lowfat
Posts: 11
Joined: Tue Sep 24, 2019 7:22 pm

Encrypted drives

Sat Sep 28, 2019 12:07 pm

Hi all,
Debian supports encrypted file systems such as the root file system but does Raspbian include that functionality?
What about encrypted thumb drives?
Thanks.

DougieLawson
Posts: 37699
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Encrypted drives

Sat Sep 28, 2019 12:10 pm

It is possible to install LUKS on a Raspberry, but there's no permanent BIOS NVRAM in which to store a key.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

Kendek
Posts: 145
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypted drives

Sat Sep 28, 2019 12:55 pm

The RPi4 doesn't have hardware-accelerated AES support, so the encryption is not very fast. The Google Adiantum performs better if you want an encrypted partition with LUKS.

cryptsetup luksFormat --type=luks2 --sector-size=4096 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/sdXN

> cryptsetup benchmark
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        25,1 MiB/s        83,3 MiB/s
        aes-cbc        256b        18,3 MiB/s        63,5 MiB/s
        aes-xts        256b        92,3 MiB/s        81,8 MiB/s
        aes-xts        512b        71,3 MiB/s        62,0 MiB/s

> cryptsetup benchmark -c xchacha12,aes-adiantum
#            Algorithm |       Key |      Encryption |      Decryption
xchacha12,aes-adiantum        256b       224,2 MiB/s       225,0 MiB/s

> cryptsetup benchmark -c xchacha20,aes-adiantum
#            Algorithm |       Key |      Encryption |      Decryption
xchacha20,aes-adiantum        256b       185,2 MiB/s       185,8 MiB/s
My setup:

> lsb_release -a
Distributor ID:	Ubuntu
Description:	Ubuntu Eoan Ermine (development branch)
Release:	19.10
Codename:	eoan

> uname -a
Linux RPI4 5.3.0-v8 #1 SMP PREEMPT Sat Sep 28 11:56:55 CEST 2019 aarch64 aarch64 aarch64 GNU/Linux
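
An added example, not part of Kendek's post: a POSIX shell helper that reads `cryptsetup benchmark` output (including the comma-decimal figures shown above) and picks the cipher whose slower direction is fastest, plus a check for the `aes` CPU feature in `/proc/cpuinfo`-style text. The function names are hypothetical; the sample rows are the figures from the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of cryptsetup.

# Succeeds if cpuinfo-style text on stdin lists an "aes" CPU feature
# ("Features" line on ARM, "flags" line on x86).
has_hw_aes() {
    grep -Eiq '^(Features|flags)[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# Reads `cryptsetup benchmark` output on stdin and prints "<cipher> <key bits>"
# for the row with the highest min(encryption, decryption) throughput.
fastest_cipher() {
    LC_ALL=C awk '
        # Cipher rows: name, key size ("256b"), then two "<number> MiB/s" pairs.
        $2 ~ /^[0-9]+b$/ && $4 == "MiB/s" && $6 == "MiB/s" {
            enc = $3; dec = $5
            sub(/,/, ".", enc); sub(/,/, ".", dec)   # "92,3" -> "92.3"
            slow = (enc + 0 < dec + 0) ? enc + 0 : dec + 0
            if (slow > best) { best = slow; name = $1; bits = $2 }
        }
        END {
            if (name == "") exit 1                   # no cipher rows found
            sub(/b$/, "", bits); print name, bits
        }'
}

# Sample input: the benchmark rows from the post above.
sample_benchmark() {
    cat <<'EOF'
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        25,1 MiB/s        83,3 MiB/s
        aes-cbc        256b        18,3 MiB/s        63,5 MiB/s
        aes-xts        256b        92,3 MiB/s        81,8 MiB/s
        aes-xts        512b        71,3 MiB/s        62,0 MiB/s
xchacha12,aes-adiantum        256b       224,2 MiB/s       225,0 MiB/s
xchacha20,aes-adiantum        256b       185,2 MiB/s       185,8 MiB/s
EOF
}

# On a real system, feed it live output instead. The default benchmark does
# not include Adiantum, so run both forms shown in the post:
#   { cryptsetup benchmark; cryptsetup benchmark -c xchacha12,aes-adiantum; } | fastest_cipher
#   has_hw_aes < /proc/cpuinfo && echo "CPU has AES instructions"
echo "fastest cipher in sample: $(sample_benchmark | fastest_cipher)"
```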

lowfat
Posts: 11
Joined: Tue Sep 24, 2019 7:22 pm

Re: Encrypted drives

Sat Sep 28, 2019 5:40 pm

DougieLawson wrote:
Sat Sep 28, 2019 12:10 pm
It is possible to install LUKS on a Raspberry, but there's no permanent BIOS NVRAM in which to store a key.
I'm OK with entering the password at boot-up if the bootloader supports that.

Kendek
Posts: 145
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypted drives

Sat Sep 28, 2019 6:05 pm

lowfat wrote:
Sat Sep 28, 2019 5:40 pm
I'm OK with entering the password at boot-up if the bootloader supports that.
You will need initramfs if you want to encrypt the system partition.

rpi4a
Posts: 1
Joined: Sun Jan 05, 2020 5:58 pm

Re: Encrypted drives

Sun Jan 05, 2020 6:05 pm

Kendek wrote:
Sat Sep 28, 2019 12:55 pm

> cryptsetup benchmark
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b        25,1 MiB/s        83,3 MiB/s
        aes-cbc        256b        18,3 MiB/s        63,5 MiB/s
        aes-xts        256b        92,3 MiB/s        81,8 MiB/s
        aes-xts        512b        71,3 MiB/s        62,0 MiB/s
Not bad! I have a Pentium T4300 that runs at 2.1GHz but is only about 10% faster than this.

However my Core i5 2.7 GHz is over 20 times faster:

        aes-cbc        128b       585.3 MiB/s      2366.0 MiB/s
        aes-cbc        256b       433.8 MiB/s      1855.9 MiB/s
        aes-xts        256b      1589.4 MiB/s      1593.7 MiB/s
        aes-xts        512b      1294.7 MiB/s      1293.2 MiB/s
