2019-05-10
Download and install VeraCrypt:
```sh
apt-get install libfuse2 libfuse-dev makeself libwxbase3.0-0
wget https://launchpad.net/veracrypt/trunk/1.21/+download/veracrypt-1.21-raspbian-setup.tar.bz2
# unarchive, run install script and extract the veracrypt binary
```
or compile it from source:
```sh
# save disk space by not installing all wxWidgets packages
# (7za is provided by the p7zip-full package)
apt install make gcc pkg-config libfuse-dev
wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
wget https://github.com/wxWidgets/wxWidgets/releases/download/v3.0.4/wxWidgets-3.0.4.7z
mkdir -p vc wx
# extract each archive in a subshell so the working directory does not change
(cd wx && 7za x ../wxWidgets-*.7z)
(cd vc && tar -xjf ../VeraCrypt_*_Source.tar.bz2)
cd vc/src
# WX_ROOT must point to the extracted wx directory
make NOGUI=1 WXSTATIC=1 WX_ROOT=/path/to/wx wxbuild
make NOGUI=1 WXSTATIC=1

# or alternatively install wxWidgets packages
apt install make gcc pkg-config libfuse-dev libwxgtk3.0
wget https://launchpad.net/veracrypt/trunk/1.23/+download/VeraCrypt_1.23_Source.tar.bz2
# unarchive, run make

cp Main/veracrypt /usr/local/bin/
```
and apply my optional vc-mounter -headless systemd service (on the Raspberry Pi it seems that the shutdown does NOT cleanly unmount the volumes; see the UPS post for a solution).
Note: remember to use a kernel-supported cipher (check with `grep name /proc/crypto`), or you will get an `Error allocating crypto tfm` message in dmesg and the mount will fail.
Alternatively, you can use the option `-m nokernelcrypto`, with degraded performance.
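A scripted version of the `grep name /proc/crypto` check, as an added example (not part of the original post or of VeraCrypt): it splits a VeraCrypt algorithm or cascade name into its ciphers and reports which ones are not registered with the kernel. The function names, the constructed sample file and the mapping "kernel name = lowercased VeraCrypt name" are assumptions of this example.

```shell
#!/bin/sh
# Added example: are all ciphers of a VeraCrypt algorithm known to the kernel?

# registered_names FILE: print each "name" value from a /proc/crypto-format file.
registered_names() {
    awk -F': *' '$1 ~ /^name[ \t]*$/ { print $2 }' "$1" | sort -u
}

# missing_ciphers ALGO FILE: ALGO is e.g. "AES" or "AES-Twofish-Serpent".
# Assumption: the kernel cipher name is the lowercased VeraCrypt name.
missing_ciphers() {
    names=$(registered_names "$2")
    for c in $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/-/ /g'); do
        printf '%s\n' "$names" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# mount_advice ALGO FILE: print "kernel" (status 0) if every cipher is present,
# else print the -m nokernelcrypto fallback with the missing names (status 1).
mount_advice() {
    missing=$(missing_ciphers "$1" "$2" | paste -sd, -)
    if [ -z "$missing" ]; then
        printf '%s\n' "kernel"
    else
        printf '%s\n' "-m nokernelcrypto (missing: $missing)"
        return 1
    fi
}

# Constructed sample in /proc/crypto format (not captured from a real device).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name         : xts(aes)
driver       : xts(aes-generic)

name         : aes
driver       : aes-generic

name         : twofish
driver       : twofish-generic
EOF

mount_advice "AES" "$SAMPLE" || true
mount_advice "AES-Twofish-Serpent" "$SAMPLE" || true
# On a real system, pass /proc/crypto as FILE instead of the sample.
```

`/proc/crypto` lists only the algorithms registered at that moment, so a cipher built as a module that has not been loaded yet is reported as missing until the module is loaded.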
You can test disk speed with these commands:
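```sh
# WARNING: both commands write zeros straight to the mapped volume, overwriting any filesystem on it
dd if=/dev/zero of=/dev/mapper/xxx bs=1G count=1 oflag=dsync     # throughput
dd if=/dev/zero of=/dev/mapper/xxx bs=512 count=1000 oflag=dsync # latency
```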
This seems to make sense... but after some tests on the Raspberry Pi 3 I found that `-m nokernelcrypto` is 3x faster than using kernel crypto services! :-O
For the sake of speed, always remember to use a filesystem block size compatible with the device's one [1] (refer to `man mkfs.xxxx`), for example:

```sh
cat /sys/block/sdX/queue/physical_block_size # => 4096
mkfs.extX -E nodiscard -b 4096 /dev/sdaX
```
Notes for SSD drives:

- Remember to disable the TRIM [2] operation via the `-m nokernelcrypto` switch (vc-mounter already does it) and use the `nodiscard` mount option [3].
- You can use WDE/FDE (whole/full disk encryption) on an SSD drive because it does NOT require space overprovisioning unless you have a demanding workload (especially one with many random writes). Note that if you still want to leave some unallocated space (to further reduce write amplification [4]), then it must be trimmed [5] if it has been written to before; otherwise it will have no benefit, as the drive will see that space as occupied.
- Comment out any fstrim usage in `/etc/cron.*` (find it with `grep -rin fstrim /etc`).
- The `util-linux` package provides the `fstrim.service` and `fstrim.timer` systemd unit files: disable them if they are enabled.
Source: VeraCrypt setup and homepage, wiki.archlinux, raspbian forum
- Seagate overprovisioning: use 20-25% of the capacity = real OP + dynamic OP (unused/trimmed space).