Data access speed in LUKS encrypted partition












1














In Linux (Fedora 28) I have my home directory LUKS encryped, when using Gnome Disk (screenshot), I can benchmark separately the underlying LUKS partition (upper blue rectangle) and the decrypted home partition (lower white rectanble).



The LUKS partition gives an access time of 500MB/s, but the decryped acces gives 350MB/s. To be clear this is the same partition a 500GB SSD.



Is it fair to conclude that encryption is slowing down data access by 30% ( = 150/500)?



Is this type of number documented or I am doing some thing wrong.
This is much more slowdown that I was expecting.



screenshotdisks




EDIT: This is my output for



$ cryptsetup benchmark

# Tests are approximate using memory only (no storage IO).

PBKDF2-sha1       384375 iterations per second for 256-bit key

PBKDF2-sha256     494611 iterations per second for 256-bit key

PBKDF2-sha512     323634 iterations per second for 256-bit key

PBKDF2-ripemd160  293225 iterations per second for 256-bit key

PBKDF2-whirlpool  185917 iterations per second for 256-bit key

argon2i       4 iterations, 748334 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id      4 iterations, 745443 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

#     Algorithm |       Key |      Encryption |      Decryption

        aes-cbc        128b       195.0 MiB/s       664.0 MiB/s

    serpent-cbc        128b        28.8 MiB/s        94.7 MiB/s

    twofish-cbc        128b        58.8 MiB/s       111.6 MiB/s

        aes-cbc        256b       146.5 MiB/s       507.3 MiB/s

    serpent-cbc        256b        33.3 MiB/s       110.2 MiB/s

    twofish-cbc        256b        59.3 MiB/s       123.6 MiB/s

        aes-xts        256b       433.7 MiB/s       416.8 MiB/s

    serpent-xts        256b       101.0 MiB/s        94.7 MiB/s

    twofish-xts        256b       111.8 MiB/s       110.3 MiB/s

        aes-xts        512b       349.5 MiB/s       356.6 MiB/s

    serpent-xts        512b       101.6 MiB/s        96.0 MiB/s

    twofish-xts        512b       111.2 MiB/s       108.1 MiB/s





$ lscpu | grep aes

Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 

mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall

 nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology

 nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est 

tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer

 aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp

 tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm 

ida arat pln pts flush_l1d



NOTE: this question is crossposted here: https://ask.fedoraproject.org/en/question/130463/how-to-activate-the-aes-module-cpu-decryptor/






linux partitioning ssd encryption luks







share|improve this question




















  • 1




    Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
    – grawity
    Dec 9 at 23:44






  • 1




    Yes, it's a fair conclusion.
    – davidgo
    Dec 10 at 0:13










  • @grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
    – alfC
    Dec 10 at 1:26






  • 1




    Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
    – grawity
    Dec 10 at 5:51












  • lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
    – alfC
    Dec 10 at 7:06
















1














In Linux (Fedora 28) I have my home directory LUKS encryped, when using Gnome Disk (screenshot), I can benchmark separately the underlying LUKS partition (upper blue rectangle) and the decrypted home partition (lower white rectanble).



The LUKS partition gives an access time of 500MB/s, but the decryped acces gives 350MB/s. To be clear this is the same partition a 500GB SSD.



Is it fair to conclude that encryption is slowing down data access by 30% ( = 150/500)?



Is this type of number documented or I am doing some thing wrong.
This is much more slowdown that I was expecting.



screenshotdisks




EDIT: This is my output for



$ cryptsetup benchmark

# Tests are approximate using memory only (no storage IO).

PBKDF2-sha1       384375 iterations per second for 256-bit key

PBKDF2-sha256     494611 iterations per second for 256-bit key

PBKDF2-sha512     323634 iterations per second for 256-bit key

PBKDF2-ripemd160  293225 iterations per second for 256-bit key

PBKDF2-whirlpool  185917 iterations per second for 256-bit key

argon2i       4 iterations, 748334 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id      4 iterations, 745443 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

#     Algorithm |       Key |      Encryption |      Decryption

        aes-cbc        128b       195.0 MiB/s       664.0 MiB/s

    serpent-cbc        128b        28.8 MiB/s        94.7 MiB/s

    twofish-cbc        128b        58.8 MiB/s       111.6 MiB/s

        aes-cbc        256b       146.5 MiB/s       507.3 MiB/s

    serpent-cbc        256b        33.3 MiB/s       110.2 MiB/s

    twofish-cbc        256b        59.3 MiB/s       123.6 MiB/s

        aes-xts        256b       433.7 MiB/s       416.8 MiB/s

    serpent-xts        256b       101.0 MiB/s        94.7 MiB/s

    twofish-xts        256b       111.8 MiB/s       110.3 MiB/s

        aes-xts        512b       349.5 MiB/s       356.6 MiB/s

    serpent-xts        512b       101.6 MiB/s        96.0 MiB/s

    twofish-xts        512b       111.2 MiB/s       108.1 MiB/s





$ lscpu | grep aes

Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 

mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall

 nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology

 nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est 

tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer

 aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp

 tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm 

ida arat pln pts flush_l1d



NOTE: this question is crossposted here: https://ask.fedoraproject.org/en/question/130463/how-to-activate-the-aes-module-cpu-decryptor/






linux partitioning ssd encryption luks







share|improve this question




















  • 1




    Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
    – grawity
    Dec 9 at 23:44






