Thursday, October 5, 2017

Encrypted /home Volumes

On my laptops and workstations, I keep my /home volume encrypted using LUKS (Linux Unified Key Setup).  This is the sort of thing you should do regardless of your operating system.  I set up my systems with a /home volume that is separate from the rest of the filesystem.  I leave everything else on unencrypted volumes because I see no value in keeping executables, libraries, and system configuration files encrypted.  The configuration files I do care about go in /home/etc, with symlinks back to the paths where the system expects them.

Recently I upgraded the kernel on my laptop to a newer version.  I build and install my own kernels because I'm a Linux greybeard and that's what I've always done.  I also like to stay moderately up to date on happenings in the kernel.  I used to read LKML, but I just don't have the time anymore.

When I build a new kernel, I start with the configuration file for the one I am currently running.  I run make olddefconfig and then make menuconfig to look through anything new.  Occasionally this process causes existing configuration options to be lost: olddefconfig only fills in defaults for new symbols, so an option whose name or dependencies changed between releases can silently end up unset.  The olddefconfig step isn't flawless, but that's ok.
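As an added example (not part of the original post), here is a small POSIX shell function that reports exactly the failure mode described above: options that were enabled in the old .config but are no longer enabled in the new one after make olddefconfig.  The kernel tree's own scripts/diffconfig shows every difference between two configs; this only lists losses.  The two file names are arguments, and the configs in the self-check are constructed, not real kernel output.

```shell
#!/bin/sh
# Added example, not from the original post: report options that were enabled
# (y or m) in an old kernel .config but are no longer enabled in the new one
# after make olddefconfig. The kernel tree's own scripts/diffconfig shows every
# difference; this only shows losses, which are the ones that bite at boot.

# Usage: lost_config_options OLD_CONFIG NEW_CONFIG
# Prints one CONFIG_ name per line, sorted, for each option that was y/m in the
# old file and is "# ... is not set" or absent in the new file. Prints nothing
# when no enabled option was lost.
lost_config_options() {
    awk -F= '
        # First file: remember every enabled option.
        FNR == NR { if ($0 ~ /^CONFIG_[A-Za-z0-9_]+=[ym]$/) old[$1] = 1; next }
        # Second file: forget the ones that are still enabled (y or m).
        $0 ~ /^CONFIG_[A-Za-z0-9_]+=[ym]$/ { if ($1 in old) delete old[$1] }
        # Whatever is left was lost.
        END { for (name in old) print name }
    ' "$1" "$2" | sort
}

# Self-check on constructed configs (not real kernel output): the old config had
# AES-NI as a module plus an option that is simply absent from the new config,
# as happens when a symbol is renamed; the new config keeps the rest, drops
# AES-NI, and turns a y option into m, which is a change but not a loss.
self_test_lost_options() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_CRYPTO_AES=y' 'CONFIG_CRYPTO_AES_NI_INTEL=m' \
        'CONFIG_DM_CRYPT=y' 'CONFIG_CRYPTO_XTS=y' \
        '# CONFIG_CRYPTO_TWOFISH is not set' > "$d/old"
    printf '%s\n' 'CONFIG_CRYPTO_AES=y' '# CONFIG_CRYPTO_AES_NI_INTEL is not set' \
        'CONFIG_DM_CRYPT=m' '# CONFIG_CRYPTO_TWOFISH is not set' > "$d/new"
    lost=$(lost_config_options "$d/old" "$d/new")
    rm -rf "$d"
    [ "$lost" = "$(printf 'CONFIG_CRYPTO_AES_NI_INTEL\nCONFIG_CRYPTO_XTS')" ]
}
```

Run it as lost_config_options /boot/config-$(uname -r) .config (or whatever paths your old and new configs live at) right after make olddefconfig and before make menuconfig; an empty result means nothing you had enabled went away, and anything it prints is worth finding in menuconfig before you build.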

My recent upgrade had this happen specifically with the AES-NI modules in the kernel.  Modern Intel (and AMD) x86 processors include the AES-NI instructions, which implement the AES round operations in hardware, and software that uses them runs AES substantially faster than a plain C implementation.  Instructions like these are what let LUKS volume encryption work transparently without a noticeable hit to overall system performance.  If your CPU lacks them, or the kernel module that uses them is not loaded, the kernel's generic AES implementation still works for LUKS, but you will notice that I/O on the encrypted volume is slower.

When I rebooted and entered my passphrase to unlock /home, the system just waited.  And waited and waited and waited.  I had never had this happen to me before, so my first thought was the filesystem was damaged or the LUKS header was damaged or something like that.  I was able to boot from USB media and unlock everything and ultimately tracked it down to the missing AES-NI modules.

So, today's lesson: when using LUKS volume encryption on an x86_64 Linux system, you want CONFIG_CRYPTO_AES_NI_INTEL set to y (built into the kernel) or m (built as the aesni_intel module), depending on how you run your system.  If you build it as a module, it has to be loadable before the encrypted volume is unlocked, so it belongs in the initramfs when the volume is opened from there.  Enabling this option pulls in the other crypto API pieces it depends on, but that's fine.
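As an added example (not part of the original post), here is a POSIX shell script that checks the three places where AES-NI support for LUKS can be missing: the CPU flags, the kernel config, and the crypto API of the running kernel.  The default paths (/proc/cpuinfo, /boot/config-<release>, /proc/crypto) are assumptions about a typical distro layout; a self-built kernel may keep its .config elsewhere, so each function also accepts a path argument.  The samples in self_test_aesni are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: check the three places where AES-NI
# support for LUKS can go missing: the CPU, the kernel config, and the crypto API
# of the running kernel. Each check reads one file; with no argument it reads the
# live system (assumed distro paths), otherwise the path you pass, so the checks
# also work on captured copies or on the constructed samples in self_test_aesni.

# 1. Does the CPU advertise the instructions? "aes" appears in the flags line of
#    /proc/cpuinfo on Intel and AMD processors that have them.
cpu_has_aesni() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)' "${1:-/proc/cpuinfo}"
}

# 2. Is CONFIG_CRYPTO_AES_NI_INTEL enabled? y = built in, m = module. The default
#    path is the distro convention; a self-built kernel may keep .config elsewhere.
kernel_config_has_aesni() {
    grep -Eq '^CONFIG_CRYPTO_AES_NI_INTEL=[ym]$' "${1:-/boot/config-$(uname -r)}"
}

# 3. Has the running kernel registered an AES-NI driver? With aesni_intel loaded,
#    /proc/crypto lists drivers such as xts-aes-aesni; if the only AES driver is
#    aes-generic, dm-crypt is running the C fallback.
crypto_api_has_aesni() {
    grep -Eq '^driver[[:space:]]*:.*aesni' "${1:-/proc/crypto}"
}

# Run all three, print one line each, and return the number of failed checks, so
# 0 means AES-NI is usable end to end. Arguments: cpuinfo, config, crypto paths
# (any may be empty to use the live default).
aesni_status() {
    failed=0
    if cpu_has_aesni "$1"; then
        echo "cpu:        aes flag present"
    else
        echo "cpu:        no aes flag"; failed=$((failed + 1))
    fi
    if kernel_config_has_aesni "$2"; then
        echo "config:     CONFIG_CRYPTO_AES_NI_INTEL enabled"
    else
        echo "config:     CONFIG_CRYPTO_AES_NI_INTEL not set"; failed=$((failed + 1))
    fi
    if crypto_api_has_aesni "$3"; then
        echo "crypto api: aesni driver registered"
    else
        echo "crypto api: no aesni driver (generic AES only, or none)"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Self-check on constructed samples (not captures from a real machine): a box with
# everything in place, and one in the state the post describes, where the CPU has
# AES-NI but the rebuilt kernel dropped the option and so never registered the driver.
self_test_aesni() {
    d=$(mktemp -d) || return 1
    printf 'flags\t\t: fpu vme pse aes xsave avx\n' > "$d/cpuinfo"
    printf 'CONFIG_CRYPTO_AES=y\nCONFIG_CRYPTO_AES_NI_INTEL=m\n' > "$d/config.good"
    printf 'CONFIG_CRYPTO_AES=y\n# CONFIG_CRYPTO_AES_NI_INTEL is not set\n' > "$d/config.bad"
    printf 'name         : xts(aes)\ndriver       : xts-aes-aesni\n' > "$d/crypto.good"
    printf 'name         : aes\ndriver       : aes-generic\n' > "$d/crypto.bad"
    good=0; aesni_status "$d/cpuinfo" "$d/config.good" "$d/crypto.good" >/dev/null || good=$?
    bad=0;  aesni_status "$d/cpuinfo" "$d/config.bad"  "$d/crypto.bad"  >/dev/null || bad=$?
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 2 ]
}
```

Source the file and call aesni_status with no arguments to check the running system.  From the other direction, lsmod | grep aesni tells you whether the module is loaded, and cryptsetup benchmark makes the difference visible: compare its aes-xts line before and after modprobe aesni_intel.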
