First of all, dm-crypt is a device mapper target in the Linux kernel that provides an encrypted disk. eCryptfs is a stacked, or layered, filesystem that sits on top of another filesystem to provide an encrypted view.
dm-crypt
To use dm-crypt, it is better to use the cryptsetup tool than the original dmsetup tool for the device mapper. On an Ubuntu box, you need to install it and the hashalot tool first:
sudo apt-get install cryptsetup hashalot
Then run modprobe dm-crypt to load the kernel module. To use a device, say /dev/sdb1, create a mapper like this (su to root to avoid sudo):
cryptsetup -c [cipher-string] -b `blockdev --getsize /dev/sdb1` -h ripemd160 create mapper1 /dev/sdb1
You can find more information in man cryptsetup. Here -c specifies the cipher in the format cipher-mode-ivgenerator, e.g. aes-cbc-plain uses the AES algorithm in CBC cipher mode with a 'plain' IV generator. -h ripemd160 specifies the hash used to derive the key from your passphrase, which the cryptsetup command above will prompt for. The command creates a mapper called mapper1 under /dev/mapper. You can then treat it like a hard drive: mount it, or create a filesystem on it first.
Current dm-crypt doesn't allow ECB mode; however, you can easily find the code that prevents ECB in /drivers/md/dm-crypt.c and comment it out. Keep in mind that ECB encrypts identical plaintext blocks to identical ciphertext blocks, so patterns in the data stay visible on disk.
To delete the mapper:
cryptsetup remove mapper1
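The cipher string and the ECB restriction described above are worth checking on mappings that already exist. As an added example (not from the original post), this script reads `dmsetup table` output and classifies each crypt target's cipher string; the sample lines, the zero key placeholders and the verdict labels are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify dm-crypt cipher specs from `dmsetup table` output.
# crypt target line format:
#   <name>: <start> <length> crypt <cipher-spec> <key> <iv_offset> <device> <offset>
# <length> is counted in 512-byte sectors.

audit_crypt_table() (
    while read -r name start length target spec rest; do
        [ "$target" = "crypt" ] || continue       # ignore linear, striped, ...
        name=${name%:}
        # Split "cipher-mode-iv[:opts]" using parameter expansion only.
        cipher=${spec%%-*}
        tail=${spec#"$cipher"}; tail=${tail#-}
        mode=${tail%%-*}
        iv=${tail#"$mode"}; iv=${iv#-}; iv=${iv%%:*}
        if [ -z "$mode" ]; then
            verdict=unparsed                      # not a cipher-mode-iv string
        elif [ "$mode" = ecb ]; then
            verdict=weak-ecb                      # equal plaintext blocks give equal ciphertext
        elif [ "$mode" = cbc ] && { [ "$iv" = plain ] || [ "$iv" = plain64 ]; }; then
            verdict=weak-cbc-predictable-iv       # the IV is just the sector number
        elif [ "$iv" = plain ] && [ "$length" -gt 4294967296 ]; then
            verdict=weak-iv-wrap                  # 32-bit sector IV repeats past 2^32 sectors
        else
            verdict=ok
        fi
        printf '%s %s %s\n' "$name" "$spec" "$verdict"
    done
)

# Constructed sample input; on a real system use: dmsetup table | audit_crypt_table
sample_table() {
    cat <<'EOF'
mapper1: 0 2097152 crypt aes-cbc-plain 00000000 0 8:17 0
bench_ecb: 0 2097152 crypt aes-ecb 00000000 0 8:18 0
big: 0 5000000000 crypt aes-xts-plain 00000000 0 8:33 0
data: 0 2097152 crypt aes-xts-plain64 00000000 0 8:49 0
vg-root: 0 41943040 linear 8:2 2048
EOF
}

sample_table | audit_crypt_table
```

Cipher strings in other notations are reported as unparsed or ok without further analysis, so treat the output as a first pass.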
eCryptfs is simpler: just take any empty folder, say /home/name/data, and do a mount:
mount -t ecryptfs /home/name/data /home/name/data
This will hide /home/name/data behind the encrypted view provided by eCryptfs. The mount will ask you some questions; just answer them as you like. Oh, don't forget to modprobe ecryptfs for the kernel module.
Now you might want to measure the performance. Every benchmark has its own features, but one important thing is to clear the page cache before reading (flush pending writes first, since dirty pages are not dropped):
echo 3 > /proc/sys/vm/drop_caches
By the way, both of them work well with KGPU's AES cipher with a little change.
More tips:
OK, more about RAID:
To set up a RAID6 array with 10 disks and a 128KB chunk size using RAM disks:
mdadm --create /dev/md0 /dev/ram[0-9] -n 10 -l 6 --chunk=128
To mark a disk as faulty:
mdadm --manage --set-faulty /dev/md0 /dev/ramX
To remove the array:
mdadm --stop /dev/md0
And about dd:
Use iflag=direct or oflag=direct to bypass the page cache and test real disk performance.