Best way to encrypt my system on an ssd












4















I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.



Having this in mind, what is the best way to encrypt the system on an ssd?



You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.



Edit



My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.



I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:



Currently I am using ecryptfs to encrypt my home partition.



An



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc on my encrypted home partition gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s


and the CPU is working between 40 and 60%.



The same on an unencrypted partition gives



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s


and the CPU is working between 0 and 20%.



My /tmp folder is mounted via tempfs i.e. it lies in RAM. Doing the same in /tmp gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s


Then I created a new ecryptfs directory below /tmp and did it there again.



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s


and one core working at 100% the other at 20%.



The creation of the ecryptfs dir was as follows:



sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted



As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.



Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.



Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.



Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung



I did that and got ~95 MB/s.










share|improve this question

























  • If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

    – frostschutz
    Apr 9 '13 at 18:41











  • It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

    – student
    Apr 10 '13 at 15:44
















4















I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.



Having this in mind, what is the best way to encrypt the system on an ssd?



You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.



Edit



My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.



I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:



Currently I am using ecryptfs to encrypt my home partition.



An



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc on my encrypted home partition gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s


and the CPU is working between 40 and 60%.



The same on an unencrypted partition gives



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s


and the CPU is working between 0 and 20%.



My /tmp folder is mounted via tempfs i.e. it lies in RAM. Doing the same in /tmp gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s


Then I created a new ecryptfs directory below /tmp and did it there again.



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s


and one core working at 100% the other at 20%.



The creation of the ecryptfs dir was as follows:



sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted



As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.



Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.



Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.



Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung



I did that and got ~95 MB/s.










share|improve this question

























  • If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

    – frostschutz
    Apr 9 '13 at 18:41











  • It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

    – student
    Apr 10 '13 at 15:44














4












4








4


2






I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.



Having this in mind, what is the best way to encrypt the system on an ssd?



You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.



Edit



My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.



I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:



Currently I am using ecryptfs to encrypt my home partition.



An



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc on my encrypted home partition gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s


and the CPU is working between 40 and 60%.



The same on an unencrypted partition gives



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s


and the CPU is working between 0 and 20%.



My /tmp folder is mounted via tempfs i.e. it lies in RAM. Doing the same in /tmp gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s


Then I created a new ecryptfs directory below /tmp and did it there again.



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s


and one core working at 100% the other at 20%.



The creation of the ecryptfs dir was as follows:



sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted



As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.



Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.



Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.



Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung



I did that and got ~95 MB/s.










share|improve this question
















I consider to buy an ssd for my laptop (something like Samsung 830 or 840) to make the system more responsive. I want my system (at least my home partition) to be encrypted. However I know about rumors that there may be problems with encryption on ssd's and although that statements about this change very fast with time. Especially I don't want to have a big performance drop (as said above, I want the ssd to make the system significantly more responsive) and I don't want to shorten the lifetime of my ssd.



Having this in mind, what is the best way to encrypt the system on an ssd?



You can assume that the ssd will be a samsung 830, 840 or 840 pro if this matters.



Edit



My CPU is a pretty old Core2 Duo P8700 with 2,53 GHz without AES-NI and I have only SATA II. So I want to add the question: Does it make sense at all to upgrade say to a Samsung 830 and use dm-crypt/luks or ecryptfs? Or does the CPU and SATA port slow down the SSD too much? I don't want to win any benchmark contest, just want to have an clear improvement in my system responsiveness.



I am not sure if the following is a good indicator about how fast the system will be, so it would be great if someone could comment it:



Currently I am using ecryptfs to encrypt my home partition.



An



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc on my encrypted home partition gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 56.4674 s, 19.0 MB/s


and the CPU is working between 40 and 60%.



The same on an unencrypted partition gives



LC_ALL=C dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 29.6554 s, 36.2 MB/s


and the CPU is working between 0 and 20%.



My /tmp folder is mounted via tempfs i.e. it lies in RAM. Doing the same in /tmp gives:



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 0.941708 s, 1.1 GB/s


Then I created a new ecryptfs directory below /tmp and did it there again.



1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB) copied, 10.1884 s, 105 MB/s


and one core working at 100% the other at 20%.



The creation of the ecryptfs dir was as follows:



sudo mount -t ecryptfs /tmp/encrypted/ /tmp/decrypted



As options I choosed the default ones (ubuntu-system): AES, 16 bit, no plaintext passthrough, no filename encryption.



Considering this result I would expect that the writing rate will increase from 19.0 MB/s to 105 MB/s when replacing my old WD-scorpion black 7200 with a Samsung 830 SSD and using ecryptfs. Which seems to be a clear performance improvement. I guess that dm-crypt will even be a bit faster.



Any suggestions to make more reliable tests which will predict if the SSD will bring a clear performance boost.



