95 MB/s.
security hardware performance encryption ssd
add a comment |
I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.
Having this in mind, what is the best way to encrypt the system on an ssd?
You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.
Edit
My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.
I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:
Currently I am using ecryptfs to encrypt my home partition.
An
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
on my encrypted home partition gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s
and the CPU is working between 40 and 60%.
The same on an unencrypted partition gives
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s
and the CPU is working between 0 and 20%.
My /tmp
folder is mounted via tempfs
i.e. it lies in RAM. Doing the same in /tmp
gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s
Then I created a new ecryptfs
directory below /tmp
and did it there again.
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s
and one core working at 100% the other at 20%.
The creation of the ecryptfs dir was as follows:
sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted
As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.
Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.
Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.
Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung
I did that and got ~95 MB/s.
security hardware performance encryption ssd
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.cat /proc/cpuinfo
to check.
– frostschutz
Apr 9 '13 at 18:41
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44
add a comment |
I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.
Having this in mind, what is the best way to encrypt the system on an ssd?
You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.
Edit
My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.
I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:
Currently I am using ecryptfs to encrypt my home partition.
An
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
on my encrypted home partition gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s
and the CPU is working between 40 and 60%.
The same on an unencrypted partition gives
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s
and the CPU is working between 0 and 20%.
My /tmp
folder is mounted via tempfs
i.e. it lies in RAM. Doing the same in /tmp
gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s
Then I created a new ecryptfs
directory below /tmp
and did it there again.
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s
and one core working at 100% the other at 20%.
The creation of the ecryptfs dir was as follows:
sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted
As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.
Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.
Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.
Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung
I did that and got ~95 MB/s.
security hardware performance encryption ssd
I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.
Having this in mind, what is the best way to encrypt the system on an ssd?
You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.
Edit
My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.
I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:
Currently I am using ecryptfs to encrypt my home partition.
An
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
on my encrypted home partition gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s
and the CPU is working between 40 and 60%.
The same on an unencrypted partition gives
LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s
and the CPU is working between 0 and 20%.
My /tmp
folder is mounted via tempfs
i.e. it lies in RAM. Doing the same in /tmp
gives:
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s
Then I created a new ecryptfs
directory below /tmp
and did it there again.
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s
and one core working at 100% the other at 20%.
The creation of the ecryptfs dir was as follows:
sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted
As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.
Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.
Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.
Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung
I did that and got ~95 MB/s.
security hardware performance encryption ssd
security hardware performance encryption ssd
edited Aug 27 '13 at 8:38
student
asked Mar 29 '13 at 11:50
studentstudent
7,1451764124
7,1451764124
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.cat /proc/cpuinfo
to check.
– frostschutz
Apr 9 '13 at 18:41
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44
add a comment |
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.cat /proc/cpuinfo
to check.
– frostschutz
Apr 9 '13 at 18:41
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.
cat /proc/cpuinfo
to check.– frostschutz
Apr 9 '13 at 18:41
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.
cat /proc/cpuinfo
to check.– frostschutz
Apr 9 '13 at 18:41
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44
add a comment |
2 Answers
2
active
oldest
votes
On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup
utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
add a comment |
The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.
The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.
You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.
You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.
Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.
Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:
Mr. Julius Caesar: Round 3
Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).
Benchmarking Caesar entrants on FPGAs
You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f70498%2fbest-way-to-encrypt-my-system-on-an-ssd%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup
utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
add a comment |
On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup
utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
add a comment |
On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup
utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.
On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup
utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.
edited Oct 11 '16 at 11:36
Anthony Geoghegan
7,76243954
7,76243954
answered Mar 30 '13 at 0:18
GillesGilles
537k12810871603
537k12810871603
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
add a comment |
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?
– student
Mar 30 '13 at 9:55
add a comment |
The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.
The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.
You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.
You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.
Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.
Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:
Mr. Julius Caesar: Round 3
Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).
Benchmarking Caesar entrants on FPGAs
You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".
add a comment |
The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.
The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.
You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.
You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.
Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.
Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:
Mr. Julius Caesar: Round 3
Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).
Benchmarking Caesar entrants on FPGAs
You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".
add a comment |
The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.
The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.
You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.
You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.
Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.
Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:
Mr. Julius Caesar: Round 3
Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).
Benchmarking Caesar entrants on FPGAs
You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".
The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.
The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.
You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.
You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.
Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.
Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:
Mr. Julius Caesar: Round 3
Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).
Benchmarking Caesar entrants on FPGAs
You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".
answered 19 mins ago
RobRob
202129
202129
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f70498%2fbest-way-to-encrypt-my-system-on-an-ssd%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing.
cat /proc/cpuinfo
to check.– frostschutz
Apr 9 '13 at 18:41
It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz
– student
Apr 10 '13 at 15:44