[dm-crypt] AES-XTS performance
igor at novg.net
Tue Nov 16 07:53:56 CET 2010
> On 11/15/2010 01:36 PM, Igor Novgorodov wrote:
>> I've got a question regarding encryption performance with
>> XTS mode in dm-crypt, which is too low for what i
>> Test system:
>> - Supermicro X8DTH-6F
>> - 1 x 4-Core Xeon E5620 with HyperThreading & AES-NI
>> - 12Gb RAM DDR3 Reg ECC
>> # mount -t tmpfs tmpfs -o size=4G /mnt/tmpfs
>> # dd if=/dev/zero of=/mnt/tmpfs/image
>> # losetup /dev/loop0 /mnt/tmpfs/image
> Loop is not ideal device to test but it is not the problem.
> The main problem is that dm-crypt uses only one core per device.
> If you want to do some tests, try this patch
> (but there is still some issues and it will not help much
> if only one process generates IOs.)
Yes, i know about synchronous nature of dm-crypt,
but i thought that using AES-NI somehow alleviates
this problem, as it as i remember uses asynchronous crypto api (AEAD?),
but i may be wrong, just read somewhere.
Thanks, i'll try your patch and will report of any problems found.
>> And with CBC mode we get reasonable read performance (for AES-NI), but
>> writing is as almost slow as before:
> I think the write slowdown is partially loop problem here.
Yes, it looks so, as AES is quite symmetrical on
encryption/decryption. Tests on real filesystem shows same enc/dec
>> What is the problem here?
>> With aes-cbc-plain64 i get ~560Mb read, and another slow write ~110Mb.
> Nice to benchmarking, but do not use plain/plain64 in CBC mode for data.
> (It is vulnerable.)
Of course, i've read about watermarking attacks.
If XTS mode will remain too slow, i'll switch to CBC-ESSIV.
>> Any suggestions? Why write speed is so low?
> Can you please try patch above? Will it help here?
> (There are more possible fixes but stability is the No.1 here,
> and we have still some unresolved problems with that.)
>> And why with XTS i get 50% speed drop, is that normal?
> In principle, XTS run 2x AES operation in comparison to CBC mode,
> so I would say it is expected.
Hmm. It looks correct.
>> In Windows with Trucrypt internal benchmark i get 1.6Gb/s
>> AES encryption speed with AES-NI even on low-end Core i5-620.
> You cannot compare internal benchmark to dm-crypt over loop.
> dm-crypt uses 512b sectors and mainly block layer limits it here.
Accoding to http://www.truecrypt.org/docs/?s=modes-of-operation
truecrypt uses 512b unit size too, but, of course, raw in-memory
encryption is not compared to multiple-layer model of linux, but i
thought that difference of hunderds of percents is too big.
But it may be due to a multithreaded nature of TC.
> If you use device-mapper zero target as backing device you can get
> better numbers but still it is comparing something different.
I'll try that, thanks, i didn't even thought of this target before :)
More information about the dm-crypt