meta data for this page
This is an old revision of the document!
Encrypted FS
Encrypted partition
apt-get install cryptsetup-bin
Enable HW acceleration. Which is a bit slower than software :P
NOTE: From Kernel 4.2 cesa driver was completely rewritten to support DMA, and old mv_cesa driver was removed in kernel 4.15
modprobe mv_cesa cat /proc/crypto | grep mv_cesa -B 2 -A 7
Is providing only:
- hmac(sha1)
- sha1
- cbc(aes)
- ecb(aes)
There are also additional kernel modules optimised for ARM:
- sha1_arm
- aes_arm
cryptsetup benchmark
| Algorithm | Key | Encryption | Decryption | accel |
|---|---|---|---|---|
| aes-cbc | 128b | 12.8 MiB/s | 13.4 MiB/s | |
| 13.4 MiB/s | 14.1 MiB/s | arm | ||
| 19.7 MiB/s | 20.2 MiB/s | mv_cesa | ||
| serpent-cbc | 128b | 11.1 MiB/s | 11.6 MiB/s | |
| twofish-cbc | 128b | 13.0 MiB/s | 13.4 MiB/s | |
| aes-cbc | 256b | 10.1 MiB/s | 10.5 MiB/s | |
| 11.0 MiB/s | 11.4 MiB/s | arm | ||
| 18.9 MiB/s | 19.2 MiB/s | mv_cesa | ||
| serpent-cbc | 256b | 11.1 MiB/s | 11.6 MiB/s | |
| twofish-cbc | 256b | 13.0 MiB/s | 13.4 MiB/s | |
| aes-xts | 256b | 13.1 MiB/s | 13.3 MiB/s | |
| 14.6 MiB/s | 14.7 MiB/s | arm | ||
| serpent-xts | 256b | 11.5 MiB/s | 11.6 MiB/s | |
| twofish-xts | 256b | 13.4 MiB/s | 13.2 MiB/s | |
| aes-xts | 512b | 10.2 MiB/s | 10.4 MiB/s | |
| 11.4 MiB/s | 11.8 MiB/s | arm | ||
| serpent-xts | 512b | 11.5 MiB/s | 11.6 MiB/s | |
| twofish-xts | 512b | 13.4 MiB/s | 13.2 MiB/s |
Ciphers benchmark
Each cipher was tested with following steps:
- luksFormat /dev/sda5
- luksOpen /dev/sda5 sda5
- benchmarks described in table below on /dev/mapper/sda5
- create ext4fs on /dev/mapper/sda5
- the same benchmarks but on mounted ext4 (writing/reading from file).
| test | command line | description |
|---|---|---|
| hdparm | hdparm -t /dev/… | Buffered read test |
| WR | dd bs=16M count=128 | Normal buffered transfer, but with sync before exit |
| WR S | ||
| WR DS | ||
| RD |
REMARKS:
- For XTS, only half of key is used, so for 128b cipher I need to specify -s 256.
- Ext4 by default was created with lazy_init, to speed up creation process, but it can make impact on tests.
- Before each test, flush by sync && echo 3 > …/drop_caches was issued.
| 128b key | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Block device | EXT4 | ||||||||||||
| acc | hdparm | WR | WR S | WR DS | RD | WR | WR S | WR DS | RD | ||||
| cbc-plain | HW | 8.82 | 7.0 | 6.1 | 7.3 | 9.2 | 8.0 | 5.5 | 5.8 | 9.3 | |||
| SW | 11.80 | 8.2 | 7.4 | 8.7 | 12.40 | 9.5 | 6.2 | 6.4 | 12.40 | ||||
| ARM | 12.76 | 8.9 | 7.2 | 9.2 | 13.60 | 10.2 | 6.4 | 6.4 | 13.60 | * | |||
| cbc-plain64 | HW | 8.79 | 6.9 | 6.1 | 7.5 | 9.2 | 7.9 | 5.3 | 5.6 | 9.0 | |||
| SW | 11.83 | 8.2 | 7.4 | 9.2 | 12.40 | 9.5 | 6.2 | 6.6 | 12.40 | ||||
| ARM | 12.73 | 8.9 | 7.2 | 9.3 | 13.60 | 10.2 | 6.2 | 6.1 | 13.60 | * | |||
