ext3 or ext4 ? Encrypt ?

Rick Stevens ricks at nerd.com
Wed Aug 26 20:15:11 UTC 2009


Micros50 wrote:
> On Tue, 2009-08-25 at 09:59 -0700, Rick Stevens wrote:
>> Micros50 wrote:
>>> When doing a fresh install and making new partitions I was greeted with
>>> some new options that I had never seen before, namely the option to use
>>> the newer ext4 file system and the option to encrypt a file system.
>>>
>>> In my case I decided to go with ext4 except for the /boot partition, for
>>> which they recommended sticking with ext3.  So far so good, no issues
>>> with using ext4.  I also decided to encrypt two partitions. So far so
>>> good.
>>>
>>> Wonder if anyone else feels it's best to go with these new options or
>>> stick with the old options?
>>>
>>> Whatever the choice I just want to make sure my system sticks
>>> together... :) Hah.
>> ext4 does give you some performance enhancements.  It does have the same
>> caveat that ext3 has though, in that it's not built into the kernel by
>> default so it has to be in your initrd image when booting.  Also, grub
>> does not grok ext4, though, which is why the /boot partition must be
>> ext2 or ext3.
>>
>> Encryption has been around quite a while.  The only thing different here
>> is that it's offered as part of Anaconda's setup.  It is purely
>> optional and IMHO rather useless except on removable media.
>>
>> It introduces a performance hit (albeit minor) that will slow down
>> access to encrypted filesystems and puts a bit more load on the CPU.
>> For those reasons, I wouldn't use it on filesystems that are used for
>> high I/O (e.g. a database or the destination of a video encoder).
>>
>> The fact you have to enter the passphrase for it when mounting makes
>> it difficult to use for remotely managed machines (e.g. servers in a
>> data center somewhere) and it really doesn't offer much security.  If
>> someone cracks into your system while it's mounted, it's a moot point.
>>
>> If you want to encrypt a filesystem on removable media (e.g. a FLASH
>> drive, USB or firewire drive), then it can make some sense, but not
>> otherwise.
>>
>> That's just my opinion.  I could be wrong.
> 
> So, in other words, on a hard disk that is installed in the system itself
> encrypting the disc accomplishes little, unless of course someone were
> to physically steal the computer or steal the drive itself.

Yes, that's my take on it.  As you say below, once it's mounted the 
encryption is transparent.  If someone cracks into your system, the data
is no more protected than if it were unencrypted.  And if someone can
physically steal the system or open it and take the drive, you have
other security issues you should address first!  :-)

Now, if you keep personal data (passwords, account numbers, etc.) on a
FLASH key as I do, yes, I have it encrypted.  In fact, my passwords and
such are in a KeePassX database on that encrypted FLASH key and the
database itself requires a passphrase, so essentially it's
double-encrypted!  Welcome to the Department of Redundancy Department.

> Nonetheless, I did, perhaps foolishly, encrypt a couple of my partitions
> just to see if it does work and/or if there are any bizarre issues. Thus
> far, other than having to answer a password, the encryption is more or
> less transparent, i.e. everything works as normal. However, on my next
> install/upgrade, I might just opt to go without the encryption. Of
> course it depends on whether or not I'm in a cryptic mood. Hah hah. :)

Heheheh!  There's nothing foolish about it.  If you don't know just what
the encryption stuff is, nothing's better than experimentation.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                Huked on foniks reely wurked for me!                -
----------------------------------------------------------------------
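The thread's two practical points, that an encrypted volume is transparent once mounted and that /boot has to stay on a filesystem the bootloader can read, can be checked after installation by walking the block-device stack. The script below is an added example, not code from anyone in this thread; it parses the key="value" output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` (the sample is constructed, not taken from a real machine) and reports, per mountpoint, whether a dm-crypt mapping sits anywhere underneath it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`
# (not real output): / is ext4 on a LUKS mapping, /boot is plain ext3,
# /home is plain ext4 on an unencrypted partition.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext3" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="luks-root" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"
NAME="sda3" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sda"
"""

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Turn lsblk -P lines into {NAME: {column: value}}."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        fields = dict(PAIR_RE.findall(line))
        if fields.get("NAME"):
            devices[fields["NAME"]] = fields
    return devices

def is_encrypted(devices: Dict[str, Dict[str, str]], name: str) -> bool:
    """True if the device or any parent in its stack is a dm-crypt mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)            # guard against a malformed PKNAME cycle
        dev = devices.get(name)
        if dev is None:
            return False
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False

def audit_mounts(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map each mountpoint to (filesystem type, backed by dm-crypt?)."""
    devices = parse_lsblk_pairs(text)
    return {d["MOUNTPOINT"]: (d.get("FSTYPE", ""), is_encrypted(devices, n))
            for n, d in devices.items() if d.get("MOUNTPOINT")}

def boot_warnings(audit: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Flag /boot layouts the bootloader of this thread's era cannot read."""
    fstype, encrypted = audit.get("/boot", ("", False))
    warnings = []
    if encrypted:
        warnings.append("/boot is on an encrypted device; grub cannot read it")
    if fstype == "ext4":
        warnings.append("/boot is ext4; the grub discussed here reads only ext2/ext3")
    return warnings

if __name__ == "__main__":
    result = audit_mounts(SAMPLE_LSBLK)
    for mountpoint, (fstype, encrypted) in sorted(result.items()):
        print(f"{mountpoint:8} {fstype:12} encrypted={encrypted}")
    print("\n".join(boot_warnings(result)) or "boot layout: ok")
```

On a live system feed it the real output with `subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"], capture_output=True, text=True).stdout`; the check only says where encryption sits in the stack, not whether the volume is currently unlocked, which is exactly the point made above.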