Originally posted by smotad
View Post
Announcement
Collapse
No announcement yet.
The 2019 Laptop Performance Cost To Linux Full-Disk Encryption
Collapse
X
-
- Likes 1
-
Originally posted by M@yeulC View Postshmerl ah yes, we also tried to encrypt /boot, but stopped short of it, due to the installer spitting errors --or was it GRUB after the fact? -- and a lack of time (IIRC).
I did so on my Arch system, leaving only the secureboot-signed kernel image in the EFI partition. At this point, my biggest concern lies with the initramfs. Any tips on signing that one?
Last edited by shmerl; 14 March 2019, 01:59 PM.
- Likes 1
Comment
-
Originally posted by stormcrow View Post
Roughly what I expected based on practical experience with using encrypted disks on laptops (Windows and Linux). There's a few different variables that affect practical throughput performance. One of the biggest is which drive interface you're using. It's been my experience that, in general, SATA drives suffer considerably less performance impact because the maximum throughput on those buses is usually less than the actual processing performance of the CPU's hardware encrypt/decrypt support. Spinning rust is generally even less impacted than SSD. Again, because the CPU can run the instructions faster than the drive can transfer data. The bottleneck there becomes the number of threads the CPU can handle with the acceleration. I'm not sure about the most current Intel CPUS, but traditionally they could only handle one encryption thread at a time while the Ryzens can handle 2 at once.
This changes with NVME drives because they can handle greater throughput and apparently it's a higher throughput than what the CPU can process. The CPU is once again the bottleneck that it generally wasn't with SATA only systems, so you see a slowdown on a system that's using NVMe drives even with hardware based de/encryption support.
Need to check my laptop though.
Comment
-
Originally posted by smotad View PostWhat about using OPAL?
What drawbacks does it have?
Depending on the implementation it can be trivial to unencrypt data without the key.
In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations,In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.
https://www.ru.nl/publish/pages/9092...ft-paper_1.pdfLast edited by Slithery; 14 March 2019, 02:28 PM.
- Likes 2
Comment
-
Originally posted by stevea View PostModest but very real performance impact. I am left thinking that I want /home & swap & and a few bits in /etc and /var encrypted, but not much else.Last edited by Slithery; 14 March 2019, 02:56 PM.
- Likes 2
Comment
-
Originally posted by sandy8925 View PostHm, those results seem a bit weird. If using AES XTS, and with AESNI being present and enabled, there shouldn't be much of a performance impact IMO.
Comment
-
I'm trying to make sense of this. In an old quad core (10yr-old) I could visibly see my CPU maxing out when copying from one encrypted drive to the other. My mb/sec were CPU-limited. Now, with current CPUs, if CPU load doesn't go up significantly (to make CPU the bottleneck), then why is performance degraded? FS-related inefficiencies?
- Likes 1
Comment
-
Originally posted by Slithery View Post
Which would only be of any use if you could guarantee that no-one else had physical access to your machine. Otherwise they could drop a modified binary in your system path to do anything they wanted.
If someone is targeting you specifically to steal data or deply malicious code on your systems and they can get physical access to the systems, pretty much all bets are off (unless you have one of those fancy ORWL computers, for instance).
- Likes 2
Comment
Comment