dm-crypt on Eee PC 901

19.12.2010 20:23

After making sure my data wouldn't be more vulnerable to disk failure I decided to use dm-crypt to encrypt the partition holding my home directory on Eee PC 901.

I'm leaving the root partition unencrypted for now and I only encrypted the second, 16 GB built-in SSD drive that I mount as my home directory. It's LUKS formatted using default settings (128-bit AES). I'm using pam-mount to mount the drive at login-time.

Setting this up following examples in README.Debian in libpam-mount package was mostly painless. The only problem I encountered was the fact that libpam-mount is slightly broken in Debian Lenny and required the following small fix to the mount.crypt utility to be actually able to mount encrypted drives:

--- libpam-mount-0.44.orig/scripts/mount.crypt	2010-12-18 19:30:27.000000000 +0100
+++ libpam-mount-0.44/scripts/mount.crypt	2010-12-18 17:21:16.000000000 +0100
@@ -57,7 +57,7 @@
 		exit 0;
 		;;
 	(-o)
-		OPTIONS="$2";
+		OPTIONS="${2/# /}";
 		shift 2;
 		;;
 	(--)

The GNOME Desktop behaves a bit weird with this setup and I now have two icons for the encrypted partition on my Desktop. Annoying, but not a show-stopper. Also at one point I saw it automatically mount an USB key that had a LUKS password identical to my system password without a password prompt, but later on that stopped working. I'm not quite sure what happened.

Finally, here are some timings of common operations before and after I encrypted the home partition:

Operationbeforeafter
Boot (power on button to GDM prompt)24 s24 s
Login (enter key on GDM prompt to icons appearing on the desktop)5 s8 s
Firefox 3.5.15 fresh start after boot5 s6 s

Login takes a little longer. That is expected, as pam-mount takes a while to mount the partition and run fsck on it after password entry. That was previously done on boot and probably in parallel with some other process as boot time stayed the same.

Kernel compile timings:

$ time CONCURRENCY_LEVEL=2 fakeroot make-kpkg kernel_image

# before
real	112m43.709s
user	154m26.811s
sys	10m33.868s

# after
real	125m56.766s
user	153m23.283s
sys	10m16.099s

The difference in wall-clock time is around 10% - noticeable, but not really significant. What is puzzling here is that user and system times stayed approximately the same - I would expect the CPU time spent on encryption to be added to system time row.

Posted by Tomaž | Categories: Code

Add a new comment


(No HTML tags allowed. Separate paragraphs with a blank line.)