Intel AES-NI For Full Disk Encryption
Phoronix: Intel AES-NI For Full Disk Encryption
Last week I published benchmark results of using Intel AES-NI for Ubuntu home directory encryption, but the benefits of using this new x86 instruction set found on the latest Intel and AMD (as of today's Bulldozer launch) processors were minimal for this eCryptfs-based solution. Continuing in the AES-NI investigation under Linux, today there are benchmark results when using AES-NI for full-disk encryption with dmcrypt.
How does this compare to stock?
I.e., how much of a performance hit does encryption have?
Not much. I've set up dmcrypt on my home partition (it was a separate partition, anyway), and there isn't any noticeable performance difference, even on a lowly E-350 without AES instructions.
Originally Posted by FireBurn
Here's an article which suggests that eCryptFS doesn't affect performance much:
Though, if you have the choice, dmcrypt is always preferable to eCryptFS. It's slightly faster, less buggy due to a simpler design, and will also encrypt meta information like filenames, so your attacker won't see whether there's a folder named ~/goat_porn/ with 179489 files in it, or that just yesterday you've worked on job_application_to_$competitor.odt
Anyway, if you're using a laptop storing confidential or private information, encrypting your home partition is well worth it. Not so much on a single-user desktop - it'll only protect against someone gaining physical access to the hard drive, not against remote attacks on a system where the encrypted drive is mounted and accessible.
Huh, ecryptfs really sucks in comparison to dm-crypt. Much more than I thought.
How to load aesni module?
I've a laptop running Fedora 16 with a CPU which supports aesni, but no module named aes is loaded. How can I test if the aes instructions are used, or force it?
[chris@thinkpad ~]$ uname -r
[chris@thinkpad ~]$ grep aes /proc/cpuinfo | wc -l
[chris@thinkpad ~]$ lsmod |grep aes
[chris@thinkpad ~]$ sudo modprobe aesni-intel #shows no error
Swipe your right index finger on UPEK Eikon 2
[chris@thinkpad ~]$ lsmod |grep aes #but still no module loaded
FWIW, aesni-intel is built into all Fedora x86-64 kernels since 2.6.37-git12 (Jan 15 2011) and all i386 kernels since June.
The CPU support for it isn't so new, is it? My 2010 model Vaio Z - Core i5-520M - has it.
See my post - it's already built into the kernel. Unless there's some config file you have to poke, it's already being used.
Originally Posted by chrisj
btw, finding out the above was a great example of how awesome git is. Check this:
[adamw@adam kernel (f16 *%)]$ git log --pretty=oneline -S'AES_NI_INTEL'
9765980dfcba8e290b18190f68928ca3e9b8d6c8 Bring in Linux-3.1-rc2
db49e9edd88a3f41e7c5f249c26583c579a41bb1 update to snapshot 2.6.38-git19
ee6c061eb9517d21067cab44eeadec08b91cbd7a snapshot 2.6.37-git12
7a32965a104c3363e8505fe566531fcf071cced7 initial srpm import
Yes, git can give you a list of every commit which includes a change containing a given string - so any commit which added, deleted or modified a string containing AES_NI_INTEL in the above case. git for life!
OK, good to know, then I don't have to care about it any longer. I've only found bug reports and that AES_NI_INTEL has been disabled, thanks!
Originally Posted by AdamW
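A check for the situation in the exchange above, where `lsmod | grep aes` prints nothing because the driver is compiled into the kernel. This is an added example, not part of any post in the thread: it reads the CPU flags, the kernel build config (CONFIG_CRYPTO_AES_NI_INTEL) and the ciphers registered in /proc/crypto. The function names are illustrative, and the /boot/config-$(uname -r) location is assumed to be where the distribution ships its kernel config.

```shell
#!/bin/sh
# Added example: is AES-NI available when `lsmod | grep aes` prints nothing?
# Function names are illustrative. Each takes an optional file argument so it
# can be run on saved copies; by default it reads the live system.

# Succeeds if the CPU flags line contains the "aes" flag.
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" 2>/dev/null | grep -qw aes
}

# Prints builtin, module or absent, from the kernel build config.
# builtin (=y) means the driver is part of the kernel image, so it never
# appears in lsmod and modprobe has nothing to load.
aesni_build_mode() {
    cfg="${1:-/boot/config-$(uname -r)}"
    case "$(grep '^CONFIG_CRYPTO_AES_NI_INTEL=' "$cfg" 2>/dev/null)" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# Prints "driver provider" for each registered cipher whose driver name
# contains "aesni"; provider "kernel" means it is built in.
aesni_drivers() {
    awk -F' *: *' '
        $1 == "driver" { drv = $2 }
        $1 == "module" && drv ~ /aesni/ { print drv, $2 }
    ' "${1:-/proc/crypto}" 2>/dev/null
}

# Summary for the running system (or for saved copies passed as $1 $2 $3).
aesni_report() {
    if cpu_has_aes "$1"; then echo "cpu aes flag:  yes"; else echo "cpu aes flag:  no"; fi
    echo "kernel config: $(aesni_build_mode "$2")"
    aesni_drivers "$3" | sed 's/^/registered:    /'
    return 0
}

aesni_report "$@"
```

A `builtin` result together with `kernel` as the provider is the case described in the thread: nothing shows up in lsmod, yet the AES-NI ciphers are registered with the kernel crypto API.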
a comparison to bulldozer would be nice!