# SSD + Geli, viable?



## tcn (Mar 3, 2013)

Hi,

  I have a 6 year old FreeBSD server that has come to have a badly corrupted encrypted filesystem (USB microdirves are probably failing; shame on me for putting my trust in those).

  I will be moving to a different hardware soon and I am thinking of installing FreeBSD on an eSATA SSD card.  I would like to keep my whole system encrypted (booting with a USB flashdrive).

  Is it a viable option to use an SSD for an encrypted filesystem?  Are there any drawbacks I should be aware of?


Thanks,

tcn


----------



## graudeejs (Mar 10, 2013)

You should first think about:

why you need encryption
will keep flash plugged in PC all the time?
Will you also use passphrase to encrypt drives
what happens after a sudden reboot
from who do you want to protect your data (can they take a box without unplugging it from electricity [forensics can])
etc

Personally I think, that for server encryption, if you keep flash plugged in, it is just a waste of resources. Even if you don't keep flash with keys in server, it's still pretty vulnerable.


----------



## tcn (Mar 11, 2013)

Hi graudeejs,

My system was already fully encrypted for the past six years.  As far as I am concerned, encryption by itself is fine with FreeBSD. Sudden reboots are extremely rare when you stay on the stable branch.

The boot-flash is not connected to the server.  Please note that this is a home server and thus only a few people are using it. I am a bit paranoid over my personal information.

If someone is to break in, I have my doubts on the fact that he or she will try to access the system on site. They will just take the box and move on. Encryption is to protect my sensitive data (tax reports as an example).

Without the USB key, the data on the drives is useless to anyone.

The question was more on the hardware of things in terms of wear of the flash.

tcn


----------



## vermaden (Mar 11, 2013)

tcn said:
			
		

> Is it a viable option to use an SSD for an encrypted filesystem?


I use ZFS on top of GELI encryption on SSD, works like a charm.



			
				tcn said:
			
		

> Are there any drawbacks I should be aware of?


Yep. If You have CPU with aesni(4) support, then You can use 256bit AES-XTS, but if You do not have in-CPU acceleration for encryption then use 128bit AES-CBC at most, otherwise You will have quite big performance hit without in-CPU instructions.


----------

