Re: ext3 or ext4 ? Encrypt ?

Micros50 wrote:
On Tue, 2009-08-25 at 09:59 -0700, Rick Stevens wrote:
Micros50 wrote:
When doing a fresh install and making new partitions I was greeted with
some new options that I had never seen before, namely the option to use
the newer ext4 file system and the option to encrypt a file system.

In my case I decided to go with ext4 except for the /boot partition in
which they recommended sticking with ext3.  So far so good, no issues
with using ext4.  I also decided to encrypt two partitions. So far so
good.

Wonder if anyone else feels it's best to go with these new options or
stick with the old options?

Whatever the choice I just want to make sure my system sticks
together... :) Hah.

ext4 does give you some performance enhancements.  It does have the same
caveat that ext3 has though, in that it's not built into the kernel by
default so it has to be in your initrd image when booting.  Also, grub
does not grok ext4, though, which is why the /boot partition must be
ext2 or ext3.

Encryption has been around quite a while.  The only thing different here
is that it's offered as part of Anaconda's setup.  It is purely
optional and IMHO rather useless except on removable media.

It introduces a performance hit (albeit minor) that will slow down
access to encrypted filesystems and puts a bit more load on the CPU.
For those reasons, I wouldn't use it on filesystems that are used for
high I/O (e.g. a database or the destination of a video encoder).

The fact you have to enter the passphrase for it when mounting makes
it difficult to use for remotely managed machines (e.g. servers in a
data center somewhere) and it really doesn't offer much security.  If
someone cracks into your system while it's mounted, it's a moot point.

If you want to encrypt a filesystem on removable media (e.g. a FLASH
drive, USB or firewire drive), then it can make some sense, but not
otherwise.

That's just my opinion.  I could be wrong.

So, in other words, on a hard disk that is installed in the system itself
encrypting the disc accomplishes little, unless of course someone were
to physically steal the computer or steal the drive itself.

Yes, that's my take on it. As you say below, once it's mounted the
encryption is transparent. If someone cracks into your system, the data
is no more protected than if it were unencrypted.  And if someone can
physically steal the system or open it and take the drive, you have
other security issues you should address first!  :-)

Now, if you keep personal data (passwords, account numbers, etc.) on a
FLASH key as I do, yes, I have it encrypted.  In fact, my passwords and
such are in a KeePassX database on that encrypted FLASH key and the
database itself requires a passphrase, so essentially it's double-
encrypted!  Welcome to the Department of Redundancy Department.

Nonetheless, I did, perhaps foolishly, encrypt a couple of my partitions
just to see if it does work and/or if there are any bizarre issues. Thus
far, other than having to answer a password, the encryption is more or
less transparent, i.e. everything works as normal. However, on my next
install/upgrade, I might just opt to go without the encryption. Of
course it depends on whether or not I'm in a cryptic mood. Hah hah. :)

Heheheh!  There's nothing foolish about it.  If you don't know just what
the encryption stuff is, nothing's better than experimentation.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                Huked on foniks reely wurked for me!                -
----------------------------------------------------------------------
