Btrfs installation advices

Btrfs installation advices

[faurepierr]

Hi,

I'm curious about btrfs, and maybe considering it for my new laptop 
installation (a Lenovo T470).
I was going to install my usual lvm+ext4+full disk encryption setup, but 
thought I should maybe give a try to btrfs.


Is it possible to meet all these criteria?
- operating system: debian sid
- file system: btrfs
- disk encryption (or at least of sensitives partitions)
- hibernation feature (which implies a swap partition or file, and I've 
read btrfs is not a big fan of the latter)

If yes, how would you suggest me to achieve it?

Thanks for your kind help.

Re: Btrfs installation advices

[Rolf Wald]

[-- Attachment #1: Type: text/plain, Size: 2579 bytes --]

Hello,

some hints inside

Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
> Hi,
> 
> I'm curious about btrfs, and maybe considering it for my new laptop
> installation (a Lenovo T470).
> I was going to install my usual lvm+ext4+full disk encryption setup, but
> thought I should maybe give a try to btrfs.
> 
> 
> Is it possible to meet all these criteria?
> - operating system: debian sid
> - file system: btrfs
> - disk encryption (or at least of sensitives partitions)
> - hibernation feature (which implies a swap partition or file, and I've
> read btrfs is not a big fan of the latter)

A swap partition is not possible inside or with btrfs alone.

You can choose btrfs filesystem out of the box in debian install, but 
that would mean full-disk-encryption with lvm and btrfs. The extra layer 
lvm doesn't hurt, but you have two layers with many functions double, 
e.g. snapshotting, resize.

> 
> If yes, how would you suggest me to achieve it?

Yes, there is a solution, and it works for me now several years.
You need to build three partitions, e.g. named boot, swap, root. The 
sizes choose to your need. the boot partition remains unencrypted, but 
the other two partitions are encrypted with cryptsetup (luks) 
separately. Normally there are two passphrases to type in (and to 
remember), but there is an option in the cryptsetup scripts 
(/lib/cryptsetup/scripts) decrypt_derived, which could take the key from 
the root partition to decrypt the swap partition also. The filesystems 
then on the partitions are boot with ext(2,3,4), swap with swap and root 
with btrfs.
This configuration is not reachable with a standard debian installation. 
Debian always choose lvm if you want full encryption. You have to do the 
first steps manually: make partitions, cryptsetup(luks) for the 
partitions swap and root, and open the encrypted partitions manually. 
After that you can install your OS. The manual steps you have to make 
from a working distro, e.g. live system (disk or stick) with a recent 
kernel and recent btrfs-progs (debian sid is ok for this).
After the install of the OS you have to made the changes for a 
successful (re)boot manually. Please read the advices you can find in 
the net. There are some nice articles.

> 
> Thanks for your kind help.

-- 
Mit freundlichen Grüßen (kind regards) Rolf Wald
LUG-Balista Hamburg e.V., Germany
c/o Bürgerhaus Barmbek
Lorichsstr. 28a
22307 Hamburg
http://www.lug-hamburg.de
No HTML please
S/MIME signed email preferred, encryption wanted


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4308 bytes --]

Re: Btrfs installation advices

[Austin S. Hemmelgarn]

On 2018-05-08 03:50, Rolf Wald wrote:
> Hello,
> 
> some hints inside
> 
> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>> Hi,
>>
>> I'm curious about btrfs, and maybe considering it for my new laptop
>> installation (a Lenovo T470).
>> I was going to install my usual lvm+ext4+full disk encryption setup, but
>> thought I should maybe give a try to btrfs.
>>
>>
>> Is it possible to meet all these criteria?
>> - operating system: debian sid
>> - file system: btrfs
>> - disk encryption (or at least of sensitives partitions)
>> - hibernation feature (which implies a swap partition or file, and I've
>> read btrfs is not a big fan of the latter)
> 
> A swap partition is not possible inside or with btrfs alone.
> 
> You can choose btrfs filesystem out of the box in debian install, but 
> that would mean full-disk-encryption with lvm and btrfs. The extra layer 
> lvm doesn't hurt, but you have two layers with many functions double, 
> e.g. snapshotting, resize.
Um, this isn't really as much of an issue as you might think.  LVM has 
near zero overhead unless you're actually doing any of that stuff (as 
long as the LV is just a simple linear mapping, it has less than 1% more 
overhead than just using partitions).  The only real caveat here is to 
make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots of _ANY_ 
BTRFS volumes.  Doing so is a recipe for disaster, and will likely eat 
at least your data, and possibly your children.