| cbc-essiv :sha256 | HW | 7.7 | 6.2 | 5.5 | 6.9 | 8.1 | 7.2 | 5.2 | 5.2 | 8.1 | |||
| SW | 9.7 | 7.8 | 6.9 | 8.7 | 11.40 | 9.1 | 6.2 | 6.5 | 11.40 | ||||
| ARM | 12.36 | 8.7 | 7.0 | 9.1 | 13.20 | 9.9 | 6.3 | 6.2 | 13.20 | * | |||
| xts-plain | SW | 11.29 | 8.2 | 7.4 | 8.7 | 11.80 | 9.5 | 6.1 | 6.5 | 11.90 | |||
| ARM | 12.79 | 9.3 | 7.5 | 10.1 | 13.60 | 10.6 | 6.3 | 5.9 | 13.70 | * | |||
| xts-plain64 | SW | 11.27 | 8.2 | 7.4 | 8.7 | 11.80 | 9.5 | 6.2 | 6.5 | 11.70 | |||
| ARM | 12.84 | 9.3 | 7.5 | 10.2 | 13.70 | 10.6 | 6.4 | 6.1 | 13.70 | * | |||
| xts-essiv :sha256 | SW | 10.30 | 7.9 | 7.2 | 8.7 | 11.10 | 9.1 | 6.1 | 6.5 | 11.10 | |||
| ARM | 12.40 | 9.1 | 7.5 | 9.3 | 13.20 | 10.4 | 6.3 | 6.1 | 13.30 | * | |||
| 256b key | |||||||||||||
| Block device | EXT4 | ||||||||||||
| acc | hdparm | WR | WR S | WR DS | RD | WR | WR S | WR DS | RD | ||||
| cbc-plain | HW | 8.43 | 6.7 | 6.1 | 7.5 | 8.9 | 7.7 | 5.5 | 5.7 | 8.9 | |||
| SW | 9.17 | 6.7 | 6.1 | 7.4 | 9.6 | 7.7 | 5.5 | 5.8 | 9.6 | ||||
| ARM | 10.32 | 7.6 | 6.3 | 7.9 | 10.80 | 8.5 | 5.5 | 6.0 | 10.80 | * | |||
| cbc-plain64 | HW | 8.44 | 6.7 | 6.1 | 7.5 | 8.9 | 7.7 | 5.5 | 5.7 | 8.8 | |||
| SW | 9.15 | 6.8 | 6.1 | 7.5 | 9.5 | 7.6 | 5.5 | 5.8 | 9.7 | ||||
| ARM | 10.24 | 7.6 | 6.2 | 7.8 | 10.70 | 8.4 | 5.1 | 5.5 | 10.00 | * | |||
| cbc-essiv :sha256 | HW | 7.47 | 6.0 | 5.5 | 6.5 | 7.8 | 6.9 | 5.0 | 5.2 | 7.8 | |||
| SW | 8.59 | 6.7 | 6.1 | 7.5 | 9.0 | 7.5 | 5.3 | 5.5 | 8.9 | ||||
| ARM | 9.83 | 7.5 | 6.2 | 7.9 | 10.50 | 8.3 | 5.5 | 5.7 | 10.60 | * | |||
| xts-plain | SW | 8.70 | 6.8 | 6.1 | 7.5 | 9.1 | 7.6 | 5.5 | 5.6 | 9.2 | |||
| ARM | 10.09 | 7.9 | 6.6 | 8.5 | 10.7 | 8.8 | 5.2 | 5.6 | 10.80 | * | |||
| xts-plain64 | SW | 8.70 | 6.8 | 6.1 | 7.5 | 9.2 | 7.6 | 5.5 | 5.6 | 9.2 | |||
| ARM | 10.14 | 7.9 | 6.6 | 8.4 | 10.80 | 8.8 | 5.4 | 5.7 | 10.80 | * | |||
| xts-essiv :sha256 | SW | 8.37 | 6.7 | 6.1 | 7.0 | 8.8 | 7.3 | 5.1 | 5.4 | 8.4 | |||
| ARM | 9.94 | 7.7 | 6.3 | 7.9 | 10.40 | 8.5 | 4.9 | 5.2 | 9.7 | ||||
| without encryption | |||||||||||||
| Block device | EXT4 | ||||||||||||
| acc | hdparm | WR | WR S | WR DS | RD | WR | WR S | WR DS | RD | ||||
| /dev/sda5 | 137 | 91 | 33.7 | 51.7 | 149 | 69 | 13 | 15 | 149 | ||||
file copy benchmark
Copy using dd if=src_file of=dst_file conv=fsync
“It will synchronize output data and metadata just before finishing”
| 128b key | ||||
|---|---|---|---|---|
| acc | WR S | RD | ||
| aes-cbc-plain64 | HW | 5.8 | 8.1 | |
| SW | 6.4 | 10.60 | ||
| ARM | 6.8 | 12.00 | * | |
| twofish-cbc-plain64 | SW | 6.5 | 10.60 | |
| aes-cbc-essiv:sha256 | HW | 5.4 | 7.1 | |
| SW | 6.3 | 10.30 | ||
| ARM | 6.6 | 11.10 | ||
| twofish-cbc-essiv:sha256 | SW | 6.5 | 10.70 | |
| aes-xts-plain64 | SW | 6.4 | 10.20 | |
| ARM | 7.0 | 12.10 | * | |
| twofish-xts-plain64 | SW | 6.6 | 11.00 | |
| twofish-xts-essiv:sha256 | SW | 6.4 | 10.50 | |
| 256b key | ||||
| acc | WR S | RD | ||
