From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from db1.countermail.com (db1.countermail.com [46.253.205.114])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.server123.net (Postfix) with ESMTPS
	for ; Fri, 25 Sep 2015 19:55:16 +0200 (CEST)
Received: from 192.168.0.1 [46.253.205.116])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by db1.countermail.com (Postfix) with ESMTPSA id 82FCB82A0127
	for ; Fri, 25 Sep 2015 17:55:15 +0000 (UTC)
References: <20150925173316.GA32719@manjaro.chello.hu>
From: Mistave
Message-ID: <56058A83.9070509@countermail.com>
Date: Fri, 25 Sep 2015 19:55:15 +0200
MIME-Version: 1.0
In-Reply-To: <20150925173316.GA32719@manjaro.chello.hu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Basics
To: dm-crypt@saout.de

Generally I use the following line:

# cryptsetup -c aes-xts-plain64:sha512 -h sha512 -y -s 512 -i 5000 --use-random luksFormat /dev/sdX

But AES should be faster, if your CPU supports the AES-NI instruction (most
modern CPUs should). Though you are free to choose whatever cipher you
prefer (aes, twofish, serpent).

On my PC AES (software) is a bit faster than serpent and a bit slower
than twofish. AES (hardware) is fastest.

On 25. 09. 2015 19:33, Mike Nagie wrote:
> Hi all,
>
> I'm going to reinstall my ArchLinux and I thought I would try encrypting
> my home folder with dm-crypt.
> I read this and ArchWiki several times, but I'm still so confused.
> I'd like to keep my system as fast as possible, sooo here are my
> benchmark results:
>
> PBKDF2-sha1       644088 iterations per second
> PBKDF2-sha256     391259 iterations per second
> PBKDF2-sha512     321254 iterations per second
> PBKDF2-ripemd160  410241 iterations per second
> PBKDF2-whirlpool  151703 iterations per second
> #  Algorithm | Key |  Encryption |  Decryption
>      aes-cbc   128b   124.2 MiB/s   143.3 MiB/s
>  serpent-cbc   128b    49.9 MiB/s   194.5 MiB/s
>  twofish-cbc   128b   112.4 MiB/s   211.2 MiB/s
>      aes-cbc   256b    96.4 MiB/s   107.1 MiB/s
>  serpent-cbc   256b    49.9 MiB/s   194.2 MiB/s
>  twofish-cbc   256b   112.4 MiB/s   210.9 MiB/s
>      aes-xts   256b   141.5 MiB/s   143.3 MiB/s
>  serpent-xts   256b   201.1 MiB/s   191.4 MiB/s
>  twofish-xts   256b   207.9 MiB/s   209.1 MiB/s
>      aes-xts   512b   108.5 MiB/s   106.2 MiB/s
>  serpent-xts   512b   200.1 MiB/s   191.5 MiB/s
>  twofish-xts   512b   207.8 MiB/s   209.3 MiB/s
>
> So first thing: this is a 1TiB HDD. Do I need plain64? Or are there any
> drawbacks?
>
> Second: Everybody talks about aes. It seems twofish is faster
> here. Does this really matter? I mean this is a HDD, I guess it never
> does anything at that pace. (207MiB/s)
>
> Third: Since xts is supposed to be safer I think it's justified.
>
> Fourth: Key size. I'm totally lost. Why is 512b (even though it's split
> to 256) faster than the others? I'm sure something is not right with my
> theory, else who would use 256b?! Are encrypted files bigger with 512b, or
> what is the point here?
>
> Fifth: Hash: I'm thinking about sha256.
>
> Sixth: iteration time. I misunderstood the benchmark. I thought
> sha256 391259 iterations per second
> means 391259 iterations per second. However I set the iteration time to
> 391259 and well... needless to say, it didn't open the encrypted
> partition in a second, more like in 10 minutes. So I have no idea how
> I should interpret this one.
>
> And lastly: --use-random or --use-urandom. I didn't get this one at all.
>
> Thank you for your answer in advance
>
> Mike
>
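
Added example (not part of either message and not cryptsetup's own code): a small Python parser for the `cryptsetup benchmark` output quoted above, showing what a value passed to -i/--iter-time requests, given that cryptsetup reads that option as milliseconds rather than an iteration count. The function names are hypothetical, and the rate-times-duration iteration estimate is an assumption; the exact scaling differs between cryptsetup versions.

```python
import re

# Sample input: a few lines copied from the benchmark quoted in the message,
# including the mail quote prefix so the parser is exercised on it.
SAMPLE = """\
> PBKDF2-sha256     391259 iterations per second
> PBKDF2-sha512     321254 iterations per second
> #  Algorithm | Key |  Encryption |  Decryption
>      aes-xts   512b   108.5 MiB/s   106.2 MiB/s
>  twofish-xts   512b   207.8 MiB/s   209.3 MiB/s
"""

PBKDF_RE = re.compile(r"^PBKDF2-(\S+)\s+(\d+) iterations per second")
CIPHER_RE = re.compile(r"^(\S+)\s+(\d+)b\s+([\d.]+) MiB/s\s+([\d.]+) MiB/s")


def parse_benchmark(text):
    """Return ({hash: iterations/s}, {(cipher, key_bits): (enc, dec) MiB/s})."""
    kdf, ciphers = {}, {}
    for line in text.splitlines():
        line = line.lstrip("> ")  # drop mail quoting and leading padding
        if m := PBKDF_RE.match(line):
            kdf[m[1]] = int(m[2])
        elif m := CIPHER_RE.match(line):
            ciphers[(m[1], int(m[2]))] = (float(m[3]), float(m[4]))
    return kdf, ciphers  # the "# Algorithm" header line matches neither regex


def requested_seconds(iter_time_ms):
    """-i / --iter-time is a duration in milliseconds, not an iteration count."""
    return iter_time_ms / 1000


def estimate_iterations(rate_per_sec, iter_time_ms):
    """Assumed model: iterations ~= benchmark rate * requested duration."""
    return rate_per_sec * iter_time_ms // 1000


if __name__ == "__main__":
    kdf, ciphers = parse_benchmark(SAMPLE)
    for ms in (5000, 391259):  # the reply's value, then the value Mike tried
        print(f"-i {ms}: about {requested_seconds(ms):.0f} s of PBKDF2 work, "
              f"~{estimate_iterations(kdf['sha256'], ms)} sha256 iterations")
    for (name, bits), (enc, dec) in sorted(ciphers.items()):
        print(f"{name} {bits}b: {enc} / {dec} MiB/s")
```
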