The bigger issue is that dm-crypt generally slows down device access, 
which BTRFS is very sensitive to.  Using BTRFS with FDE works, but it's 
slow, so I would only suggest doing it with an SSD (and if you're using 
an SSD, you may be better off getting a TCG Opal compliant 
self-encrypting drive and just using the self-encryption functionality 
instead of FDE).
> 
>>
>> If yes, how would you suggest me to achieve it?
> 
> Yes, there is a solution, and it works for me now several years.
> You need to build three partitions, e.g. named boot, swap, root. The 
> sizes choose to your need. the boot partition remains unencrypted, but 
> the other two partitions are encrypted with cryptsetup (luks) 
> separately. Normally there are two passphrases to type in (and to 
> remember), but there is an option in the cryptsetup scripts 
> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key from 
> the root partition to decrypt the swap partition also. The filesystems 
> then on the partitions are boot with ext(2,3,4), swap with swap and root 
> with btrfs.
> This configuration is not reachable with a standard debian installation. 
> Debian always choose lvm if you want full encryption. You have to do the 
> first steps manually: make partitions, cryptsetup(luks) for the 
> partitions swap and root, and open the encrypted partitions manually. 
> After that you can install your OS. The manual steps you have to make 
> from a working distro, e.g. live system (disk or stick) with a recent 
> kernel and recent btrfs-progs (debian sid is ok for this).
> After the install of the OS you have to made the changes for a 
> successful (re)boot manually. Please read the advices you can find in 
> the net. There are some nice articles.
> 
>>
>> Thanks for your kind help.
> 

Re: Btrfs installation advices

[faurepierr]

Thanks you two very much for your answers.

So if I sum up correctly, I could:

1- use Self-Encrypting Drive (SED), since my drive is a Samsung NVMe 960 
EVO, which is supposed to support SED according to 
http://www.samsung.com/semiconductor/minisite/ssd/support/faqs-nvmessd:
"*Do Samsung NVMe M.2 SSDs have hardware encryption?*
Samsung NVMe SSDs provide internal hardware encryption of all data 
stored on the SSD, including the operating system. Data is decrypted 
through a pre-boot authentication process.
Because all user data is encrypted, private information is protected 
against loss or theft.
Encryption is done by hardware, which provides a safer environment 
without sacrificing performance.

The encryption methods provided by each Samsung NVMe SSD are: AES 
(Advanced Encryption Standard, Class0 SED) TCG/OPAL, and eDrive

Please note that you cannot use more than one encryption method 
simultaneously.


*Do Samsung NVMe M.2 SSDs support TCG Opal?*
TCG Opal is supported by Samsung NVMe SSDs (960EVO / PRO and newer). It 
is an authentication method that employs the protocol specified by the 
Trusted Computing Group (TCG) meaning that you will need to install TCG 
software supplied by a TCG OPAL software development company.

User authentication is done by pre-boot authentication provided by the 
software. For more detailed information and instructions, please contact 
a TCG software company. In addition, TCG/opal can only be enabled / 
disabled by using special security software. "

For the moment, I don't know how to use that self-encryption from linux. 
Could you please give me some tips or links about how you did?

2- now that the full drive is self-encrypted, I can build manually the 
three partitions from a live system: boot with ext(2,3,4), swap with 
swap, and root with btrfs

3- and finally install debian sid in the dedicaced partitions.

Am I right? :)