Edit 2
Here is a similar test in a German debian wiki using dm-crypt:
http://wiki.debianforum.de/Benchmark_f%C3%BCr_Festplattenverschl%C3%BCsselung



I did that and got ~95 MB/s.







security hardware performance encryption ssd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 27 '13 at 8:38







student

















asked Mar 29 '13 at 11:50









studentstudent

7,1451764124




7,1451764124













  • If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

    – frostschutz
    Apr 9 '13 at 18:41











  • It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

    – student
    Apr 10 '13 at 15:44



















  • If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

    – frostschutz
    Apr 9 '13 at 18:41











  • It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

    – student
    Apr 10 '13 at 15:44

















If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

– frostschutz
Apr 9 '13 at 18:41





If you have AES-NI, cryptsetup/LUKS works fine (using one of the AES ciphers). Without AES-NI, you will see a performance penalty when reading/writing. cat /proc/cpuinfo to check.

– frostschutz
Apr 9 '13 at 18:41













It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

– student
Apr 10 '13 at 15:44





It seems I don't have AES-NI, it's a Core 2 Duo CPU P8700, 2.53GHz

– student
Apr 10 '13 at 15:44










2 Answers
2






active

oldest

votes


















2














On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.






share|improve this answer


























  • So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

    – student
    Mar 30 '13 at 9:55



















0














The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.



The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.



You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.



You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.



Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.



Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:




  • Mr. Julius Caesar: Round 3


  • Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).


  • Benchmarking Caesar entrants on FPGAs



You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f70498%2fbest-way-to-encrypt-my-system-on-an-ssd%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.






    share|improve this answer


























    • So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

      – student
      Mar 30 '13 at 9:55
















    2














    On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.






    share|improve this answer


























    • So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

      – student
      Mar 30 '13 at 9:55














    2












    2








    2







    On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.






    share|improve this answer















    On Linux, use dm-crypt, which is Linux's native block device encryption mechanism. Dm-crypt is supported by many distribution's installers (you may have to use the “advanced” or “server” installation media). The cryptsetup utility manages encrypted volumes. You do need a recent version to support TRIM: kernel ≥3.1 and cryptsetup ≥1.4.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Oct 11 '16 at 11:36









    Anthony Geoghegan

    7,76243954




    7,76243954










    answered Mar 30 '13 at 0:18









    GillesGilles

    537k12810871603




    537k12810871603













    • So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

      – student
      Mar 30 '13 at 9:55



















    • So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

      – student
      Mar 30 '13 at 9:55

















    So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

    – student
    Mar 30 '13 at 9:55





    So if I choose for example the standard lvm full system encryption of ubuntu (alternate) there should be no problems concerning performance/responsiveness and lifetime of the ssd?

    – student
    Mar 30 '13 at 9:55













    0














    The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.



    The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.



    You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.



    You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.



    Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.



    Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:




    • Mr. Julius Caesar: Round 3


    • Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).


    • Benchmarking Caesar entrants on FPGAs



    You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".






    share|improve this answer




























      0














      The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.



      The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.



      You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.



      You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.



      Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.



      Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:




      • Mr. Julius Caesar: Round 3


      • Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).


      • Benchmarking Caesar entrants on FPGAs



      You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".






      share|improve this answer


























        0












        0








        0







        The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.



        The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.



        You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.



        You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.



        Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.



        Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:




        • Mr. Julius Caesar: Round 3


        • Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).


        • Benchmarking Caesar entrants on FPGAs



        You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".






        share|improve this answer













        The SSDs you mention, Samsung 830, 840 or 840 Pro, have encryption hardware. I believe that you should use it for best performance. Be aware that there are many articles criticising early versions of most consumer-based encrypting drives firmware. Security Boulevard has another article titled: "SSD Encryption from Crucial and Samsung is not secure Exposes Data". There are ways to avoid some of those problems, see my other answer on Crypto.SE.



        The hardware is something you're paid for, since enabling encryption invites no penalty compared to software encryption it makes to use it or buy a lower priced SSD.



        You can enable encryption and set new passwords using a bootable USB drive with the necessary software on it. An example is offered on Puget Systems webpage: "Introduction to Self-Encrypting Drives (SED)" which offers a bootable DVD image including hdparm, another program that you can use is sedutil which is available for Linux and Windows. See also VxLabs article: "Use the hardware-based full disk encryption of your TCG Opal SSD with msed and the update linked at the bottom of the article. This article specifically mentions the Samsung 840 Pro and hdparm.



        You can improve your security by using software encryption in addition to the hardware encryption on your drives, this is useful because hardware encrypted drives are only secure when powered off. An unlocked hardware encrypted drive in a powered system (such as a laptop in sleep mode) isn't secured.



        Since you are using "a pretty old Core2 Duo P8700 at 2.53 GHz, without AES-NI" you should consider software other than AES 256.



        Check out the various webpages about the Caesar (Competition for Authenticated Encryption: Security, Applicability, and Robustness) entries:




        • Mr. Julius Caesar: Round 3


        • Cryptographic competitions: Caesar and Submissions (hint: COLM won for robustness, Morus for speed).


        • Benchmarking Caesar entrants on FPGAs



        You might be interested in the GitHub webpage: "MORUS-1280-256 Authenticated Cipher".







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 19 mins ago









        RobRob

        202129




        202129






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f70498%2fbest-way-to-encrypt-my-system-on-an-ssd%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Accessing regular linux commands in Huawei's Dopra Linux

            Can't connect RFCOMM socket: Host is down

            Kernel panic - not syncing: Fatal Exception in Interrupt