  • 1




    Yes, it's a fair conclusion.
    – davidgo
    Dec 10 at 0:13










  • @grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
    – alfC
    Dec 10 at 1:26






  • 1




    Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
    – grawity
    Dec 10 at 5:51












  • lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
    – alfC
    Dec 10 at 7:06














1












1








1


1





In Linux (Fedora 28) I have my home directory LUKS encryped, when using Gnome Disk (screenshot), I can benchmark separately the underlying LUKS partition (upper blue rectangle) and the decrypted home partition (lower white rectanble).



The LUKS partition gives an access time of 500MB/s, but the decryped acces gives 350MB/s. To be clear this is the same partition a 500GB SSD.



Is it fair to conclude that encryption is slowing down data access by 30% ( = 150/500)?



Is this type of number documented or I am doing some thing wrong.
This is much more slowdown that I was expecting.



screenshotdisks




EDIT: This is my output for



$ cryptsetup benchmark

# Tests are approximate using memory only (no storage IO).

PBKDF2-sha1       384375 iterations per second for 256-bit key

PBKDF2-sha256     494611 iterations per second for 256-bit key

PBKDF2-sha512     323634 iterations per second for 256-bit key

PBKDF2-ripemd160  293225 iterations per second for 256-bit key

PBKDF2-whirlpool  185917 iterations per second for 256-bit key

argon2i       4 iterations, 748334 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id      4 iterations, 745443 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

#     Algorithm |       Key |      Encryption |      Decryption

        aes-cbc        128b       195.0 MiB/s       664.0 MiB/s

    serpent-cbc        128b        28.8 MiB/s        94.7 MiB/s

    twofish-cbc        128b        58.8 MiB/s       111.6 MiB/s

        aes-cbc        256b       146.5 MiB/s       507.3 MiB/s

    serpent-cbc        256b        33.3 MiB/s       110.2 MiB/s

    twofish-cbc        256b        59.3 MiB/s       123.6 MiB/s

        aes-xts        256b       433.7 MiB/s       416.8 MiB/s

    serpent-xts        256b       101.0 MiB/s        94.7 MiB/s

    twofish-xts        256b       111.8 MiB/s       110.3 MiB/s

        aes-xts        512b       349.5 MiB/s       356.6 MiB/s

    serpent-xts        512b       101.6 MiB/s        96.0 MiB/s

    twofish-xts        512b       111.2 MiB/s       108.1 MiB/s





$ lscpu | grep aes

Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 

mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall

 nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology

 nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est 

tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer

 aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp

 tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm 

ida arat pln pts flush_l1d



NOTE: this question is crossposted here: https://ask.fedoraproject.org/en/question/130463/how-to-activate-the-aes-module-cpu-decryptor/






linux partitioning ssd encryption luks







share|improve this question















In Linux (Fedora 28) I have my home directory LUKS encryped, when using Gnome Disk (screenshot), I can benchmark separately the underlying LUKS partition (upper blue rectangle) and the decrypted home partition (lower white rectanble).



The LUKS partition gives an access time of 500MB/s, but the decryped acces gives 350MB/s. To be clear this is the same partition a 500GB SSD.



Is it fair to conclude that encryption is slowing down data access by 30% ( = 150/500)?



Is this type of number documented or I am doing some thing wrong.
This is much more slowdown that I was expecting.



screenshotdisks




EDIT: This is my output for



$ cryptsetup benchmark

# Tests are approximate using memory only (no storage IO).

PBKDF2-sha1       384375 iterations per second for 256-bit key

PBKDF2-sha256     494611 iterations per second for 256-bit key

PBKDF2-sha512     323634 iterations per second for 256-bit key

PBKDF2-ripemd160  293225 iterations per second for 256-bit key

PBKDF2-whirlpool  185917 iterations per second for 256-bit key

argon2i       4 iterations, 748334 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

argon2id      4 iterations, 745443 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)

