Linux Full Disk Encryption Performance With AMD Ryzen 5 + SATA 3.0 SSD

  • #11
    Originally posted by AndyChow
    Fewer and fewer SSDs are coming out with native encryption. It used to be almost a standard when you went "pro".

    Thank you for these benchmarks. They are very consistent with my own results. The extra CPU usage is irrelevant, the actual performance is only marginally impacted, and it's mostly transparent. I have both hardware and software encryption, and have seen only marginal (+/- 20% or less impact). And that's with aes-twofish-serpent software encryption, salted. To protect the data of my clients, this is nothing.

    Michael! Did you ever test that ARM AMD board? The A1100 one? You got it, please test it.
    Finally received some supported RAM for that board, still searching my basement for a supported power supply, and still waiting on finding out what OS is supported, and it does sound like the PCI-E slot is unworkable.
    Michael Larabel
    https://www.michaellarabel.com/



    • #12
      How do these benchmarks compare with Intel and Skylake or Kabylake performance with their AES performance? Do they take as much of a hit in performance? Just curious if this is a normal hit or if Intel's implementation is better.



      • #13
        The Ryzens have built-in AES engines, did they actually get used in these tests? (look for the ccp-* lines in /proc/interrupts).

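
The check suggested in post #13, as an added example that is not part of any poster's message: it sums the ccp-* interrupt counts in two /proc/interrupts snapshots, taken before and after a benchmark run, and reports whether they grew. The snapshot contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: did the ccp driver raise interrupts during a benchmark run?

# Sum the per-CPU counts of every ccp-* line in a /proc/interrupts-style file.
ccp_irq_total() {
    awk '
        NR == 1 { ncpu = NF; next }          # header row: CPU0 CPU1 ...
        {
            hit = 0                          # device names follow the counts
            for (i = ncpu + 2; i <= NF; i++) if ($i ~ /^ccp-/) hit = 1
            if (hit) for (i = 2; i <= ncpu + 1; i++) total += $i
        }
        END { print total + 0 }
    ' "$1"
}

# True when the ccp-* total grew between two snapshots (before, after).
ccp_was_used() {
    _b=$(ccp_irq_total "$1")
    _a=$(ccp_irq_total "$2")
    [ "$_a" -gt "$_b" ]
}

# Constructed 2-CPU snapshot; $1 and $2 are the ccp-1 counts on CPU0 and CPU1.
# On a real system: cat /proc/interrupts > before.txt, run the benchmark,
# then cat /proc/interrupts > after.txt and compare the two files.
make_snapshot() {
    printf '%s\n' \
        '           CPU0       CPU1' \
        '  0:         40          0   IO-APIC    2-edge       timer' \
        " 36: $1 $2   PCI-MSI 1048576-edge   ccp-1" \
        ' 38:       1200        950   PCI-MSI 524288-edge     ahci[0000:01:00.1]'
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SNAP_BEFORE="$tmp/before"; SNAP_SAME="$tmp/same"; SNAP_BUSY="$tmp/busy"
make_snapshot 0 0     > "$SNAP_BEFORE"
make_snapshot 0 0     > "$SNAP_SAME"    # counts unchanged after the run
make_snapshot 310 295 > "$SNAP_BUSY"    # counts grew during the run

for s in "$SNAP_SAME" "$SNAP_BUSY"; do
    if ccp_was_used "$SNAP_BEFORE" "$s"; then
        echo "$(basename "$s"): ccp interrupts increased"
    else
        echo "$(basename "$s"): ccp interrupts unchanged"
    fi
done
```
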


        • #14
          Originally posted by schmidtbag
          I just realized - are there any internal drives with their own built-in encryption processor?
          short: Yes.

          longer: Yes, there are HDDs and SSDs that are SEDs (self encrypting devices/drives). E.g. Seagate's Enterprise / Constellation series had models that offered SED functions. There was a normal one (SATA or SAS) and for each also with encryption. (Don't ask me how you kick off that encryption actually and under Linux.)
          But: These drives may be liable to US-export regulations (because of US and crypto export laws from days long in the past), so I'm not sure if you can buy them elsewhere or if it is the same functionality. And: Usually this is also some blob ware. You don't know what it does and iirc. for some USB stick it was proven that there can be simple hacks to circumvent the security measures. I have no performance data for any of those but with dedicated ASICs there might be no palpable performance hit.

          I think ASICs like VIA Padlock, the Geode thing or the modern CPU instructions are probably still better for that case because they are likely more tested and researched. If you want real security you better add a second software-only solution on top.

          Stop TCPA, stupid software patents and corrupt politicians!



          • #15
            Originally posted by debianxfce
            Something is wrong in your computing environment if you need disk encryption and other overkill security features. Possible reasons are high 4G mobile network prices in the developing countries and a high crime rate.
            I don't really see what 4G network prices have to do with this. And even in countries with a relatively low crime rate there is still a risk of laptops or hard drives getting stolen or simply lost. If that happens, it's nice to have the peace of mind that your personal documents, emails, and other data aren't floating around out there. That's why I use it on my laptop.



            • #16
              Originally posted by bosjc
              Samsung PRO SSDs have built in (AES-256-bit I think). Depends on if you trust their hardware or not, though, I suppose. Having had it before, though, I can tell you there is basically no overhead at all.
              The builtin AES generates heat which can make the NVMe drives throttle faster, which leads to lower perf after a short burst. You'd definitely want to use a heat sink.



              • #17
                Originally posted by AndyChow
                And that's with aes-twofish-serpent software encryption, salted. To protect the data of my clients, this is nothing.
                Using multiple encryption techs simultaneously is bogus. Either use AES-256 for perf reasons or Serpent.



                • #18
                  Originally posted by debianxfce
                  Something is wrong in your computing environment if you need disk encryption and other overkill security features. Possible reasons are high 4G mobile network prices in the developing countries and a high crime rate.
                  Apparently debian & xfce users don't get it, some people sell their used hardware or their stuff gets stolen. Encryption is a no-brainer these days. If you can't afford Serpent, use AES-128 or AES XTS 256. Modern systems encrypt 3 GB/s or more. Especially recommended for spinning rust drives aaand even more so for SMR drives which are slow anyways.



                  • #19
                    Originally posted by caligula
                    Using multiple encryption techs simultaneously is bogus. Either use AES-256 for perf reasons or Serpent.
                    using more than one cipher can protect you when a new attack is discovered about a single cipher (like the DES story)



                    • #20
                      Originally posted by trek

                      using more than one cipher can protect you when a new attack is discovered about a single cipher (like the DES story)
                      DES is a sad story. NSA was interfering with the project and suggested a short key size. DES is also over 40 years old now. AES was published 20 years ago. Today there are hardly any effective ways to break it. AFAIK the AES-NI instructions and such help with the side channel timing attacks. Sure, go ahead and use multiple ciphers if you feel like it. Many commercial NAS boxes only support AES-128. Funny how some guys need three 256-bit ciphers for their private porn collection while others run small businesses with just reliance on AES-128 and a closed source firmware, maybe with some additional limitations related to password length and character set.
