[dm-crypt] Few questions from a new user
conrad.francois.artus at googlemail.com
Wed Jan 8 23:35:42 CET 2014
I am new to disk encryption and I have been reading on it for the last
days, but I am still confused on some points. I would appreciate if
someone knowledgeable could clue me in.
1. Is SHA1 just as secure for this purpose as SHA512? After reading
cryptsetup docs I have a feeling that yes, but I get conflicting
opinions from various people, so I thought it's best ask at the source.
Also, does the hash used have any impact on performance of disk
access/read/write once the system is booted? Again, I suppose not, but
better to make sure, especially since my laptop is not a powerhouse.
2. The more I read, the more I am confused about the algorythms.
Everything I read says that AES is the fastest, and Serpent is the
slowest. But not according to my laptop:
$ cryptsetup benchmark
Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 344926 iterations per second
PBKDF2-sha256 198593 iterations per second
PBKDF2-sha512 129007 iterations per second
PBKDF2-ripemd160 271933 iterations per second
PBKDF2-whirlpool 134295 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 149.8 MiB/s 147.9 MiB/s
serpent-cbc 128b 51.0 MiB/s 196.4 MiB/s
twofish-cbc 128b 127.6 MiB/s 152.5 MiB/s
aes-cbc 256b 114.3 MiB/s 113.8 MiB/s
serpent-cbc 256b 51.2 MiB/s 198.9 MiB/s
twofish-cbc 256b 129.8 MiB/s 167.5 MiB/s
aes-xts 256b 153.3 MiB/s 150.6 MiB/s
serpent-xts 256b 176.4 MiB/s 184.1 MiB/s
twofish-xts 256b 160.8 MiB/s 159.8 MiB/s
aes-xts 512b 115.4 MiB/s 112.1 MiB/s
serpent-xts 512b 178.6 MiB/s 184.2 MiB/s
twofish-xts 512b 160.7 MiB/s 158.9 MiB/s
I suppose this is because it has no AES-IN optimisation (it is one of
the last Core 2 Duo P9500), but still Serpent beats the others by quite
Plus, on top of that, it seems to be the fastest with the most complex
key. I thought it should be the other way around...?
So should I go ahead and use serpent-xts 512b, or is there a catch?
3. I would like to do full disk encryption, and would like to have those
methods of unlocking upon boot:
A - my short but complex password
B - long but easy-to-dictate password that I would give to people who
need to access my laptop when I'm not there, without compromising my own
C - if a USB key with key file is present, I want the computer to not as
for the password upon boot
Are all three possible with dm-crypt+LUKS? And if so, do I have to set
them all up while I enctypt my disks, or can B and/or C be done
More information about the dm-crypt