From: Marc MERLIN <marc@merlins.org>
To: Andreas Klauer <Andreas.Klauer@metamorpher.de>
Cc: linux-raid@vger.kernel.org
Subject: Re: md raid5 on top of dmcrypt, or dmcrypt on top of md raid5?
Date: Thu, 11 Feb 2016 09:40:26 -0800 [thread overview]
Message-ID: <20160211174026.GH13969@merlins.org> (raw)
In-Reply-To: <20160211171340.GA7664@EIS>
On Thu, Feb 11, 2016 at 06:13:40PM +0100, Andreas Klauer wrote:
> > gargamel:~# cryptsetup luksDump /dev/md8
> > LUKS header information for /dev/md8
> >
> > Version: 1
> > Cipher name: aes
> > Cipher mode: xts-plain64
> > Hash spec: sha1
> > Payload offset: 3072
> > MK bits: 256
>
> Does the box have AES-NI? What's your 'cryptsetup benchmark' look like?
> Sometimes there can be a problem if the AES-NI module is loaded too late.
> Without AES-NI your performance will suffer either way...
It's a quad core HT CPU
model name : Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
As far as I can tell, AES-NI is working:
gargamel:~# cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 420102 iterations per second
PBKDF2-sha256 250137 iterations per second
PBKDF2-sha512 87148 iterations per second
PBKDF2-ripemd160 394795 iterations per second
PBKDF2-whirlpool 125068 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1.2 MiB/s 1939.8 MiB/s
serpent-cbc 128b 29.8 MiB/s 284.4 MiB/s
twofish-cbc 128b 77.0 MiB/s 339.0 MiB/s
aes-cbc 256b 451.2 MiB/s 1491.7 MiB/s
serpent-cbc 256b 85.7 MiB/s 286.7 MiB/s
twofish-cbc 256b 188.7 MiB/s 358.4 MiB/s
aes-xts 256b 1572.1 MiB/s 1725.3 MiB/s
serpent-xts 256b 272.8 MiB/s 291.2 MiB/s
twofish-xts 256b 289.8 MiB/s 331.7 MiB/s
aes-xts 512b 1355.1 MiB/s 1385.5 MiB/s
serpent-xts 512b 318.4 MiB/s 299.8 MiB/s
twofish-xts 512b 326.6 MiB/s 336.3 MiB/s
> You probably don't want encryption below the RAID; that would mean
> encrypting redundancy and parity so it's even more work to do, doubtful
> whether multicore CPU can offset that to make it worth it. Maybe if
> it's a NAS that has nothing else to do...
It does other work, and I agree that encryption below the raid doesn't
sound like a great idea, which is why I haven't used it so far.
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 1024R/763BE901
next prev parent reply other threads:[~2016-02-11 17:40 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-11 16:29 md raid5 on top of dmcrypt, or dmcrypt on top of md raid5? Marc MERLIN
2016-02-11 17:13 ` Andreas Klauer
2016-02-11 17:40 ` Marc MERLIN [this message]
2016-02-12 9:30 ` Mikael Abrahamsson
2016-02-12 14:34 ` Jes Sorensen
2016-02-12 19:07 ` Marc MERLIN
2016-02-12 19:57 ` John Stoffel
2016-02-22 0:44 ` Marc MERLIN
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160211174026.GH13969@merlins.org \
--to=marc@merlins.org \
--cc=Andreas.Klauer@metamorpher.de \
--cc=linux-raid@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.