Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Merits 1 from 1 user
Re: FDE while running a node on SSD
by
ABCbits
on 29/03/2025, 09:14:22 UTC
⭐ Merited by vapourminer (1)
Quote from: takuma sato on March 28, 2025, 07:28:30 PM
Quote from: ABCbits on March 28, 2025, 08:34:13 AM
--snip--
What version of Debian is that screenshot from? I remember watching tutorials, and in no point in time they asked you about any specifics, or I saw any possibility to modify the specification details for the encryption procedure. I only remember two passwords. One that was for the root admin setting, and another for the actual encryption and it was set in a confusing way where you didn't really know what the passwords were doing, so hopefully they changed this, since im talking some years ago. Im just going to get Debian 12 iso and try for myself.

That StackExchange answer mentioned it's based on Debian buster, which mean Debian version 10 (ten). But i can confirm such option also exist on Debian 12 installer, although it's still very easy to miss such manual configuration.

Quote from: takuma sato on March 28, 2025, 07:28:30 PM
Im still asking what settings would be good to run a node at tho, since I want a security but also not blow up the drive from overdoing the encryption and then have it do heavy lifting with the node syncing process. If anyone is an expert in this field here perhaps you could recommend some better non-default settings?

I don't have good answer to your questions. But there are few things i can mention and suggest.
1. Run this command to know encrypt/decrypt speed on your device.

Code:
$ sudo cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      2421653 iterations per second for 256-bit key
PBKDF2-sha256    4675924 iterations per second for 256-bit key
PBKDF2-sha512    2118335 iterations per second for 256-bit key
PBKDF2-ripemd160 1012138 iterations per second for 256-bit key
PBKDF2-whirlpool  823058 iterations per second for 256-bit key
argon2i       7 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      8 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1306.0 MiB/s      3412.6 MiB/s
    serpent-cbc        128b       132.7 MiB/s       908.4 MiB/s
    twofish-cbc        128b       266.3 MiB/s       470.2 MiB/s
        aes-cbc        256b      1021.8 MiB/s      3320.1 MiB/s
    serpent-cbc        256b       137.9 MiB/s       910.7 MiB/s
    twofish-cbc        256b       272.5 MiB/s       470.3 MiB/s
        aes-xts        256b      3389.5 MiB/s      3343.4 MiB/s
    serpent-xts        256b       817.8 MiB/s       810.2 MiB/s
    twofish-xts        256b       453.8 MiB/s       453.9 MiB/s
        aes-xts        512b      3012.4 MiB/s      3017.8 MiB/s
    serpent-xts        512b       829.7 MiB/s       815.1 MiB/s
    twofish-xts        512b       453.4 MiB/s       456.6 MiB/s

2. Use longer password, to make brute-force become unpractical.
3. Read this very long FAQ, https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions.

But just like other people[1-2], i believe the default configuration is secure enough.

[1] https://security.stackexchange.com/a/131105
[2] https://security.stackexchange.com/a/39309