* Btrfs installation advices
@ 2018-05-08 0:22 faurepierr
2018-05-08 7:50 ` Rolf Wald
0 siblings, 1 reply; 6+ messages in thread
From: faurepierr @ 2018-05-08 0:22 UTC (permalink / raw)
To: linux-btrfs
Hi,
I'm curious about btrfs, and maybe considering it for my new laptop
installation (a Lenovo T470).
I was going to install my usual lvm+ext4+full disk encryption setup, but
thought I should maybe give a try to btrfs.
Is it possible to meet all these criteria?
- operating system: debian sid
- file system: btrfs
- disk encryption (or at least of sensitives partitions)
- hibernation feature (which implies a swap partition or file, and I've
read btrfs is not a big fan of the latter)
If yes, how would you suggest me to achieve it?
Thanks for your kind help.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Btrfs installation advices
2018-05-08 0:22 Btrfs installation advices faurepierr
@ 2018-05-08 7:50 ` Rolf Wald
2018-05-08 11:32 ` Austin S. Hemmelgarn
2018-05-13 11:55 ` Niccolò Belli
0 siblings, 2 replies; 6+ messages in thread
From: Rolf Wald @ 2018-05-08 7:50 UTC (permalink / raw)
To: faurepierr, linux-btrfs
[-- Attachment #1: Type: text/plain, Size: 2579 bytes --]
Hello,
some hints inside
Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
> Hi,
>
> I'm curious about btrfs, and maybe considering it for my new laptop
> installation (a Lenovo T470).
> I was going to install my usual lvm+ext4+full disk encryption setup, but
> thought I should maybe give a try to btrfs.
>
>
> Is it possible to meet all these criteria?
> - operating system: debian sid
> - file system: btrfs
> - disk encryption (or at least of sensitives partitions)
> - hibernation feature (which implies a swap partition or file, and I've
> read btrfs is not a big fan of the latter)
A swap partition is not possible inside or with btrfs alone.
You can choose btrfs filesystem out of the box in debian install, but
that would mean full-disk-encryption with lvm and btrfs. The extra layer
lvm doesn't hurt, but you have two layers with many functions double,
e.g. snapshotting, resize.
>
> If yes, how would you suggest me to achieve it?
Yes, there is a solution, and it works for me now several years.
You need to build three partitions, e.g. named boot, swap, root. The
sizes choose to your need. the boot partition remains unencrypted, but
the other two partitions are encrypted with cryptsetup (luks)
separately. Normally there are two passphrases to type in (and to
remember), but there is an option in the cryptsetup scripts
(/lib/cryptsetup/scripts) decrypt_derived, which could take the key from
the root partition to decrypt the swap partition also. The filesystems
then on the partitions are boot with ext(2,3,4), swap with swap and root
with btrfs.
This configuration is not reachable with a standard debian installation.
Debian always choose lvm if you want full encryption. You have to do the
first steps manually: make partitions, cryptsetup(luks) for the
partitions swap and root, and open the encrypted partitions manually.
After that you can install your OS. The manual steps you have to make
from a working distro, e.g. live system (disk or stick) with a recent
kernel and recent btrfs-progs (debian sid is ok for this).
After the install of the OS you have to made the changes for a
successful (re)boot manually. Please read the advices you can find in
the net. There are some nice articles.
>
> Thanks for your kind help.
--
Mit freundlichen Grüßen (kind regards) Rolf Wald
LUG-Balista Hamburg e.V., Germany
c/o Bürgerhaus Barmbek
Lorichsstr. 28a
22307 Hamburg
http://www.lug-hamburg.de
No HTML please
S/MIME signed email preferred, encryption wanted
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4308 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Btrfs installation advices
2018-05-08 7:50 ` Rolf Wald
@ 2018-05-08 11:32 ` Austin S. Hemmelgarn
2018-05-13 1:58 ` faurepierr
2018-05-13 11:55 ` Niccolò Belli
1 sibling, 1 reply; 6+ messages in thread
From: Austin S. Hemmelgarn @ 2018-05-08 11:32 UTC (permalink / raw)
To: Rolf Wald, faurepierr, linux-btrfs
On 2018-05-08 03:50, Rolf Wald wrote:
> Hello,
>
> some hints inside
>
> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>> Hi,
>>
>> I'm curious about btrfs, and maybe considering it for my new laptop
>> installation (a Lenovo T470).
