[dm-crypt] hardware encryption

Matthias Schniedermeyer ms at citd.de
Thu Mar 14 14:14:57 CET 2013


On 14.03.2013 06:12, lxnf98mm at gmail.com wrote:
> On Wed, 13 Mar 2013, .. ink .. wrote:
> 
> >On Wed, Mar 13, 2013 at 5:45 PM, <lxnf98mm at gmail.com> wrote:
> >
> >>Can dm-crypt make use of the encryption capabilities of the cpu
> >>I am probably not asking the right question but gotta start somewhere
> >>
> >>
> >The answer to your question according the  link given next is "yes" :
> >http://www.saout.de/pipermail/dm-crypt/2011-October/002092.html
> >
> >best place to start with cryptsetup is to go through its FAQ located at:
> >http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
> >
> 
> This is probably not the place to ask but how about a Marvell 88F6281
> www.marvell.com/embedded-processors/kirkwood/assets/HW_88F6281_OpenSource.pdf
> I tried openssl speed test and it out performs a 3.4Ghz Intel
> Right now running dm-crypt on the Marvell uses about 50% cpu

Given that openssl doesn't support AES-NI i'm not surprized.

Last time i looked AES-NI support in openssl was "in Limbo" and it may 
still take quite some time(years) until there is a release which 
officially supports AES-NI. This is despite first patches beeing made 
available before there was silicon, so openssl is quite a few years 
behind.

I'm using an unofficial "something" (Can't remember what it is excatly ) 
so that openssl can utelize AES-NI which in turn enables AES-NI usage 
for SSH, so i can use it for scp or rsync over SSH.
The difference is quite noticable, altough in LANs i just use ARCFOUR. 
No patching necesarry to saturate Gigabit. :-)

When i tested it some time back over loopback both AES-128-CBC(*) (with 
AES-NI) and ARCFOUR peaked at about 400MB/s(IIRC), so no problem doing 
the 110MB/s needed to saturate Gigabit.


*:
AES-128-CTR doesn't appeared to either support AES-NI or get any 
performance benefit from AES-NI.


-- 

Matthias


More information about the dm-crypt mailing list