From: Joanna Rutkowska
Subject: Re: AES Encryption information
Date: Wed, 07 Jul 2010 13:28:47 +0200
Message-ID: <4C3464EF.9080105@invisiblethingslab.com>
References: <4C337B5E.6050104@goop.org>
In-Reply-To: <4C337B5E.6050104@goop.org>
To: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On 07/06/10 20:52, Jeremy Fitzhardinge wrote:
> On 07/06/2010 11:13 AM, ReehanAhmedKhan I L wrote:
>> On creating a fully encrypted para-virtualised Xen guest system, is
>> all the data stored on the hard-disk fully encrypted? If so when is
>> the encryption done.
>> The shared memory is used to communicate between dom0 and domU. Is
>> the encryption done before data is put in the shared memory?
>> Does not the whole encryption procedure slow down the system?
>
> Xen has no specific support for encrypting disk data. You can use
> whatever mechanisms the dom0 and/or domU kernels support. If you're
> using Linux, for example, you can configure your setup to encrypt within
> the domU so that the dom0 domain only ever sees encrypted data, or you
> can encrypt in dom0.
>
> The performance effects really depend on your workload and system, but
> my laptop with an encrypted ssd has used 19min 35s for disk encryption
> over the last 13 days of uptime.
>

I know this is really off-topic, but I'm curious whether you have a Core
i5/i7 processor with an AESNI instruction, and if you have, if you got
the aesni-intel module to work properly with your kernel?

I noticed that using LUKS with a very fast SSD, that normally could have
a read throughput of around 200MB/s, significantly limits the
performance down to around 80-100 MB/s, with the bottleneck being the
kcryptd process eating 100% CPU (core).

joanna.