ToDo

Partition and encrypt disks

Install Ubuntu Netbook Remix

• Write image to USB and boot
• Start installer
• Switch to tty2 (Alt-F2)
• http://ubuntuforums.org/showthread.php?t=1128034

Partition

• cfdisk /dev/sda

Device	Flags	PType	FS	Size (MB)
sda1	boot	primary	83 Linux	254.99
sda2		primary	82 Swap	1793.12
sda3		primary	8e LVM	157991.18

Encrypt

• Setup wireless in live USB
• Choose cipher - see Crypto Benchmarks
• http://hightechsorcery.com/2008/08/linux-crypto-options-2624-and-later-kernels
• Blowfish twice as fast as AES

• Install lvm2 and cryptsetup

  apt-get install lvm2 cryptsetup

  modprobe dm-crypt

  modprobe blowfish

LVM

• Partition root PV
• vg-lvroot 1GB
• vg-lvusr 10GB
• vg-lvtmp 1.5GB
• vg-lvvar 1.5GB
• vg-lvhome 132GB (the rest)

Install

• Run installer
• Chose manually partition (advanced)
• Installed
• Added necessary modules to initramfs and regenerated
• Rebooted
• Synaptic update

Crypto Benchmarks

Method

# cryptsetup -c $CIPHER -k $KEYSIZE luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 crypt-test
# mkfs.ext4 /dev/mapper/crypt-test
# mount /dev/mapper/crypt-test ./test
# bonnie++ -f -d ./test -r 512 -s 1600 -n 0 -u root
# umount ./test
# cryptsetup luksClose crypt-test

Ciphers

• XTS requires keysize >= 256

  export CIPHER="aes-xts-essiv:sha256" ; export KEYSIZE=256 export CIPHER="twofish-xts-essiv:sha256" ; export KEYSIZE=256 export CIPHER="aes-cbc-essiv:sha256" ; export KEYSIZE=128 export CIPHER="twofish-cbc-essiv:sha256" ; export KEYSIZE=128

Results

null,1600M,,,65661,43,31120,26,,,63847,28,387.1,2,,,,,,,,,,,,,
aes128,1600M,,,22476,12,11872,6,,,24165,8,436.5,2,,,,,,,,,,,,,
aes256,1600M,,,21963,13,11911,7,,,23625,8,445.8,2,,,,,,,,,,,,,
twofish128,1600M,,,22000,13,11591,6,,,23720,7,440.0,2,,,,,,,,,,,,,
twofish256,1600M,,,20756,12,10702,6,,,20411,7,449.0,3,,,,,,,,,,,,,

• Choose aes256-xts-essiv since the major bottleneck seems to be the very use of crypto, not the cipher.

iptables

• Scripts installed to /etc/iptables
• Symlinks created in /etc/network/if-pre-up.d (not implemented in Ubuntu)

• Script created in /NetworkManager/dispatcher.d

  if [ -x /usr/bin/logger ]; then         LOGGER="/usr/bin/logger -s -p daemon.info -t FirewallHandler" else         LOGGER=echo fi

  case "$2" in         up)                 if [ ! -x /etc/iptables/iptables-start.sh ]; then                         ${LOGGER} "No script exists to set iptables rules."                         return                 fi                 ${LOGGER} "Restoring iptables rules"                 /etc/iptables/iptables-start.sh                 ;;         down)                 # /etc/iptables/iptables-stop.sh                 ;;         *)                 ;; esac

Log

2009-09-23

• Install UNR

2009-09-24

• Change hostname to Nixie

2010-04-20

• Disabled (unencrypted) swap on /dev/sda2

2013-10-25

• Installed iptables scripts