FizzyWidget Veteran
Joined: 21 Nov 2008 Posts: 1133 Location: 127.0.0.1
Posted: Tue Oct 08, 2013 2:59 pm Post subject: LUKS encryption, is there a performance hit?
Considering encrypting all my systems, but wondering how much of a performance hit, if any, I would take. Is there anyone out there using full disk encryption? If so, have you noticed a slowdown in day-to-day operations of your system?
Is it a more prudent step to encrypt just the /home partition and other storage drives?
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

py-ro Veteran
Joined: 24 Sep 2002 Posts: 1734 Location: Velbert
Posted: Tue Oct 08, 2013 3:41 pm
Yes, there is. How hard it hits depends on your hardware; if your CPU has a usable instruction set, it won't hit much.

FizzyWidget Veteran
Joined: 21 Nov 2008 Posts: 1133 Location: 127.0.0.1
Posted: Tue Oct 08, 2013 4:20 pm
On the laptop I have a Core i7, on the main PC a Core i7, both of which have hardware support for AES; on the server it's a Quad Core 6600.

chithanh Developer
Joined: 05 Aug 2006 Posts: 2158 Location: Berlin, Germany
Posted: Tue Oct 08, 2013 5:07 pm
The CPUs which have AES-NI support will probably not see a large performance hit.
If you use SSDs, be aware that Trim is disabled by default in LUKS. Many modern SSDs also support ATA encryption without any performance hit at all.

FizzyWidget Veteran
Joined: 21 Nov 2008 Posts: 1133 Location: 127.0.0.1
Posted: Tue Oct 08, 2013 5:24 pm
No SSDs, all SATA.
So which is best, full disc encryption or just /home?

chithanh Developer
Joined: 05 Aug 2006 Posts: 2158 Location: Berlin, Germany
Posted: Tue Oct 08, 2013 5:26 pm
That depends on your threat model and whether there are any secrets outside /home (e.g. ssh keys in /root or password hashes in /etc or a database in /var).

FizzyWidget Veteran
Joined: 21 Nov 2008 Posts: 1133 Location: 127.0.0.1
Posted: Tue Oct 08, 2013 5:37 pm
Think full encryption would be best, as I would like to have the keyfiles for auto-opening the other mount points on the system, to save me having to put them in via the keyboard, and as you say there are the group and user files that sit in /etc.

Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Tue Oct 08, 2013 8:34 pm
You can avoid leaving key material on disk if you place an LVM group inside the LUKS container, which gives you only one LUKS container to unlock. Once it is unlocked, you can activate all the members of the volume group and mount their filesystems.

jpc22 Apprentice
Joined: 29 Jan 2012 Posts: 195
Posted: Mon Dec 30, 2013 5:09 am
Actually jfs with the deadline scheduler on a luks encrypted with aes-xts-plain64 512 was a lot faster than plain jfs with deadline on one of my computers supporting the aes-ni set.
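
An added example, not part of the thread and not any poster's code: one way to check the two things the replies turn on, namely whether a CPU advertises the `aes` flag and what in-memory rate `cryptsetup benchmark` reports for aes-xts with a 512-bit key. The function names, the sample cpuinfo and benchmark text, and the 150 MiB/s disk figure are constructed assumptions.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not measured.

# has_aes [FILE]: succeed if the first "flags" line of a cpuinfo-style file
# lists "aes" as a whole word. Pass "-" to read standard input.
has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# xts_rate KEYBITS [FILE]: print the slower of the encryption/decryption rates
# (MiB/s, integer part) for aes-xts at that key size, read from
# `cryptsetup benchmark` output. Fails if no such row exists.
xts_rate() {
    awk -v key="${1}b" '$1 == "aes-xts" && $2 == key {
            e = int($3); d = int($5); print (e < d ? e : d); found = 1; exit }
        END { if (!found) exit 1 }' "${2:--}"
}

# cipher_is_bottleneck DISK_MIBS CIPHER_MIBS: succeed if the cipher rate is
# below the sequential rate of the disk, i.e. encryption would cap throughput.
cipher_is_bottleneck() { [ "$2" -lt "$1" ]; }

# Constructed inputs: one flags line with aes, one without, and benchmark rows.
sample_cpuinfo_aes()   { printf 'flags\t\t: fpu sse2 ssse3 sse4_2 aes avx\n'; }
sample_cpuinfo_noaes() { printf 'flags\t\t: fpu sse2 ssse3\n'; }
sample_benchmark() { cat <<'EOF'
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   256b   480.0 MiB/s  1900.0 MiB/s
     aes-xts   256b  1700.0 MiB/s  1710.0 MiB/s
     aes-xts   512b  1320.0 MiB/s  1335.0 MiB/s
EOF
}

# Demo on the constructed samples. On a real host:
#   has_aes && cryptsetup benchmark | xts_rate 512
disk=150    # assumed sequential MiB/s of a SATA hard disk
rate=$(sample_benchmark | xts_rate 512)
if sample_cpuinfo_aes | has_aes -; then echo "aes flag: present"; fi
if cipher_is_bottleneck "$disk" "$rate"; then
    echo "aes-xts 512b at ${rate} MiB/s is slower than the disk"
else
    echo "aes-xts 512b at ${rate} MiB/s outruns a ${disk} MiB/s disk"
fi
```

`cryptsetup benchmark` measures the cipher in memory only, so compare its figure against a measured sequential rate of the actual disk rather than the assumed one used here.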