Le 08/05/2018 à 13:32, Austin S. Hemmelgarn a écrit :
> On 2018-05-08 03:50, Rolf Wald wrote:
>> Hello,
>>
>> some hints inside
>>
>> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>>> Hi,
>>>
>>> I'm curious about btrfs, and maybe considering it for my new laptop
>>> installation (a Lenovo T470).
>>> I was going to install my usual lvm+ext4+full disk encryption setup, 
>>> but
>>> thought I should maybe give a try to btrfs.
>>>
>>>
>>> Is it possible to meet all these criteria?
>>> - operating system: debian sid
>>> - file system: btrfs
>>> - disk encryption (or at least of sensitives partitions)
>>> - hibernation feature (which implies a swap partition or file, and I've
>>> read btrfs is not a big fan of the latter)
>>
>> A swap partition is not possible inside or with btrfs alone.
>>
>> You can choose btrfs filesystem out of the box in debian install, but 
>> that would mean full-disk-encryption with lvm and btrfs. The extra 
>> layer lvm doesn't hurt, but you have two layers with many functions 
>> double, e.g. snapshotting, resize.
> Um, this isn't really as much of an issue as you might think.  LVM has 
> near zero overhead unless you're actually doing any of that stuff (as 
> long as the LV is just a simple linear mapping, it has less than 1% 
> more overhead than just using partitions).  The only real caveat here 
> is to make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots 
> of _ANY_ BTRFS volumes.  Doing so is a recipe for disaster, and will 
> likely eat at least your data, and possibly your children.
>
> The bigger issue is that dm-crypt generally slows down device access, 
> which BTRFS is very sensitive to.  Using BTRFS with FDE works, but 
> it's slow, so I would only suggest doing it with an SSD (and if you're 
> using an SSD, you may be better off getting a TCG Opal compliant 
> self-encrypting drive and just using the self-encryption functionality 
> instead of FDE).
>>
>>>
>>> If yes, how would you suggest me to achieve it?
>>
>> Yes, there is a solution, and it works for me now several years.
>> You need to build three partitions, e.g. named boot, swap, root. The 
>> sizes choose to your need. the boot partition remains unencrypted, 
>> but the other two partitions are encrypted with cryptsetup (luks) 
>> separately. Normally there are two passphrases to type in (and to 
>> remember), but there is an option in the cryptsetup scripts 
>> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key 
>> from the root partition to decrypt the swap partition also. The 
>> filesystems then on the partitions are boot with ext(2,3,4), swap 
>> with swap and root with btrfs.
>> This configuration is not reachable with a standard debian 
>> installation. Debian always choose lvm if you want full encryption. 
>> You have to do the first steps manually: make partitions, 
>> cryptsetup(luks) for the partitions swap and root, and open the 
>> encrypted partitions manually. After that you can install your OS. 
>> The manual steps you have to make from a working distro, e.g. live 
>> system (disk or stick) with a recent kernel and recent btrfs-progs 
>> (debian sid is ok for this).
>> After the install of the OS you have to made the changes for a 
>> successful (re)boot manually. Please read the advices you can find in 
>> the net. There are some nice articles.
>>
>>>
>>> Thanks for your kind help.
>>
>

Re: Btrfs installation advices

[Niccolò Belli]

On martedì 8 maggio 2018 09:50:23 CEST, Rolf Wald wrote:
> You need to build three partitions, e.g. named boot, swap, root.

You don't need to use an unencrypted boot if you use grub:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29

A few hints for btrfs + LUKS + swap:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Btrfs_subvolumes_with_swap

Another solution is to use SED, as someone mentioned:
https://wiki.archlinux.org/index.php/Self-Encrypting_Drives

The only downside is that you can rest assured there will be NSA backdoors 
in hardware crypto.

Even better I suggest you to move to ZFS and use Native Encryption:
https://github.com/zfsonlinux/zfs/pull/5769

I recently got tired of btrfs never implementing things like snapshot-aware 
defrag (with no signs on the horizon that this is going to change soon) so 
I decided to switch my servers to ZFS. I'll let you know how crypto works 
if you're interested. I'll keep using btrfs on the clients though, at least 
for now.

Niccolò

Re: Btrfs installation advices

[Austin S. Hemmelgarn]