>> I was going to install my usual lvm+ext4+full disk encryption setup, but
>> thought I should maybe give a try to btrfs.
>>
>>
>> Is it possible to meet all these criteria?
>> - operating system: debian sid
>> - file system: btrfs
>> - disk encryption (or at least of sensitives partitions)
>> - hibernation feature (which implies a swap partition or file, and I've
>> read btrfs is not a big fan of the latter)
>
> A swap partition is not possible inside or with btrfs alone.
>
> You can choose btrfs filesystem out of the box in debian install, but
> that would mean full-disk-encryption with lvm and btrfs. The extra layer
> lvm doesn't hurt, but you have two layers with many functions double,
> e.g. snapshotting, resize.
Um, this isn't really as much of an issue as you might think. LVM has
near zero overhead unless you're actually doing any of that stuff (as
long as the LV is just a simple linear mapping, it has less than 1% more
overhead than just using partitions). The only real caveat here is to
make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots of _ANY_
BTRFS volumes. Doing so is a recipe for disaster, and will likely eat
at least your data, and possibly your children.
The bigger issue is that dm-crypt generally slows down device access,
which BTRFS is very sensitive to. Using BTRFS with FDE works, but it's
slow, so I would only suggest doing it with an SSD (and if you're using
an SSD, you may be better off getting a TCG Opal compliant
self-encrypting drive and just using the self-encryption functionality
instead of FDE).
>
>>
>> If yes, how would you suggest me to achieve it?
>
> Yes, there is a solution, and it works for me now several years.
> You need to build three partitions, e.g. named boot, swap, root. The
> sizes choose to your need. the boot partition remains unencrypted, but
> the other two partitions are encrypted with cryptsetup (luks)
> separately. Normally there are two passphrases to type in (and to
> remember), but there is an option in the cryptsetup scripts
> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key from
> the root partition to decrypt the swap partition also. The filesystems
> then on the partitions are boot with ext(2,3,4), swap with swap and root
> with btrfs.
> This configuration is not reachable with a standard debian installation.
> Debian always choose lvm if you want full encryption. You have to do the
> first steps manually: make partitions, cryptsetup(luks) for the
> partitions swap and root, and open the encrypted partitions manually.
> After that you can install your OS. The manual steps you have to make
> from a working distro, e.g. live system (disk or stick) with a recent
> kernel and recent btrfs-progs (debian sid is ok for this).
> After the install of the OS you have to made the changes for a
> successful (re)boot manually. Please read the advices you can find in
> the net. There are some nice articles.
>
>>
>> Thanks for your kind help.
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Btrfs installation advices
2018-05-08 11:32 ` Austin S. Hemmelgarn
@ 2018-05-13 1:58 ` faurepierr
2018-05-14 11:44 ` Austin S. Hemmelgarn
0 siblings, 1 reply; 6+ messages in thread
From: faurepierr @ 2018-05-13 1:58 UTC (permalink / raw)
To: linux-btrfs
Thanks you two very much for your answers.
So if I sum up correctly, I could:
1- use Self-Encrypting Drive (SED), since my drive is a Samsung NVMe 960
EVO, which is supposed to support SED according to
http://www.samsung.com/semiconductor/minisite/ssd/support/faqs-nvmessd:
"*Do Samsung NVMe M.2 SSDs have hardware encryption?*
Samsung NVMe SSDs provide internal hardware encryption of all data
stored on the SSD, including the operating system. Data is decrypted
through a pre-boot authentication process.
Because all user data is encrypted, private information is protected
against loss or theft.
