Thread: Intel AES-NI For Full Disk Encryption

  1. #1
    Join Date
    Jan 2007
    Posts
    15,438

    Default Intel AES-NI For Full Disk Encryption

    Phoronix: Intel AES-NI For Full Disk Encryption

    Last week I published benchmark results of using Intel AES-NI for Ubuntu home directory encryption, but the benefits of using this new x86 instruction set found on the latest Intel and AMD (as of today's Bulldozer launch) processors were minimal for this eCryptfs-based solution. Continuing the AES-NI investigation under Linux, today there are benchmark results from using AES-NI for full-disk encryption with dmcrypt.

    http://www.phoronix.com/vr.php?view=16516

  2. #2
    Join Date
    Dec 2007
    Location
    Edinburgh, Scotland
    Posts
    593

    Default

    How does this compare to stock?

    I.e., how much of a performance hit does encryption have?

  3. #3
    Join Date
    Nov 2008
    Posts
    781

    Default

    Quote Originally Posted by FireBurn View Post
    I.e., how much of a performance hit does encryption have?
    Not much. I've set up dmcrypt on my home partition (it was a separate partition, anyway), and there isn't any noticeable performance difference, even on a lowly E-350 without AES instructions.

    Here's an article which suggests that eCryptFS doesn't affect performance much:
    http://www.phoronix.com/scan.php?pag...u_1110_encrypt


    Though, if you have the choice, dmcrypt is always preferable to eCryptFS. It's slightly faster, less buggy due to a simpler design, and will also encrypt meta information like filenames, so your attacker won't see whether there's a folder named ~/goat_porn/ with 179489 files in it, or that just yesterday you've worked on job_application_to_$competitor.odt

    Anyway, if you're using a laptop storing confidential or private information, encrypting your home partition is well worth it. Not so much on a single-user desktop - it'll only protect against someone gaining physical access to the hard drive, not against remote attacks on a system where the encrypted drive is mounted and accessible.

  4. #4
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,286

    Default

    Huh, ecryptfs really sucks in comparison to dm-crypt. Much more than I thought.

  5. #5
    Join Date
    Oct 2011
    Location
    Germany
    Posts
    2

    Question How to load aesni module?

    Hi,

    I have a laptop running Fedora 16 with a CPU which supports aesni, but no module named aes is loaded. How can I test if the aes instructions are used, or force it?

    [chris@thinkpad ~]$ uname -r
    3.1.0-0.rc9.git0.0.fc16.x86_64
    [chris@thinkpad ~]$ grep aes /proc/cpuinfo | wc -l
    4
    [chris@thinkpad ~]$ lsmod |grep aes
    [chris@thinkpad ~]$ sudo modprobe aesni-intel #shows no error
    Swipe your right index finger on UPEK Eikon 2
    [chris@thinkpad ~]$ lsmod |grep aes #but still no module loaded
    [chris@thinkpad ~]$

  6. #6

    Default

    FWIW, aesni-intel is built into all Fedora x86-64 kernels since 2.6.37-git12 (Jan 15 2011) and all i386 kernels since June.

    The CPU support for it isn't so new, is it? My 2010 model Vaio Z - Core i5-520M - has it.

  7. #7

    Default

    Quote Originally Posted by chrisj View Post
    Hi,

    I have a laptop running Fedora 16 with a CPU which supports aesni, but no module named aes is loaded. How can I test if the aes instructions are used, or force it?

    [chris@thinkpad ~]$ uname -r
    3.1.0-0.rc9.git0.0.fc16.x86_64
    [chris@thinkpad ~]$ grep aes /proc/cpuinfo | wc -l
    4
    [chris@thinkpad ~]$ lsmod |grep aes
    [chris@thinkpad ~]$ sudo modprobe aesni-intel #shows no error
    Swipe your right index finger on UPEK Eikon 2
    [chris@thinkpad ~]$ lsmod |grep aes #but still no module loaded
    [chris@thinkpad ~]$
    See my post - it's already built into the kernel. Unless there's some config file you have to poke, it's already being used.
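
    Added example, not written by any poster in this thread: a shell check for the situation discussed above, where `lsmod | grep aes` prints nothing because the driver is compiled into the kernel rather than loaded as a module. The function names are hypothetical, and the kernel config is assumed to be at /boot/config-$(uname -r); each function also accepts a file path so it can be run against saved copies of /proc/cpuinfo, the kernel config and /proc/crypto.

```shell
#!/bin/sh
# Added example: explain an empty `lsmod | grep aes` on an AES-NI capable machine.

# cpu_has_aes [FILE]: succeeds if the "aes" CPU flag is present.
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# aesni_build_mode [FILE]: prints builtin | module | disabled | unknown,
# based on CONFIG_CRYPTO_AES_NI_INTEL in the kernel config.
aesni_build_mode() {
    cfg="${1:-/boot/config-$(uname -r)}"   # assumed config location
    [ -r "$cfg" ] || { echo unknown; return; }
    case "$(grep '^CONFIG_CRYPTO_AES_NI_INTEL=' "$cfg")" in
        *=y) echo builtin ;;    # compiled in: never appears in lsmod
        *=m) echo module ;;     # loadable: appears in lsmod once loaded
        *)   echo disabled ;;   # "is not set" or symbol absent
    esac
}

# aesni_drivers [FILE]: lists registered crypto drivers whose name
# contains "aesni". This is what the kernel crypto API can actually use.
aesni_drivers() {
    awk -F': *' '$1 ~ /^driver/ && $2 ~ /aesni/ { print $2 }' \
        "${1:-/proc/crypto}"
}

# aesni_status [CPUINFO] [CONFIG] [CRYPTO]: one-line verdict.
aesni_status() {
    if ! cpu_has_aes "$1"; then
        echo "no-cpu-support"
        return
    fi
    mode=$(aesni_build_mode "$2")
    if [ -n "$(aesni_drivers "$3")" ]; then
        echo "active ($mode)"
    else
        echo "inactive ($mode)"
    fi
}

# With no arguments this inspects the running system.
aesni_status "$@"
```

    A result of "active (builtin)" matches the case described in the thread: the driver is registered in /proc/crypto even though lsmod lists nothing.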

  8. #8

    Default

    btw, finding out the above was a great example of how awesome git is. Check this:

    [adamw@adam kernel (f16 *%)]$ git log --pretty=oneline -S'AES_NI_INTEL'
    9765980dfcba8e290b18190f68928ca3e9b8d6c8 Bring in Linux-3.1-rc2
    db49e9edd88a3f41e7c5f249c26583c579a41bb1 update to snapshot 2.6.38-git19
    ee6c061eb9517d21067cab44eeadec08b91cbd7a snapshot 2.6.37-git12
    7a32965a104c3363e8505fe566531fcf071cced7 initial srpm import

    Yes, git can give you a list of every commit which includes a change containing a given string - so any commit which added, deleted or modified a string containing AES_NI_INTEL in the above case. git for life!

  9. #9
    Join Date
    Oct 2011
    Location
    Germany
    Posts
    2

    Smile

    Quote Originally Posted by AdamW View Post
    FWIW, aesni-intel is built into all Fedora x86-64 kernels since 2.6.37-git12 (Jan 15 2011) and all i386 kernels since June.

    The CPU support for it isn't so new, is it? My 2010 model Vaio Z - Core i5-520M - has it.
    OK, good to know, then I don't have to care about it any longer. I've only found bug reports and that AES_NI_INTEL has been disabled, thanks!

  10. #10
    Join Date
    Oct 2011
    Posts
    3

    Default

    A comparison to Bulldozer would be nice!
