One of these days I’m hoping a diff turns up to enable encryption support in boot. I didn’t want to use a keydisk (100% chance the keydisk would be in the machine when it was stolen), so I only encrypted /home.
That was on an X200s, with a lowly 1.8 Core 2, and using an SSD made it way faster than the encryption overhead. If you only have a 24G drive, you don’t have enough space for files big enough to notice the performance hit. :) I’ve noticed hardware AES making a difference when writing out files ~1G in size, but below 100M, never. Also, the buffer cache is kept decrypted, so it’s not like you have to decrypt /bin/ls every time you run it.
On the whole, good article. I’ve also been looking at the Seagate Momentus XT drives. 16GB of cache NAND would be more than enough to cache my entire OpenBSD working set, but still let me carry a media collection around on the same drive.
I have two machines, one with keydisk and one with encrypted home. Using the keydisk has turned into a huge PITA.
The next time I rebuild my boxes, I will use only home encryption and a YubiKey with both profiles set to static.
I need to look at the boot source code and see what could be done. Since boot now supports softraid RAID 1 without a separate partition for kernels, maybe that could be extended to add encryption support at boot as well as not needing a separate kernel partition.
That would be awesome :D
I would love to have encryption support in boot. I never take my keydisk out either which defeats the purpose. That’s good to know on the performance for files less than 1GB in size. That makes a lot of sense on the buffer cache as well.
I installed a 750GB Momentus XT for a relative and the difference from a regular 5400RPM laptop drive was staggering. It’s still not as good as an SSD but you get lots of storage for nothing compared to what an SSD would be. I bought the XT for ~$150 where my Crucial M4 512GB SSD was ~$400. Now the XT is as inexpensive as ~$130.
I’ll add some updates to the article to reflect the additional details. Thank you.
Have you used AES-NI for IPSEC purposes? Does it make much difference there either?
Not personally, but that’s why the code was added. There’s more CPU overhead just moving network packets back and forth, so you have less headroom. And tiny delays affect network traffic. Then again, are we talking about a home router on DSL or a gigabit corporate gateway?
Don’t get me wrong, AES-NI is wicked fast. I should clarify it’s not really file size, just amount of disk traffic that matters, but it’s rare (for me) to have a desktop need 100MB of uncached data read yesterday.
I see. I was basically thinking about the comparison between something like a Xeon E3 1220 (quad core 3.1GHz w/o HT but with AES-NI) and a Pentium G630 (dual core 2.7GHz w/HT but without AES-NI) for a firewall with a dozen IPSEC tunnels. There won’t be more than 50Mb/s of traffic initially but later there will be more.
The answer is always benchmark it. :) Depends on who’s paying, but if you anticipate growing, I’d say the Xeon is justified.
Makes sense. I’ll have to start doing some benchmarking and see what happens. In this case, I’m paying and already have both sets of hardware. I’m just debating adding a second of which set. Thanks for your thoughts.
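A starting point for the "benchmark it" advice above, as an added example that is not part of the original post or its comments: it runs `openssl speed` on the same box twice, once as-is and once with AES-NI masked out through the OPENSSL_ia32cap environment variable (bit 57 of the CPUID capability word is AES-NI, so the mask `~0x200000000000000` clears it), and reports the ratio. Assumptions: the `openssl` binary in PATH honors OPENSSL_ia32cap (the OpenSSL documentation describes it; whether OpenBSD's LibreSSL build does is not confirmed here, so check that the two numbers actually differ), and the summary row of `openssl speed` has the cipher name in the first column and the largest block size in the last. This measures userland bulk cipher throughput only; the kernel crypto path used by softraid crypto and IPsec is separate, so treat the ratio as an upper bound on what the hardware can give, not as the tunnel throughput the Xeon/Pentium box will deliver.

```shell
#!/bin/sh
# Added example, not from the original post: compare AES bulk throughput with
# and without AES-NI via `openssl speed`, then print the speed-up ratio.

CIPHER="aes-256-cbc"   # assumed cipher; aes-128-cbc or aes-256-gcm work the same way

# Read `openssl speed` output on stdin and print the throughput (KB/s, integer)
# for cipher $1 at the largest block size.  Assumes the usual summary row:
#   aes-256-cbc   612345.67k   1234567.89k   ...   1650000.12k
speed_kbps() {
    awk -v name="$1" '
        $1 == name { v = $NF; sub(/k$/, "", v); print int(v); exit }
    '
}

# Print $1 / $2 with two decimals (speed-up factor).
ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# Run the cipher benchmark twice on this machine: normally, and with AES-NI
# masked out.  OPENSSL_ia32cap="~0x200000000000000" clears bit 57 (AES-NI) of
# the capability word OpenSSL consults at startup (assumption: the local
# openssl honors it; if both numbers match, it does not).
bench() {
    with=$(openssl speed -evp "$CIPHER" 2>/dev/null | speed_kbps "$CIPHER")
    without=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp "$CIPHER" 2>/dev/null \
              | speed_kbps "$CIPHER")
    echo "cipher:          $CIPHER"
    echo "with AES-NI:     ${with} KB/s"
    echo "without AES-NI:  ${without} KB/s"
    echo "speed-up:        $(ratio "$with" "$without")x"
}

# Only run the (slow) benchmark when invoked as `sh script.sh run`, so that
# sourcing the file just defines the helpers.
if [ "${1:-}" = "run" ]; then
    bench
fi
```

Run it as `sh aesni-bench.sh run` on each candidate box; for the IPsec question in the thread, repeat with the cipher the tunnels actually negotiate, and remember that a dozen tunnels at 50Mb/s is about 6MB/s of cipher work, far below what even a non-AES-NI CPU reports here, so at that load the packet-handling overhead the reply mentions will dominate, not the cipher.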