Encryption is done by hardware, which provides a safer environment
without sacrificing performance.
The encryption methods provided by each Samsung NVMe SSD are: AES
(Advanced Encryption Standard, Class0 SED) TCG/OPAL, and eDrive
Please note that you cannot use more than one encryption method
simultaneously.
*Do Samsung NVMe M.2 SSDs support TCG Opal?*
TCG Opal is supported by Samsung NVMe SSDs (960EVO / PRO and newer). It
is an authentication method that employs the protocol specified by the
Trusted Computing Group (TCG) meaning that you will need to install TCG
software supplied by a TCG OPAL software development company.
User authentication is done by pre-boot authentication provided by the
software. For more detailed information and instructions, please contact
a TCG software company. In addition, TCG/opal can only be enabled /
disabled by using special security software. "
For the moment, I don't know how to use that self-encryption from linux.
Could you please give me some tips or links about how you did?
2- now that the full drive is self-encrypted, I can build manually the
three partitions from a live system: boot with ext(2,3,4), swap with
swap, and root with btrfs
3- and finally install debian sid in the dedicaced partitions.
Am I right? :)
Le 08/05/2018 à 13:32, Austin S. Hemmelgarn a écrit :
> On 2018-05-08 03:50, Rolf Wald wrote:
>> Hello,
>>
>> some hints inside
>>
>> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>>> Hi,
>>>
>>> I'm curious about btrfs, and maybe considering it for my new laptop
>>> installation (a Lenovo T470).
>>> I was going to install my usual lvm+ext4+full disk encryption setup,
>>> but
>>> thought I should maybe give a try to btrfs.
>>>
>>>
>>> Is it possible to meet all these criteria?
>>> - operating system: debian sid
>>> - file system: btrfs
>>> - disk encryption (or at least of sensitives partitions)
>>> - hibernation feature (which implies a swap partition or file, and I've
>>> read btrfs is not a big fan of the latter)
>>
>> A swap partition is not possible inside or with btrfs alone.
>>
>> You can choose btrfs filesystem out of the box in debian install, but
>> that would mean full-disk-encryption with lvm and btrfs. The extra
>> layer lvm doesn't hurt, but you have two layers with many functions
>> double, e.g. snapshotting, resize.
> Um, this isn't really as much of an issue as you might think. LVM has
> near zero overhead unless you're actually doing any of that stuff (as
> long as the LV is just a simple linear mapping, it has less than 1%
> more overhead than just using partitions). The only real caveat here
> is to make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots
> of _ANY_ BTRFS volumes. Doing so is a recipe for disaster, and will
> likely eat at least your data, and possibly your children.
>
> The bigger issue is that dm-crypt generally slows down device access,
> which BTRFS is very sensitive to. Using BTRFS with FDE works, but
> it's slow, so I would only suggest doing it with an SSD (and if you're
> using an SSD, you may be better off getting a TCG Opal compliant
> self-encrypting drive and just using the self-encryption functionality
> instead of FDE).
>>
>>>
>>> If yes, how would you suggest me to achieve it?
>>
>> Yes, there is a solution, and it works for me now several years.
>> You need to build three partitions, e.g. named boot, swap, root. The
>> sizes choose to your need. the boot partition remains unencrypted,
>> but the other two partitions are encrypted with cryptsetup (luks)
>> separately. Normally there are two passphrases to type in (and to
>> remember), but there is an option in the cryptsetup scripts
>> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key
>> from the root partition to decrypt the swap partition also. The
>> filesystems then on the partitions are boot with ext(2,3,4), swap
>> with swap and root with btrfs.
>> This configuration is not reachable with a standard debian
>> installation. Debian always choose lvm if you want full encryption.
>> You have to do the first steps manually: make partitions,
>> cryptsetup(luks) for the partitions swap and root, and open the
>> encrypted partitions manually. After that you can install your OS.
>> The manual steps you have to make from a working distro, e.g. live
>> system (disk or stick) with a recent kernel and recent btrfs-progs
>> (debian sid is ok for this).
