[dm-crypt] Basics

Mike Nagie promike1987 at gmail.com
Fri Sep 25 19:33:16 CEST 2015

Hi all,

I'm going to reinstall my ArchLinux and I thought I would try encrypting 
my home folder with dm-crypt.
I read this and ArchWiki several times, but I'm still so confused.
I'd like to keep my system as fast as just possible, sooo here is my 
benchmark results:

PBKDF2-sha1       644088 iterations per second
PBKDF2-sha256     391259 iterations per second
PBKDF2-sha512     321254 iterations per second
PBKDF2-ripemd160  410241 iterations per second
PBKDF2-whirlpool  151703 iterations per second
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   124.2 MiB/s   143.3 MiB/s
 serpent-cbc   128b    49.9 MiB/s   194.5 MiB/s
 twofish-cbc   128b   112.4 MiB/s   211.2 MiB/s
     aes-cbc   256b    96.4 MiB/s   107.1 MiB/s
 serpent-cbc   256b    49.9 MiB/s   194.2 MiB/s
 twofish-cbc   256b   112.4 MiB/s   210.9 MiB/s
     aes-xts   256b   141.5 MiB/s   143.3 MiB/s
 serpent-xts   256b   201.1 MiB/s   191.4 MiB/s
 twofish-xts   256b   207.9 MiB/s   209.1 MiB/s
     aes-xts   512b   108.5 MiB/s   106.2 MiB/s
 serpent-xts   512b   200.1 MiB/s   191.5 MiB/s
 twofish-xts   512b   207.8 MiB/s   209.3 MiB/s

So first thing; this is a 1TiB HDD. Do I need plain64? Or is there any 

Second: Everybody talks about the aes. It seems the twofish is faster 
here. Does this really matter? I mean this is a HDD, I guess it never 
does anything at that pace. (207MiB/s)

Third: Since xts is supposed to be safer I think it's justified.

Fourth: Key size: I'm totally lost. Why is 512b (even though it's split 
into 256) faster than the others? I'm sure something is not right with my theory, 
else who would use 256b?! Are encrypted files bigger with 512b or 
what is the point here?

Fifth: Hash: I'm thinking about sha256.

Sixth: iteration time. I misunderstood the benchmark. I thought 
sha256     391259 iterations per second
means 391259 iterations per second. However I set the iteration time to 
391259 and well... needless to say, it didn't open the encrypted 
partition in a second, more like in 10 minutes. So I have no idea how 
I should interpret this one.

And lastly: --use-random or --use-urandom. I didn't get this one at all.

Thank you for your answer in advance

You are so lucky!
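The "sixth" point above mixes up two different numbers: `cryptsetup benchmark` reports PBKDF2 throughput (iterations per second), while `--iter-time` is a time budget in milliseconds. cryptsetup multiplies the two to get the iteration count stored in the LUKS header, so passing the benchmark figure as `--iter-time` asks for a 391-second unlock. The following script (an added example, not from the original post or from cryptsetup's source) reproduces that calibration with Python's standard-library PBKDF2 so the relationship can be checked offline. The passphrase and salt are constructed sample values, and the probe iteration count is an arbitrary choice for the measurement.

```python
import hashlib
import os
import time

# Constructed sample inputs for the demo; they are not from the original post.
SALT = os.urandom(16)
PASSPHRASE = b"correct horse battery staple"


def benchmark_iterations_per_second(hash_name, probe_iterations=20000):
    """Measure PBKDF2-HMAC throughput, the same quantity that
    `cryptsetup benchmark` prints as 'iterations per second'."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, PASSPHRASE, SALT, probe_iterations)
    elapsed = time.perf_counter() - start
    return probe_iterations / elapsed


def iterations_for_iter_time(iterations_per_second, iter_time_ms):
    """--iter-time is a budget in milliseconds. The iteration count written
    into the LUKS header is throughput multiplied by that budget."""
    return int(iterations_per_second * iter_time_ms / 1000)


def seconds_to_unlock(iterations, iterations_per_second):
    """Expected time to derive the key once, i.e. to open the volume."""
    return iterations / iterations_per_second


def explain_iter_time(iterations_per_second, iter_time_ms):
    """Return (iteration count, unlock seconds) for a given --iter-time."""
    iterations = iterations_for_iter_time(iterations_per_second, iter_time_ms)
    return iterations, seconds_to_unlock(iterations, iterations_per_second)


if __name__ == "__main__":
    # Use the benchmark figure from the post for sha256.
    ips = 391259.0

    # Default-style budget of one second.
    its, secs = explain_iter_time(ips, 1000)
    print(f"--iter-time 1000  -> {its} iterations, ~{secs:.1f} s to unlock")

    # The value from the post, mistakenly passed as --iter-time.
    its, secs = explain_iter_time(ips, 391259)
    print(f"--iter-time 391259 -> {its} iterations, ~{secs / 60:.1f} min to unlock")

    # Live measurement on this machine, for comparison with the post's table.
    for name in ("sha1", "sha256", "sha512"):
        print(f"PBKDF2-{name:<7} {benchmark_iterations_per_second(name):10.0f} it/s")
```

With the sha256 figure from the post, a one-second budget yields about 391259 iterations, while `--iter-time 391259` yields roughly 153 million iterations and an unlock time of about 6.5 minutes, which matches the "more like 10 minutes" observation above.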

