encryption
Is there a good summary of available options for Raspbian full-disk encryption for the Pi 4's SD card, and for any attached hard drives (e.g. for an NAS server)?
Re: encryption
I think there are two evaluable options; dm-crypt with LUKS, and fscrypt.
For performance reasons, I recommend using Adiantum in both cases:
Code:
CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
CONFIG_CRYPTO_NHPOLY1305_NEON=m
CONFIG_FS_ENCRYPTION=y
Code:
$ sudo cryptsetup luksFormat --type=luks2 --sector-size=4096 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/device-or-partition
/etc/fscrypt.conf:
Code:
{
    "source": "custom_passphrase",
    "hash_costs": {
        "time": "5",
        "memory": "131072",
        "parallelism": "4"
    },
    "compatibility": "",
    "options": {
        "padding": "32",
        "contents": "Adiantum",
        "filenames": "Adiantum",
        "policy_version": "2"
    },
    "use_fs_keyring_for_v1_policies": true
}
Code:
$ sudo tune2fs -O encrypt /dev/partition
$ sudo fscrypt encrypt /directory/path
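A preflight check for the four kernel options listed in the post above, as an added example that is not part of the original post: it reports which options a kernel config lacks before `cryptsetup luksFormat` or `fscrypt encrypt` is attempted. The function names and the config locations (`/proc/config.gz`, `/boot/config-$(uname -r)`) are assumptions; not every image ships either file.

```shell
#!/bin/sh
# Added example. Option names come from the post; =y (built in) or =m (module)
# both count as enabled here.
REQUIRED_OPTS="CONFIG_CRYPTO_ADIANTUM CONFIG_CRYPTO_CHACHA20_NEON CONFIG_CRYPTO_NHPOLY1305_NEON CONFIG_FS_ENCRYPTION"

# missing_opts FILE: print each required option that FILE does not set to y or m.
# FILE is a plain-text kernel config; a name ending in .gz is decompressed first.
missing_opts() {
    cfg=$1
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    for opt in $REQUIRED_OPTS; do
        # Anchored match: CONFIG_FOO must not match CONFIG_FOO_BAR, and
        # "# CONFIG_FOO is not set" must count as missing.
        if ! $reader "$cfg" | grep -Eq "^${opt}=(y|m)\$"; then
            printf '%s\n' "$opt"
        fi
    done
}

# find_kernel_config: print the first readable config for the running kernel
# (assumed locations; neither is guaranteed to exist).
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# preflight [FILE]: return 0 only if every required option is enabled,
# 1 if any is missing, 2 if no config could be found.
preflight() {
    cfg=${1:-$(find_kernel_config)} || { echo "no kernel config found" >&2; return 2; }
    missing=$(missing_opts "$cfg")
    [ -z "$missing" ] && return 0
    echo "missing in $cfg: $(echo $missing)" >&2
    return 1
}
```

Source the file and run `preflight` (or `preflight /path/to/config`) before formatting; a non-zero status means the Adiantum cipher or filesystem encryption support is not available in that kernel build.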
Re: encryption
Worth noting that there's no hardware crypto on any Pi SoC, so it'll all be done in software and may have quite a hit on performance. CPU-intensive workloads may be hit hard if anything is doing disc IO at the same time, for example.
As it is apparently board policy to disallow any criticism of anything, as it appears to criticise something is to criticise all the users of that something, I will no longer be commenting in threads which are not directly relevant to my uses of the Pi.
Re: encryption
The Adiantum performs perfectly well here.

Re: encryption
True but apparently the latest PIOS has this accelerated using NEON, so should be a bit quicker - would be interesting to see results.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.
Re: encryption
Good news. Any idea which algorithms, and is there any attempt to port that to userland libraries?
It'll still have an impact, of course.
Re: encryption
No idea, Eben mentioned it in the blog post, that's all I know.
Re: encryption
I must've missed that. I'll look.
Ta.