Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? August 17, 2011 06:13AM |
    name         : hmac(sha1)
    driver       : mv-hmac-sha1
    module       : mv_cesa
    priority     : 300
    refcnt       : 1
    selftest     : passed
    type         : ahash
    async        : yes
    blocksize    : 64
    digestsize   : 20

    name         : sha1
    driver       : mv-sha1
    module       : mv_cesa
    priority     : 300
    refcnt       : 1
    selftest     : passed
    type         : ahash
    async        : yes
    blocksize    : 64
    digestsize   : 20

    name         : cbc(aes)
    driver       : mv-cbc-aes
    module       : mv_cesa
    priority     : 300
    refcnt       : 1
    selftest     : passed
    type         : ablkcipher
    async        : yes
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32
    ivsize       : 16
    geniv        : <default>

    name         : ecb(aes)
    driver       : mv-ecb-aes
    module       : mv_cesa
    priority     : 300
    refcnt       : 1
    selftest     : passed
    type         : ablkcipher
    async        : yes
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32
    ivsize       : 0
    geniv        : <default>
    cryptsetup luksFormat -c aes-cbc-plain -s 256 -h sha512 /dev/sdXY

or

    cryptsetup luksFormat -c aes-ecb-plain -s 256 /dev/sdXY

or

    cryptsetup luksFormat -c aes -h sha1 /dev/sdXY

But none of those is really safe. Most dm_crypt/LUKS related sites and blogs recommend using aes-xts-plain.

    cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sdXY

which is considered to be one of the safest and fastest out there. I tested that too, but when using aes-xts-plain, reading and writing speed break down dramatically. Then, there's also twofish which is considered to be equally safe as AES

    cryptsetup luksFormat -c twofish-xts-plain --key-size 512 /dev/sdXY

Funny enough, whereas Wikipedia claims that twofish is slower than aes, I found this forum where people recommend using twofish for maximal speed. I tried that on my GoFlex Net and must admit that twofish-xts-plain is really very fast, even though it's not accelerated by mv_cesa. It's like 1,6 times faster than aes-xts-plain and only slightly slower than those (unsafe) hardware accelerated ciphers.
    aes-cbc-plain -s 256 -h sha512        11,32 MB/s
    aes-ecb-plain -s 256                  11,52 MB/s
    aes -h sha1                           11,29 MB/s
    twofish-xts-plain --key-size 512      10,89 MB/s
    aes-xts-plain --key-size 512           6,70 MB/s

From these results I can draw the following conclusions
m1k0
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? August 25, 2011 03:43AM |
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? August 26, 2011 08:16AM |
John Hughes
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? September 09, 2011 05:36AM |
Quote
Vlad
but (surprise, surprise) according to my experiments, mv_cesa doesn't accelerate cbc-essiv.
    # cryptsetup luksDump /dev/md0
    LUKS header information for /dev/md0
    Version:        1
    Cipher name:    aes
    Cipher mode:    cbc-essiv:sha256
    Hash spec:      sha1
    Payload offset: 2056
    ...
    # cryptsetup --key-file hughes_crypt.key luksOpen /dev/md0 hughes_crypt
    # dd if=/dev/mapper/hughes_crypt of=/dev/null count=1024000
    1024000+0 records in
    1024000+0 records out
    524288000 bytes (524 MB) copied, 67.2462 s, 7.8 MB/s

    # cryptsetup luksClose hughes_crypt
    # rmmod mv_cesa
    # cryptsetup --key-file hughes_crypt.key luksOpen /dev/md0 hughes_crypt
    # dd if=/dev/mapper/hughes_crypt of=/dev/null count=1024000
    1024000+0 records in
    1024000+0 records out
    524288000 bytes (524 MB) copied, 94.3556 s, 5.6 MB/s
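
Added example (not part of the original thread, and not code from cryptsetup or the kernel): the /proc/crypto listing in the first post and the rmmod comparison above both come down to which driver the kernel uses for a given dm-crypt cipher spec. The crypto API picks the highest-priority implementation registered under the algorithm name, so this sketch maps a spec such as aes-xts-plain to xts(aes) and looks up the winner. The mv_cesa entry is taken from the first post's listing; the *-generic entries and all function names are constructed for illustration, and the spec parser ignores the IV generator.

```python
import re

# /proc/crypto excerpt. The mv_cesa entry matches the listing in the first post;
# the *-generic entries are constructed sample data for this example.
SAMPLE = """\
name         : cbc(aes)
driver       : mv-cbc-aes
module       : mv_cesa
priority     : 300

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100

name         : xts(aes)
driver       : xts(aes-generic)
module       : kernel
priority     : 100

name         : xts(twofish)
driver       : xts(twofish-generic)
module       : kernel
priority     : 100
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\S[^:\n]*?)[ \t]*:[ \t]*(.*)$", block, re.M))
        if "name" in fields:
            fields["priority"] = int(fields.get("priority", 0))
            entries.append(fields)
    return entries

def kernel_alg(spec):
    """Map a dm-crypt spec 'cipher-mode-ivgen' to the crypto API name 'mode(cipher)'."""
    parts = spec.split("-")
    if len(parts) < 2:
        raise ValueError("spec has no explicit chaining mode: " + spec)
    return "%s(%s)" % (parts[1], parts[0])

def selected_driver(spec, entries):
    """Return (driver, module) of the highest-priority match, or None if absent."""
    name = kernel_alg(spec)
    best = max((e for e in entries if e["name"] == name),
               key=lambda e: e["priority"], default=None)
    return (best["driver"], best["module"]) if best else None
```

On a real system, pass the contents of /proc/crypto read after the volume has been opened once, since template instances such as xts(aes) are only registered when first requested.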
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? September 09, 2011 07:04AM |
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? September 19, 2011 04:24PM |
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? September 19, 2011 05:45PM |
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? October 01, 2011 06:38PM |
    dd count=100000 bs=1K if=/dev/zero of=/mnt/test1.img
    dd count=25000 bs=4K if=/dev/zero of=/mnt/test2.img
    dd count=6500 bs=16K if=/dev/zero of=/mnt/test3.img
    dd count=1500 bs=64K if=/dev/zero of=/mnt/test4.img
    dd count=200 bs=512K if=/dev/zero of=/mnt/test5.img
    dd count=100 bs=1M if=/dev/zero of=/mnt/test6.img

    dd count=100000 bs=1K if=/mnt/test1.img of=/dev/null
    dd count=25000 bs=4K if=/mnt/test2.img of=/dev/null
    dd count=6500 bs=16K if=/mnt/test3.img of=/dev/null
    dd count=1500 bs=64K if=/mnt/test4.img of=/dev/null
    dd count=200 bs=512K if=/mnt/test5.img of=/dev/null
    dd count=100 bs=1M if=/mnt/test6.img of=/dev/null

Here's what I got (first column: mv_cesa acceleration, second and third columns: no acceleration)
    block size | aes-cbc-essiv + mv_cesa | aes-cbc-essiv | twofish-xts-plain
    1K         | 10,3 MB/s               | 7,5 MB/s      | 12,5 MB/s
    4K         | 10,3 MB/s               | 7,3 MB/s      | 12,2 MB/s
    16K        | 10,4 MB/s               | 7,4 MB/s      | 12,3 MB/s
    64K        | 10,4 MB/s               | 7,4 MB/s      | 12,3 MB/s
    512K       | 10,2 MB/s               | 7,3 MB/s      | 12,3 MB/s
    1M         | 9,7 MB/s                | 7,3 MB/s      | 12,3 MB/s

    block size | aes-cbc-essiv + mv_cesa | aes-cbc-essiv | twofish-xts-plain
    1K         | 10,5 MB/s               | 6,3 MB/s      | 8,0 MB/s
    4K         | 11,7 MB/s               | 8,1 MB/s      | 11,9 MB/s
    16K        | 10,5 MB/s               | 6,7 MB/s      | 11,0 MB/s
    64K        | 10,6 MB/s               | 7,4 MB/s      | 11,9 MB/s
    512K       | 11,4 MB/s               | 7,7 MB/s      | 11,7 MB/s
    1M         | 10,6 MB/s               | 7,3 MB/s      | 10,7 MB/s
dpffan
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? October 03, 2011 09:05AM |
Re: Hardware accelerated encryption on GoFlex Net / Dockstar or is mv_cesa of any practical use? October 15, 2011 03:23PM |