From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id U576-MGUL0rk for <dm-crypt@saout.de>;
 Fri,  4 Jan 2013 20:14:46 +0100 (CET)
Received: from mail-ea0-f176.google.com (mail-ea0-f176.google.com
 [209.85.215.176])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.saout.de (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Fri,  4 Jan 2013 20:14:46 +0100 (CET)
Received: by mail-ea0-f176.google.com with SMTP id d13so7039459eaa.21
 for <dm-crypt@saout.de>; Fri, 04 Jan 2013 11:14:45 -0800 (PST)
Message-ID: <50E72A22.3060007@gmail.com>
Date: Fri, 04 Jan 2013 20:14:42 +0100
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <50DF635C.90003@gmail.com> <50E6C1EC.1000307@gmail.com>
 <87sj6gn5g7.fsf@silenus.orebokech.com>
In-Reply-To: <87sj6gn5g7.fsf@silenus.orebokech.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Switch to XTS mode for LUKS in cryptsetup in 1.6.0
 (Was Re: [ANNOUNCE] cryptsetup 1.6.0-rc1)
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: Romain Francoise <romain@orebokech.com>
Cc: dm-crypt <dm-crypt@saout.de>

On 01/04/2013 07:55 PM, Romain Francoise wrote:
> Milan Broz <gmazyland@gmail.com> writes:
> 
>> Any serious objections to not do that now?
> 
> How does it compare to cbc in terms of (real-world) performance?

It is slower but on recent systems it shouldn't not be bottleneck
(even with fast storage).

I really prefer security to performance here.

But anyway, there is now benchmark command to test it.

An example (on my 3 year old Thinkpad x201 notebook with AES-NI):

# Tests are approximate using memory only (no storage IO).
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   789.0 MiB/s  1899.0 MiB/s
     aes-cbc   256b   595.0 MiB/s  1445.0 MiB/s
     aes-xts   256b   572.0 MiB/s   571.4 MiB/s
     aes-xts   512b   465.0 MiB/s   467.0 MiB/s

(I think XTS got some more optimization in recent kernel, this is from 3.6.)

You can try it yourself, just run "cryptsetup benchmark" with 1.6.0-rc1,
perhaps we will need some new FAQ entry here.

Milan