SSD + Geli, viable?

Hi,

I have a 6 year old FreeBSD server that has come to have a badly corrupted encrypted filesystem (USB microdrives are probably failing; shame on me for putting my trust in those).

I will be moving to different hardware soon and I am thinking of installing FreeBSD on an eSATA SSD card. I would like to keep my whole system encrypted (booting with a USB flash drive).

Is it a viable option to use an SSD for an encrypted filesystem? Are there any drawbacks I should be aware of?


Thanks,

tcn
 
You should first think about:
  • why you need encryption
  • will you keep the flash drive plugged into the PC all the time?
  • will you also use a passphrase to encrypt the drives?
  • what happens after a sudden reboot
  • from whom do you want to protect your data (can they take the box without unplugging it from power? [forensics can])
etc.

Personally I think that, for server encryption, if you keep the flash drive plugged in, it is just a waste of resources. Even if you don't keep the flash drive with the keys in the server, it's still pretty vulnerable.
 
Hi graudeejs,

My system was already fully encrypted for the past six years. As far as I am concerned, encryption by itself is fine with FreeBSD. Sudden reboots are extremely rare when you stay on the stable branch.

The boot-flash is not connected to the server. Please note that this is a home server and thus only a few people are using it. I am a bit paranoid over my personal information.

If someone is to break in, I have my doubts on the fact that he or she will try to access the system on site. They will just take the box and move on. Encryption is to protect my sensitive data (tax reports as an example).

Without the USB key, the data on the drives is useless to anyone.

The question was more on the hardware side of things, in terms of wear of the flash.

tcn
 
tcn said:
Is it a viable option to use an SSD for an encrypted filesystem?
I use ZFS on top of GELI encryption on SSD, works like a charm.

tcn said:
Are there any drawbacks I should be aware of?
Yep. If you have a CPU with aesni(4) support, then you can use 256-bit AES-XTS, but if you do not have in-CPU acceleration for encryption then use 128-bit AES-CBC at most, otherwise you will have quite a big performance hit without in-CPU instructions.
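As an added example (not part of the thread, and not code from any of the posters), the script below turns the reply's rule of thumb into a small sh helper: it checks a CPU feature line for AES-NI and picks the geli(8) `-e`/`-l` parameters accordingly, then prints the resulting `geli init` command. The dmesg-style feature lines are constructed samples, the provider name `ada0p2`, the key file path and the `-s 4096` sector size are my own placeholders and choices; the command is only printed so the script runs on any POSIX sh.

```shell
#!/bin/sh
# Added example: choose geli(8) cipher parameters from CPU AES-NI support,
# following the advice in the reply above. Nothing here modifies a disk.

# Return 0 if the given text (e.g. the "Features2=" line from
# /var/run/dmesg.boot, or the aesni0 attach line) mentions AES-NI.
has_aesni() {
    printf '%s\n' "$1" | grep -qi 'aesni'
}

# Echo the -e/-l flags for geli init: AES-XTS with a 256-bit key when the
# CPU accelerates AES, otherwise AES-CBC with a 128-bit key, which is the
# most the reply recommends for software-only crypto.
choose_geli_params() {
    if has_aesni "$1"; then
        echo "-e AES-XTS -l 256"
    else
        echo "-e AES-CBC -l 128"
    fi
}

# Build the full geli init command line for a provider. The provider and the
# key file location (a key kept on the boot USB stick) are placeholders.
geli_init_cmd() {
    cpu_info="$1"
    provider="${2:-ada0p2}"                      # placeholder provider
    keyfile="${3:-/mnt/usbkey/${provider}.key}"  # placeholder key file
    echo "geli init $(choose_geli_params "$cpu_info") -s 4096 -K $keyfile /dev/$provider"
}

# Constructed sample lines modelled on the CPU feature lines dmesg prints;
# the first advertises AESNI, the second does not.
SAMPLE_WITH_AESNI='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,OSXSAVE,AVX>'
SAMPLE_WITHOUT_AESNI='  Features2=0xe3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM>'

# On a real FreeBSD host you would feed in live data instead, e.g.:
#   cpu_line=$(grep -m1 Features2 /var/run/dmesg.boot)
#   geli_init_cmd "$cpu_line" ada0p2 /mnt/usbkey/ada0p2.key
geli_init_cmd "$SAMPLE_WITH_AESNI"
geli_init_cmd "$SAMPLE_WITHOUT_AESNI"
```

Two notes on the choice. AES-XTS is the mode designed for sector encryption, so dropping to AES-CBC-128 on a CPU without AES-NI trades some security margin for throughput rather than being a free choice; if the box will hold sensitive data, benchmarking XTS first (for example with `geli onetime` on a scratch device) is worth the few minutes. The `-s 4096` sector size is my own addition: it matches the 4K pages of flash media and reduces per-sector overhead, but it must match the filesystem you put on top.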