[dm-crypt] poor mysqldump performance

Tracy Reed treed at ultraviolet.org
Fri Feb 24 20:07:57 CET 2012

On Fri, Feb 24, 2012 at 09:18:58AM +0100, Milan Broz spake thusly:
> RHEL5 uses old dmcrypt code which is stable but has known
> limitations.

Aside from being single-threaded (not the problem in our case) what are the
limitations? My extensive googling hasn't turned up anything relevant short of
reading large amounts of the dm-crypt list archive.

> The last change in RHEL was backporting support for XTS mode.

I can't find any good info on exactly what this is but I wonder if it is
related to block size since. 

One thing I have been wondering about is block size and CBC. mysqldump is
probably doing a lot of tiny reads. Just how much data does dm-crypt have to
read to pull a single piece of data from the disk? Could the use of cipher
block chaining be causing it to read a lot more than it otherwise would so it
can decrypt the piece of data that it needs? I have a basic crypto education
(university class, read Applied Cryptography, used it plenty as a
sysadmin/security guy) but don't know the details of how the IV is generated
from the previous block in dm-crypt.

It looks like XTS mode uses the sector number as IV which might result in
reading less data. Perhaps I should try ECB mode instead of my current:

Cipher mode:    cbc-essiv:sha256

> Also please note that this is exactly where RHEL customer
> requests helps - and there were no such requests.
> So other things get priority.

We have RHEL also and can deploy this solution on RHEL and run the question by
RedHat if it comes to that, no problem. But it will likely still be on RHEL5.
However, this allows me to make a good argument for getting things upgraded to

> So if you are using CentOS my advice is simple - try to upgrade
> to CentOS6 and test it. It should be in some aspect better but still
> database performance over dmcrypt can have problems.

I'll try an ECB mode (I am aware of the cryptographic downside as far as
identical plaintext blocks go) just to see if that is the issue. Then I'll try
RHEL/CentOS 6 and XTS.


Tracy Reed
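
Added example (not part of the original post and not dm-crypt's own code): a Go model of the cbc-essiv:sha256 setting quoted above, showing that the CBC chain restarts at every sector with IV = AES_{SHA256(key)}(sector number), so one sector can be decrypted without reading its neighbours. AES with a 256-bit key, 512-byte sectors, the function names, and the key and data are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // assumed: each 512-byte sector is encrypted on its own

// essivIV models ESSIV: IV = AES_{SHA256(key)}(sector number, little-endian, zero padded).
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	c, err := aes.NewCipher(salt[:]) // 32-byte salt, so the IV cipher is AES-256
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	c.Encrypt(iv, iv)
	return iv
}

// cryptSector runs CBC over one sector only; the chain starts at that sector's own IV.
func cryptSector(key, data []byte, sector uint64, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	if decrypt {
		cipher.NewCBCDecrypter(c, essivIV(key, sector)).CryptBlocks(out, data)
	} else {
		cipher.NewCBCEncrypter(c, essivIV(key, sector)).CryptBlocks(out, data)
	}
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit key
	var image []byte                      // four sectors of identical constructed plaintext
	for n := uint64(0); n < 4; n++ {
		image = append(image, cryptSector(key, bytes.Repeat([]byte("A"), sectorSize), n, false)...)
	}
	fmt.Printf("sector 3 read alone: %q\n", cryptSector(key, image[3*sectorSize:], 3, true)[:8])
	fmt.Println("sectors 0 and 1 same ciphertext:", bytes.Equal(image[:sectorSize], image[sectorSize:2*sectorSize]))
}
```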