>> After the install of the OS you have to made the changes for a
>> successful (re)boot manually. Please read the advices you can find in
>> the net. There are some nice articles.
>>
>>>
>>> Thanks for your kind help.
>>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Btrfs installation advices
2018-05-08 7:50 ` Rolf Wald
2018-05-08 11:32 ` Austin S. Hemmelgarn
@ 2018-05-13 11:55 ` Niccolò Belli
1 sibling, 0 replies; 6+ messages in thread
From: Niccolò Belli @ 2018-05-13 11:55 UTC (permalink / raw)
To: Rolf Wald; +Cc: faurepierr, linux-btrfs
On martedì 8 maggio 2018 09:50:23 CEST, Rolf Wald wrote:
> You need to build three partitions, e.g. named boot, swap, root.
You don't need to use an unencrypted boot if you use grub:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29
A few hints for btrfs + LUKS + swap:
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Btrfs_subvolumes_with_swap
Another solution is to use SED, as someone mentioned:
https://wiki.archlinux.org/index.php/Self-Encrypting_Drives
The only downside is that you can rest assured there will be NSA backdoors
in hardware crypto.
Even better I suggest you to move to ZFS and use Native Encryption:
https://github.com/zfsonlinux/zfs/pull/5769
I recently got tired of btrfs never implementing things like snapshot-aware
defrag (with no signs on the horizon that this is going to change soon) so
I decided to switch my servers to ZFS. I'll let you know how crypto works
if you're interested. I'll keep using btrfs on the clients though, at least
for now.
Niccolò
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Btrfs installation advices
2018-05-13 1:58 ` faurepierr
@ 2018-05-14 11:44 ` Austin S. Hemmelgarn
0 siblings, 0 replies; 6+ messages in thread
From: Austin S. Hemmelgarn @ 2018-05-14 11:44 UTC (permalink / raw)
To: faurepierr, linux-btrfs
On 2018-05-12 21:58, faurepierr@gmail.com wrote:
> Thanks you two very much for your answers.
>
> So if I sum up correctly, I could:
>
> 1- use Self-Encrypting Drive (SED), since my drive is a Samsung NVMe 960
> EVO, which is supposed to support SED according to
> http://www.samsung.com/semiconductor/minisite/ssd/support/faqs-nvmessd:
> "*Do Samsung NVMe M.2 SSDs have hardware encryption?*
> Samsung NVMe SSDs provide internal hardware encryption of all data
> stored on the SSD, including the operating system. Data is decrypted
> through a pre-boot authentication process.
> Because all user data is encrypted, private information is protected
> against loss or theft.
> Encryption is done by hardware, which provides a safer environment
> without sacrificing performance.
>
> The encryption methods provided by each Samsung NVMe SSD are: AES
> (Advanced Encryption Standard, Class0 SED) TCG/OPAL, and eDrive
>
> Please note that you cannot use more than one encryption method
> simultaneously.
>
>
> *Do Samsung NVMe M.2 SSDs support TCG Opal?*
> TCG Opal is supported by Samsung NVMe SSDs (960EVO / PRO and newer). It
> is an authentication method that employs the protocol specified by the
> Trusted Computing Group (TCG) meaning that you will need to install TCG
> software supplied by a TCG OPAL software development company.
>
> User authentication is done by pre-boot authentication provided by the
> software. For more detailed information and instructions, please contact
> a TCG software company. In addition, TCG/opal can only be enabled /
> disabled by using special security software. "
>
> For the moment, I don't know how to use that self-encryption from linux.
> Could you please give me some tips or links about how you did?
>
> 2- now that the full drive is self-encrypted, I can build manually the
> three partitions from a live system: boot with ext(2,3,4), swap with
> swap, and root with btrfs
>
> 3- and finally install debian sid in the dedicaced partitions.
>
> Am I right? :)
Yes, that approach will work, assuming you trust Samsung (since they're
the ones who wrote the code responsible for the encryption, and you
can't inspect that code yourself).
