Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
LUKS encryption, is there a performance hit?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
FizzyWidget
Veteran
Veteran


Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

PostPosted: Tue Oct 08, 2013 2:59 pm    Post subject: LUKS encryption, is there a performance hit? Reply with quote

Considering encrypting all my systems, but wondering how much, if any of a performance hit I would take, is there anyone out there using full disk encryption? If so have you noticed a slow down in day to day operations of your system.

Is it a more prudent step to encrypt just the /home partition and other storage drives?
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Back to top
View user's profile Send private message
py-ro
Veteran
Veteran


Joined: 24 Sep 2002
Posts: 1733
Location: St. Wendel

PostPosted: Tue Oct 08, 2013 3:41 pm    Post subject: Reply with quote

Yes, there is. How hard it hits depends on your hardware, if you cpu has a useable instruction set, it won't hit much.
Back to top
View user's profile Send private message
FizzyWidget
Veteran
Veteran


Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

PostPosted: Tue Oct 08, 2013 4:20 pm    Post subject: Reply with quote

On Laptop I have core i7, Main PC Core i7, both of which has hardware support for AES, on the server its a Quad care 6600
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Back to top
View user's profile Send private message
chithanh
Developer
Developer


Joined: 05 Aug 2006
Posts: 2152
Location: Berlin, Germany

PostPosted: Tue Oct 08, 2013 5:07 pm    Post subject: Reply with quote

The CPUs which have AES-NI support will probably not see a large performance hit.

If you use SSDs, be aware that Trim is disabled by default in LUKS. Many modern SSDs also support ATA encryption without any performance hit at all.
Back to top
View user's profile Send private message
FizzyWidget
Veteran
Veteran


Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

PostPosted: Tue Oct 08, 2013 5:24 pm    Post subject: Reply with quote

no SSD's all SATA

So which is best full disc encryption or just /home ?
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Back to top
View user's profile Send private message
chithanh
Developer
Developer


Joined: 05 Aug 2006
Posts: 2152
Location: Berlin, Germany

PostPosted: Tue Oct 08, 2013 5:26 pm    Post subject: Reply with quote

That depends on your threat model and whether there are any secrets outside /home (e.g. ssh keys in /root or password hashes in /etc or a database in /var).
Back to top
View user's profile Send private message
FizzyWidget
Veteran
Veteran


Joined: 21 Nov 2008
Posts: 1133
Location: 127.0.0.1

PostPosted: Tue Oct 08, 2013 5:37 pm    Post subject: Reply with quote

Think full encryption would be best as i would like to have the keyfiles for auto opening the other mount points on the system, save me having to put them in via the keyboard, and as you say there is the group and user files that sit in /etc
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13862

PostPosted: Tue Oct 08, 2013 8:34 pm    Post subject: Reply with quote

You can avoid leaving key material on disk if you place an LVM group inside the LUKS container, which gives you only one LUKS container to unlock. Once it is unlocked, you can activate all the members of the volume group and mount their filesystems.
Back to top
View user's profile Send private message
jpc22
Apprentice
Apprentice


Joined: 29 Jan 2012
Posts: 195

PostPosted: Mon Dec 30, 2013 5:09 am    Post subject: Reply with quote

Actually jfs with the deadline scheduler on a luks encrypted with aes-xts-plain64 512 was a lot faster than plain jfs with deadline on one of my computers supporting the aes-ni set.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum