encryption

Posted: Fri May 29, 2020 2:09 pm
by Garg435698
Is there a good summary of available options for Raspbian full-disk encryption for the Pi 4's SD card, and for any attached hard drives (e.g. for an NAS server)?

Re: encryption

Posted: Fri May 29, 2020 3:08 pm
by Kendek
I think there are two evaluable options; dm-crypt with LUKS, and fscrypt.
For performance reasons, I recommend using Adiantum in both cases:

Code:

CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
CONFIG_CRYPTO_NHPOLY1305_NEON=m
CONFIG_FS_ENCRYPTION=y

Code:

> sudo cryptsetup luksFormat --type=luks2 --sector-size=4096 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/device-or-partition

/etc/fscrypt.conf:

Code:

{
	"source": "custom_passphrase",
	"hash_costs": {
		"time": "5",
		"memory": "131072",
		"parallelism": "4"
	},
	"compatibility": "",
	"options": {
		"padding": "32",
		"contents": "Adiantum",
		"filenames": "Adiantum",
		"policy_version": "2"
	},
	"use_fs_keyring_for_v1_policies": true
}

Code:

> sudo tune2fs -O encrypt /dev/partition
> sudo fscrypt encrypt /directory/path
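
A preflight check for the four kernel options listed in the post above, as an added example that is not part of the original post. It assumes you have a readable copy of the running kernel's config file (for instance extracted from /proc/config.gz where the kernel provides it); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel config file for the
# four options listed in the post before formatting anything.

# option_state FILE OPTION -> prints "y", "m" or "unset".
# "# CONFIG_X is not set" and absent lines both count as unset.
option_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-unset}"
}

# adiantum_verdict FILE -> prints one of:
#   unsupported  CONFIG_CRYPTO_ADIANTUM is unset, the cipher is unavailable
#   generic      Adiantum is present but a NEON option is unset, so part of
#                it runs in the slower portable C code
#   neon         Adiantum and both NEON options are enabled
adiantum_verdict() {
    if [ "$(option_state "$1" CONFIG_CRYPTO_ADIANTUM)" = unset ]; then
        echo unsupported
        return 0
    fi
    for opt in CONFIG_CRYPTO_CHACHA20_NEON CONFIG_CRYPTO_NHPOLY1305_NEON; do
        if [ "$(option_state "$1" "$opt")" = unset ]; then
            echo generic
            return 0
        fi
    done
    echo neon
}

# fscrypt_supported FILE -> exit status 0 when CONFIG_FS_ENCRYPTION is enabled.
fscrypt_supported() {
    [ "$(option_state "$1" CONFIG_FS_ENCRYPTION)" != unset ]
}

# Constructed sample config: NHPoly1305 NEON deliberately left unset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
# CONFIG_CRYPTO_NHPOLY1305_NEON is not set
CONFIG_FS_ENCRYPTION=y
EOF
echo "adiantum: $(adiantum_verdict "$sample")"
fscrypt_supported "$sample" && echo "fscrypt: supported"
```

A verdict of "generic" means the luksFormat command will still work but without the NEON speed-up the thread is discussing; "unsupported" means the Adiantum cipher spec cannot be used on that kernel.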

Re: encryption

Posted: Fri May 29, 2020 3:19 pm
by dickon
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.

Re: encryption

Posted: Fri May 29, 2020 3:23 pm
by Kendek
dickon wrote:
Fri May 29, 2020 3:19 pm
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.

The Adiantum performs perfectly well here. ;)

Re: encryption

Posted: Sun May 31, 2020 7:33 pm
by Garg435698
Kendek wrote:
Fri May 29, 2020 3:08 pm
I think there are two evaluable options; dm-crypt with LUKS, and fscrypt.
For performance reasons, I recommend using Adiantum in both cases:

Thanks, I'll give it a try.

Re: encryption

Posted: Sun May 31, 2020 9:40 pm
by jamesh
dickon wrote:
Fri May 29, 2020 3:19 pm
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.

True, but apparently the latest PIOS has this accelerated using NEON, so should be a bit quicker - would be interesting to see results.

Re: encryption

Posted: Sun May 31, 2020 9:52 pm
by dickon
Good news. Any idea which algorithms, and is there any attempt to port that to userland libraries?

It'll still have an impact, of course.

Re: encryption

Posted: Sun May 31, 2020 10:00 pm
by jamesh
dickon wrote:
Sun May 31, 2020 9:52 pm
Good news. Any idea which algorithms, and is there any attempt to port that to userland libraries?

It'll still have an impact, of course.

No idea, Eben mentioned it in the blog post, that's all I know.

Re: encryption

Posted: Sun May 31, 2020 10:02 pm
by dickon
I must've missed that. I'll look.

Ta.