>
>
> Le 08/05/2018 à 13:32, Austin S. Hemmelgarn a écrit :
>> On 2018-05-08 03:50, Rolf Wald wrote:
>>> Hello,
>>>
>>> some hints inside
>>>
>>> Am 08.05.2018 um 02:22 schrieb faurepierr@gmail.com:
>>>> Hi,
>>>>
>>>> I'm curious about btrfs, and maybe considering it for my new laptop
>>>> installation (a Lenovo T470).
>>>> I was going to install my usual lvm+ext4+full disk encryption setup,
>>>> but
>>>> thought I should maybe give a try to btrfs.
>>>>
>>>>
>>>> Is it possible to meet all these criteria?
>>>> - operating system: debian sid
>>>> - file system: btrfs
>>>> - disk encryption (or at least of sensitives partitions)
>>>> - hibernation feature (which implies a swap partition or file, and I've
>>>> read btrfs is not a big fan of the latter)
>>>
>>> A swap partition is not possible inside or with btrfs alone.
>>>
>>> You can choose btrfs filesystem out of the box in debian install, but
>>> that would mean full-disk-encryption with lvm and btrfs. The extra
>>> layer lvm doesn't hurt, but you have two layers with many functions
>>> double, e.g. snapshotting, resize.
>> Um, this isn't really as much of an issue as you might think. LVM has
>> near zero overhead unless you're actually doing any of that stuff (as
>> long as the LV is just a simple linear mapping, it has less than 1%
>> more overhead than just using partitions). The only real caveat here
>> is to make _ABSOLUTELY CERTAIN_ that you _DO NOT_ make LVM snapshots
>> of _ANY_ BTRFS volumes. Doing so is a recipe for disaster, and will
>> likely eat at least your data, and possibly your children.
>>
>> The bigger issue is that dm-crypt generally slows down device access,
>> which BTRFS is very sensitive to. Using BTRFS with FDE works, but
>> it's slow, so I would only suggest doing it with an SSD (and if you're
>> using an SSD, you may be better off getting a TCG Opal compliant
>> self-encrypting drive and just using the self-encryption functionality
>> instead of FDE).
>>>
>>>>
>>>> If yes, how would you suggest me to achieve it?
>>>
>>> Yes, there is a solution, and it works for me now several years.
>>> You need to build three partitions, e.g. named boot, swap, root. The
>>> sizes choose to your need. the boot partition remains unencrypted,
>>> but the other two partitions are encrypted with cryptsetup (luks)
>>> separately. Normally there are two passphrases to type in (and to
>>> remember), but there is an option in the cryptsetup scripts
>>> (/lib/cryptsetup/scripts) decrypt_derived, which could take the key
>>> from the root partition to decrypt the swap partition also. The
>>> filesystems then on the partitions are boot with ext(2,3,4), swap
>>> with swap and root with btrfs.
>>> This configuration is not reachable with a standard debian
>>> installation. Debian always choose lvm if you want full encryption.
>>> You have to do the first steps manually: make partitions,
>>> cryptsetup(luks) for the partitions swap and root, and open the
>>> encrypted partitions manually. After that you can install your OS.
>>> The manual steps you have to make from a working distro, e.g. live
>>> system (disk or stick) with a recent kernel and recent btrfs-progs
>>> (debian sid is ok for this).
>>> After the install of the OS you have to made the changes for a
>>> successful (re)boot manually. Please read the advices you can find in
>>> the net. There are some nice articles.
>>>
>>>>
>>>> Thanks for your kind help.
>>>
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-05-14 11:44 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-08 0:22 Btrfs installation advices faurepierr
2018-05-08 7:50 ` Rolf Wald
2018-05-08 11:32 ` Austin S. Hemmelgarn
2018-05-13 1:58 ` faurepierr
2018-05-14 11:44 ` Austin S. Hemmelgarn
2018-05-13 11:55 ` Niccolò Belli
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.