From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <alto.spam@laposte.net>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id IqCDBl3jPjnv for <dm-crypt@saout.de>;
 Mon, 19 Sep 2011 18:19:21 +0200 (CEST)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr
 [80.12.242.127]) by mail.saout.de (Postfix) with ESMTP
 for <dm-crypt@saout.de>; Mon, 19 Sep 2011 18:19:21 +0200 (CEST)
Message-ID: <4E7769C7.5040805@laposte.net>
Date: Mon, 19 Sep 2011 18:11:51 +0200
From: Quentin Lefebvre <alto.spam@laposte.net>
MIME-Version: 1.0
References: <1316447158.7965.12.camel@zarniwoop> <1316448000.17657.3@mofo>
In-Reply-To: <1316448000.17657.3@mofo>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [dm-crypt] Questions about LUKS / LVM
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On 19/09/2011 18:00, Karl O. Pinc wrote :
> On 09/19/2011 10:45:52 AM, Robbie Smith wrote:
> 
>> How much of a load on the system would LUKS + LVM be? Is it
>> likely to result in a noticeable drop in performance?
> 
> It all depends, but generally no because cpu is _so_ much
> faster than disk these days.

Indeed, you won't notice it on a modern computer, especially for every
day use. It may be painful for data transfer from one encrypted disk to
another encrypted disk, but you can expect very good rates anyway. It
depends on the cipher you use, on your machine, ...

>> Does entering the key(s) at boot decrypt the whole volume,
>> or just provide a means for the kernel module
>> to decrypt and encrypt on-the-fly?
> 
> The latter.
> 
>> And… how does it work? The documentation makes mention of multiple
>> key-slots; but I'm a little baffled as to how different keys can be
>> used to decrypt the same volume. It is based on symmetric
>> cryptography isn't it?
> 
> Yes, but the master key is encrypted by each key, separately, and 
> that's what your multiple passwords decrypt.
> 
> See the tks-1 paper (iirc) referenced on the wiki for more info.

This is important as it means your disk encryption is basically as
strong as your "weaker key slot". e.g. a very bad password for one key
slot make all other passwords/keys inefficient.

Thanks, Karl, for the link.

Best,
Quentin