On 2018-05-12 21:58, faurepierr@gmail.com wrote:
> Thanks you two very much for your answers.
> 
> So if I sum up correctly, I could:
> 
> 1- use Self-Encrypting Drive (SED), since my drive is a Samsung NVMe 960 
> EVO, which is supposed to support SED according to 
> http://www.samsung.com/semiconductor/minisite/ssd/support/faqs-nvmessd:
> "*Do Samsung NVMe M.2 SSDs have hardware encryption?*
> Samsung NVMe SSDs provide internal hardware encryption of all data 
> stored on the SSD, including the operating system. Data is decrypted 
> through a pre-boot authentication process.
> Because all user data is encrypted, private information is protected 
> against loss or theft.
> Encryption is done by hardware, which provides a safer environment 
> without sacrificing performance.
> 
> The encryption methods provided by each Samsung NVMe SSD are: AES 
> (Advanced Encryption Standard, Class0 SED) TCG/OPAL, and eDrive
> 
> Please note that you cannot use more than one encryption method 
> simultaneously.
> 
> 
> *Do Samsung NVMe M.2 SSDs support TCG Opal?*
> TCG Opal is supported by Samsung NVMe SSDs (960EVO / PRO and newer). It 
> is an authentication method that employs the protocol specified by the 
> Trusted Computing Group (TCG) meaning that you will need to install TCG 
> software supplied by a TCG OPAL software development company.
> 
> User authentication is done by pre-boot authentication provided by the 
> software. For more detailed information and instructions, please contact 
> a TCG software company. In addition, TCG/opal can only be enabled / 
> disabled by using special security software. "
> 
> For the moment, I don't know how to use that self-encryption from linux. 
> Could you please give me some tips or links about how you did?
> 
> 2- now that the full drive is self-encrypted, I can build manually the 
> three partitions from a live system: boot with ext(2,3,4), swap with 
> swap, and root with btrfs
> 
> 3- and finally install debian sid in the dedicaced partitions.
> 
> Am I right? :)
Yes, that approach will work, assuming you trust Samsung (since they're 
the ones who wrote the code responsible for the encryption, and you 
can't inspect that code yourself).
> 
> 
> Le 08/05/2018 à 13:32, Austin S. Hemmelgarn a écrit :
>> On 2018-05-08 03:50, Rolf Wald wrote:
>>> Hello,
>>>
>>> some hints inside
>>>
>>> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>>>> Hi,
>>>>
>>>> I'm curious about btrfs, and maybe considering it for my new laptop
>>>> installation (a Lenovo T470).
>>>> I was going to install my usual lvm+ext4+full disk encryption setup, 
>>>> but
>>>> thought I should maybe give a try to btrfs.
>>>>
>>>>
>>>> Is it possible to meet all these criteria?
>>>> - operating system: debian sid
>>>> - file system: btrfs
>>>> - disk encryption (or at least of sensitives partitions)
>>>> - hibernation feature (which implies a swap partition or file, and I've
>>>> read btrfs is not a big fan of the latter)
>>>
>>> A swap partition is not possible inside or with btrfs alone.
>>>
>>> You can choose btrfs filesystem out of the box in debian install, but 
>>> that would mean full-disk-encryption with lvm and btrfs. The extra 
>>> layer lvm doesn't hurt, but you have two layers with many functions 
>>> double, e.g. snapshotting, resize.
>> Um, this isn't really as much of an issue as you might think.  LVM has 
>> near zero overhead unless you're actually doing any of that stuff (as 
>> long as the LV is just a simple linear mapping, it has less than 1% 
>> more overhead than just using partitions).  The only real caveat here 
>> is to make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots 
>> of _ANY_ BTRFS volumes.  Doing so is a recipe for disaster, and will 
>> likely eat at least your data, and possibly your children.
>>
>> The bigger issue is that dm-crypt generally slows down device access, 
>> which BTRFS is very sensitive to.  Using BTRFS with FDE works, but 
>> it's slow, so I would only suggest doing it with an SSD (and if you're 
>> using an SSD, you may be better off getting a TCG Opal compliant 
>> self-encrypting drive and just using the self-encryption functionality 
>> instead of FDE).
>>>
>>>>
>>>> If yes, how would you suggest me to achieve it?
>>>
>>> Yes, there is a solution, and it works for me now several years.
>>> You need to build three partitions, e.g. named boot, swap, root. The 
>>> sizes choose to your need. the boot partition remains unencrypted, 
>>> but the other two partitions are encrypted with cryptsetup (luks) 
>>> separately. Normally there are two passphrases to type in (and to 
>>> remember), but there is an option in the cryptsetup scripts 
>>> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key 
>>> from the root partition to decrypt the swap partition also. The 
>>> filesystems then on the partitions are boot with ext(2,3,4), swap 
>>> with swap and root with btrfs.
>>> This configuration is not reachable with a standard debian 
>>> installation. Debian always choose lvm if you want full encryption. 
>>> You have to do the first steps manually: make partitions, 
>>> cryptsetup(luks) for the partitions swap and root, and open the 
>>> encrypted partitions manually. After that you can install your OS. 
>>> The manual steps you have to make from a working distro, e.g. live 
>>> system (disk or stick) with a recent kernel and recent btrfs-progs 
>>> (debian sid is ok for this).
>>> After the install of the OS you have to made the changes for a 
>>> successful (re)boot manually. Please read the advices you can find in 
>>> the net. There are some nice articles.
>>>
>>>>
>>>> Thanks for your kind help.
>>>
>>
> 
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html