6

I'm going to reinstall my system (Ubuntu) on a Samsung 840 pro SSD. This disk can do AES hardware encryption. I wonder what would be the drawbacks and/or advantages of taking this approach versus using LVM full disk encryption from these perspectives:

  • security: are these methods equivalent in terms of security?
  • convenience: I'd like to avoid typing too many passwords.
  • recovery/compatibility: what if I have to take the disk and mount it in another computer to recover my data?
Mimi
  • 5
alci
  • 137

3 Answers

4
  • security: The drive offers AES. dm-crypt offers your own choice, if you're not satisfied with AES. Both can be erased very quickly by erasing the key.
  • convenience: both methods will prompt for a password once, at startup; although you could store the LUKS keyfile on an external device, e.g. a USB memory stick
    • with dm-crypt, you have the flexibility to only encrypt parts of your system, e.g. only the /home directory (when put on a separate partition)
  • recovery: if you forget the drive password, you're busted. For LUKS, you could (depending on the level of paranoia you want to accept) have multiple copies of your key. Printed on a sheet of paper, if you want to. Or hidden inside a book. Or ...
    • Both are not dependent on the surrounding hardware, so your disk can be recovered even if the original laptop/PC dies.
  • performance: the device built-in encryption should be mostly transparent, so I assume almost no overhead. With dm-crypt, your CPU does the en-/decryption.
    • Also: In linux 3.1 and up, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. So you need to take some steps, but TRIM is supported.

To summarize: the built-in encryption is the fast (runtime and setup) and convenient option with no frills. dm-crypt/LUKS offers many more options and features, but is more time-consuming to set up and reduces performance somewhat.

Stefan Seidel
  • 10,855
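The recovery point above (the LUKS volume can be opened on any other machine because everything needed, apart from your passphrase, is in the header, and several key slots can hold independent copies of the key) can be seen by reading the header itself. The following is an added example, not code from the answer: it parses the LUKS1 on-disk header layout and reports the cipher, the active key slots and how many leading bytes `cryptsetup luksHeaderBackup` would need to save; `sample_header()` builds a constructed header, not one taken from a real disk.

```python
import struct

# LUKS1 on-disk header, all integers big-endian: a 208-byte fixed part followed
# by 8 key slots of 48 bytes each (592 bytes). Layout taken from the LUKS1 spec.
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, uuid
SLOT_FMT = ">II32sII"  # state, iterations, salt, key-material offset, stripes
SECTOR = 512

def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Extract what a foreign machine needs to know to unlock this volume."""
    if len(blob) < 592 or blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS1 magic at offset 0")
    (_m, version, cname, cmode, hspec, payload, keybytes,
     _dig, _dsalt, iters, uuid) = struct.unpack_from(HDR_FMT, blob, 0)
    if version != 1:
        raise ValueError("unsupported LUKS header version %d" % version)
    slots = []
    for i in range(8):
        state = struct.unpack_from(SLOT_FMT, blob, 208 + 48 * i)[0]
        if state == SLOT_ENABLED:
            slots.append(i)
        elif state != SLOT_DISABLED:
            raise ValueError("key slot %d has corrupt state 0x%08x" % (i, state))
    return {
        "cipher": "%s-%s" % (_cstr(cname), _cstr(cmode)),
        "hash": _cstr(hspec),
        "key_bits": keybytes * 8,
        "mk_iterations": iters,
        "uuid": _cstr(uuid),
        "active_slots": slots,
        # header plus key material, i.e. what `cryptsetup luksHeaderBackup` saves
        "header_bytes_to_back_up": payload * SECTOR,
    }

def sample_header():
    """Constructed header (not from a real disk): aes-xts-plain64, 512-bit key,
    passphrase in slot 0 and a backup keyfile in slot 3, other slots free."""
    hdr = struct.pack(HDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
                      b"3f1d9b7a-1111-4222-8333-444444444444")
    for i in range(8):
        state = SLOT_ENABLED if i in (0, 3) else SLOT_DISABLED
        hdr += struct.pack(SLOT_FMT, state, 50000, b"\x33" * 32, 8 + 256 * i, 4000)
    return hdr
```

Run it against the first 592 bytes of a real LUKS1 partition to see the same fields; a header whose slot states are neither value is corrupt, which is exactly the case a separate header backup protects against.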
3

Use the built-in AES.
Why?

  • It's powerful enough.
  • It supports TRIM and it's supported by the manufacturer.
  • You don't have to use a strong password as your Linux login pass.
  • As far as I know, you can use it in another system.
Apache
  • 16,299
0

built-in:
  • + much faster
  • + easier to set up
  • - you have no idea about the implementation, might be superb, might be crap

dm-crypt:
  • + slower
  • - you can check the implementation yourself (theoretically anyway)

recovery - with dm-crypt what you said works; with the built-in it's unknown: theoretically, if the BIOS passes the ATA password unchanged it should work fine, otherwise...