Garg435698
Posts: 8
Joined: Tue Sep 15, 2015 12:10 pm

encryption

Fri May 29, 2020 2:09 pm

Is there a good summary of available options for Raspbian full-disk encryption for the Pi 4's SD card, and for any attached hard drives (e.g. for an NAS server)?

Kendek
Posts: 269
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: encryption

Fri May 29, 2020 3:08 pm

I think there are two evaluable options; dm-crypt with LUKS, and fscrypt.
For performance reasons, I recommend using Adiantum in both cases:

CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
CONFIG_CRYPTO_NHPOLY1305_NEON=m
CONFIG_FS_ENCRYPTION=y

> sudo cryptsetup luksFormat --type=luks2 --sector-size=4096 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/device-or-partition

/etc/fscrypt.conf:

{
	"source": "custom_passphrase",
	"hash_costs": {
		"time": "5",
		"memory": "131072",
		"parallelism": "4"
	},
	"compatibility": "",
	"options": {
		"padding": "32",
		"contents": "Adiantum",
		"filenames": "Adiantum",
		"policy_version": "2"
	},
	"use_fs_keyring_for_v1_policies": true
}

> sudo tune2fs -O encrypt /dev/partition
> sudo fscrypt encrypt /directory/path
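
A pre-flight check for the kernel options listed in the post above, as an added example that is not part of the original thread. The function name, the `REQUIRED_OPTS` variable and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Kernel options listed in the post above (Adiantum for dm-crypt and fscrypt).
REQUIRED_OPTS="CONFIG_CRYPTO_ADIANTUM CONFIG_CRYPTO_CHACHA20_NEON
CONFIG_CRYPTO_NHPOLY1305_NEON CONFIG_FS_ENCRYPTION"

# missing_adiantum_opts FILE  (hypothetical helper, not a cryptsetup/fscrypt tool)
# Prints every required option that FILE does not set to =y or =m.
# Returns 0 when all are enabled, 1 when any is missing, 2 if FILE is unreadable.
missing_adiantum_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=""
    for opt in $REQUIRED_OPTS; do
        # An absent line and "# CONFIG_X is not set" both count as missing.
        if ! grep -Eq "^${opt}=[ym]\$" "$cfg"; then
            missing="${missing:+$missing }$opt"
        fi
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample config: the NHPoly1305 NEON option is disabled here,
# so luksFormat with Adiantum would lack its accelerated hash on this kernel.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
# CONFIG_CRYPTO_NHPOLY1305_NEON is not set
CONFIG_FS_ENCRYPTION=y
EOF

if result=$(missing_adiantum_opts "$sample_cfg"); then
    echo "all Adiantum options enabled"
else
    echo "missing: $result"
fi
```

On a real system, pass the running kernel's config file instead of the sample, for example one extracted with `zcat /proc/config.gz` where the kernel exposes it.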

dickon
Posts: 1876
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: encryption

Fri May 29, 2020 3:19 pm

Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.
As it is apparently board policy to disallow any criticism of anything, as it appears to criticise something is to criticise all the users of that something, I will no longer be commenting in threads which are not directly relevant to my uses of the Pi.

Kendek
Posts: 269
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: encryption

Fri May 29, 2020 3:23 pm

dickon wrote:
Fri May 29, 2020 3:19 pm
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.

The Adiantum performs perfectly well here. ;)

Garg435698
Posts: 8
Joined: Tue Sep 15, 2015 12:10 pm

Re: encryption

Sun May 31, 2020 7:33 pm

Kendek wrote:
Fri May 29, 2020 3:08 pm
I think there are two evaluable options; dm-crypt with LUKS, and fscrypt.
For performance reasons, I recommend using Adiantum in both cases:

Thanks, I'll give it a try.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27726
Joined: Sat Jul 30, 2011 7:41 pm

Re: encryption

Sun May 31, 2020 9:40 pm

dickon wrote:
Fri May 29, 2020 3:19 pm
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.

True but apparently the latest PIOS has this accelerated using NEON, so should be a bit quicker - would be interesting to see results.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

dickon
Posts: 1876
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: encryption

Sun May 31, 2020 9:52 pm

Good news. Any idea which algorithms, and is there any attempt to port that to userland libraries?

It'll still have an impact, of course.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27726
Joined: Sat Jul 30, 2011 7:41 pm

Re: encryption

Sun May 31, 2020 10:00 pm

dickon wrote:
Sun May 31, 2020 9:52 pm
Good news. Any idea which algorithms, and is there any attempt to port that to userland libraries?

It'll still have an impact, of course.

No idea, Eben mentioned it in the blog post, that's all I know.

dickon
Posts: 1876
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: encryption

Sun May 31, 2020 10:02 pm

I must've missed that. I'll look.

Ta.