| aes-cbc-plain64 | HW | 5.8 | 8.3 | |
| SW | 5.5 | 8.4 | ||
| ARM | 5.9 | 9.5 | * | |
| twofish-cbc-plain64 | SW | 6.6 | 11.00 | * |
| aes-cbc-essiv:sha256 | HW | 5.5 | 7.3 | |
| SW | 5.4 | 8.0 | ||
| ARM | 5.9 | 9.6 | * | |
| twofish-cbc-essiv:sha256 | SW | 6.5 | 10.70 | * |
| aes-xts-plain64 | SW | 5.5 | 8.2 | |
| ARM | 6.1 | 9.4 | * | |
| twofish-xts-plain64 | SW | 6.6 | 10.90 | * |
| twofish-xts-essiv:sha256 | SW | 6.3 | 10.10 | * |
loaded CPU benchmark
Comparison SW & HW with loaded system
stress -v -c 1
| Block device | EXT4 | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| acc | hdparm | WR | WR S | WR DS | RD | WR | WR S | WR DS | RD | ||||
| cbc-plain-128 | HW | 4.71 | 3.9 | 3.6 | 3.8 | 4.9 | 4.1 | 3.2 | 3.4 | 4.9 | |||
| SW | 6.13 | 4.4 | 3.9 | 5.3 | 6.5 | 5.0 | 4.0 | 4.0 | 6.4 | ||||
| ARM | 6.64 | 4.8 | 4.2 | 5.4 | 7.0 | 5.3 | 4.0 | 4.2 | 7.0 | * | |||
| cbc-plain-256 | HW | 4.68 | 3.8 | 3.4 | 3.9 | 4.9 | 4.0 | 3.2 | 3.2 | 4.9 | |||
| SW | 4.73 | 3.6 | 3.4 | 4.0 | 5.0 | 4.0 | 3.2 | 3.3 | 5.0 | ||||
| ARM | 5.31 | 4.1 | 3.6 | 4.4 | 5.6 | 4.4 | 3.4 | 3.6 | 5.6 | ||||
Twofish cipher
(SW only)
| Block device | EXT4 | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| key | hdparm | WR | WR S | WR DS | RD | WR | WR S | WR DS | RD | |||
| cbc-plain | 128 | 11.80 | 8.4 | 7.4 | 9.5 | 12.4 | 9.6 | 6.0 | 6.1 | 11.5 | ||
| cbc-essiv:sha256 | 128 | 11.35 | 8.2 | 7.4 | 8.7 | 11.9 | 9.5 | 6.2 | 6.5 | 11.9 | ||
| xts-plain | 128 | 11.61 | 8.4 | 7.4 | 9.4 | 12.2 | 9.5 | 6.2 | 6.6 | 12.3 | ||
| xts-essiv:sha256 | 128 | 11.06 | 8.0 | 7.4 | 8.7 | 11.6 | 9.1 | 6.2 | 6.5 | 11.7 | ||
| cbc-plain | 256 | 11.82 | 8.4 | 7.4 | 9.5 | 12.4 | 9.7 | 6.5 | 6.6 | 12.4 | ||
| cbc-essiv:sha256 | 256 | 11.34 | 8.2 | 7.4 | 8.7 | 11.9 | 9.5 | 6.2 | 6.6 | 12.0 | ||
| xts-plain | 256 | 11.64 | 8.4 | 7.4 | 9.4 | 12.2 | 9.6 | 6.2 | 6.6 | 12.3 | ||
| xts-essiv:sha256 | 256 | 11.04 | 8.0 | 7.4 | 8.7 | 11.6 | 9.3 | 6.2 | 6.5 | 11.7 | ||
SSH performance
Enable low complexity ciphers if device is used locally.
ssh -Q cipher localhost | paste -d , -s
- /etc/ssh/sshd_config
# enable all ciphers! # obtained with ssh -Q cipher localhost | paste -d , -s Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
| cmd | performance | time |
|---|---|---|
| (default) | 3.1MB/s | |
| 3des-cbc | 1.2MB/s | 1m28 |
| blowfish-cbc | 3.3MB/s | 0m30 |
| cast128-cbc | 2.9MB/s | 0m34 |
| arcfour | 4.2MB/s | 0m24 |
| arcfour128 | -- | -- | |
| arcfour256 | 4.6MB/s | 0m22 |
| aes128-cbc | 2.8MB/s | 0m37 |
| aes192-cbc | 2.9MB/s | 0m34 |
| aes256-cbc | 2.5MB/s | 0m40 |
| rijndael-cbc@lysator.liu.se | 2.8MB/s | 0m36 |
| aes128-ctr | 2.9MB/s | 0m35 |
| aes192-ctr | 2.9MB/s | 0m35 |
| aes256-ctr | 2.9MB/s | 0m40 |
| aes128-gcm@openssh.com | 2.6MB/s | 0m39 |
| aes256-gcm@openssh.com | 2.2MB/s | 0m47 |
| chacha20-poly1305@openssh.com | 3.2MB/s | 0m32 |