#     Algorithm |       Key |      Encryption |      Decryption

        aes-cbc        128b       195.0 MiB/s       664.0 MiB/s

    serpent-cbc        128b        28.8 MiB/s        94.7 MiB/s

    twofish-cbc        128b        58.8 MiB/s       111.6 MiB/s

        aes-cbc        256b       146.5 MiB/s       507.3 MiB/s

    serpent-cbc        256b        33.3 MiB/s       110.2 MiB/s

    twofish-cbc        256b        59.3 MiB/s       123.6 MiB/s

        aes-xts        256b       433.7 MiB/s       416.8 MiB/s

    serpent-xts        256b       101.0 MiB/s        94.7 MiB/s

    twofish-xts        256b       111.8 MiB/s       110.3 MiB/s

        aes-xts        512b       349.5 MiB/s       356.6 MiB/s

    serpent-xts        512b       101.6 MiB/s        96.0 MiB/s

    twofish-xts        512b       111.2 MiB/s       108.1 MiB/s





$ lscpu | grep aes

Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge 

mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall

 nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology

 nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est 

tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer

 aes xsave avx f16c rdrand lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp

 tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm 

ida arat pln pts flush_l1d



NOTE: this question is crossposted here: https://ask.fedoraproject.org/en/question/130463/how-to-activate-the-aes-module-cpu-decryptor/






linux partitioning ssd encryption luks




linux partitioning ssd encryption luks






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 10 at 7:19

























asked Dec 9 at 23:24









alfC

23626




23626








  • 1




    Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
    – grawity
    Dec 9 at 23:44






  • 1




    Yes, it's a fair conclusion.
    – davidgo
    Dec 10 at 0:13










  • @grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
    – alfC
    Dec 10 at 1:26






  • 1




    Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
    – grawity
    Dec 10 at 5:51












  • lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
    – alfC
    Dec 10 at 7:06














  • 1




    Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
    – grawity
    Dec 9 at 23:44






  • 1




    Yes, it's a fair conclusion.
    – davidgo
    Dec 10 at 0:13










  • @grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
    – alfC
    Dec 10 at 1:26






  • 1




    Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
    – grawity
    Dec 10 at 5:51












  • lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
    – alfC
    Dec 10 at 7:06








1




1




Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
– grawity
Dec 9 at 23:44




Does your CPU support AES-NI or equivalent? Can you check cryptsetup benchmark?
– grawity
Dec 9 at 23:44




1




1




Yes, it's a fair conclusion.
– davidgo
Dec 10 at 0:13




Yes, it's a fair conclusion.
– davidgo
Dec 10 at 0:13












@grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
– alfC
Dec 10 at 1:26




@grawity, I don't know, how can I find out? do you think there is a better way to tune the disk encryption for a given CPU (mine is Intel® Core™ i7-3612QM CPU @ 2.10GHz × 8 Intel® Ivybridge Mobile). I edited my question with the output of cryptsetup benchmark.
– alfC
Dec 10 at 1:26




1




1




Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
– grawity
Dec 10 at 5:51






Run lscpu | grep aes, additionally lsmod | grep aes and just in case modinfo aesni_intel. According to Intel ARK it should be supported, but on your benchmark it doesn't show.
– grawity
Dec 10 at 5:51














lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
– alfC
Dec 10 at 7:06




lscpu | grep aes shows aes (see the edit in my question). lsmod | grep aes shows nothing. modinfo easni_intel gives modinfo: ERROR: Module aesni_intel not found.
– alfC
Dec 10 at 7:06










1 Answer
1






active

oldest

votes


















1














Encryption adds extra CPU load, as each disk block needs to be decrypted by the OS on access. Your test results (~600 MB/s decryption) are fairly average for generic AES processing on an i7.



To avoid this issue, modern CPUs generally come with hardware-based AES support built in. Intel calls this feature "AES-NI" (shown in lscpu as "aes"), and it allows reaching 2–3 GB/s rates for the same AES decryption.



First run lscpu and check whether it mentions "aes" among feature flags. The Intel ARK shows it as present in your CPU model, but it may be disabled by firmware (BIOS) settings. (The ARK has a footnote: "Some products can support AES New Instructions with a Processor Configuration update … Please contact OEM for the BIOS that includes the latest Processor configuration update.")



Linux uses the "aesni_intel" module to enable hardware acceleration. Check whether it's enabled in your kernel at all by running zgrep AES_NI_INTEL /proc/config.gz. If it shows "=y", it's part of the main kernel image and should be available.



If the output shows "=m", it's been compiled as a module – try to load the module manually by running sudo modprobe -v aesni_intel. If the command is unable to find the module, you probably have to reboot. (After reboot, make sure uname -r shows the same kernel version as in ls /lib/modules.)






share|improve this answer























  • lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
    – alfC
    Dec 10 at 7:11











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1382197%2fdata-access-speed-in-luks-encrypted-partition%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Encryption adds extra CPU load, as each disk block needs to be decrypted by the OS on access. Your test results (~600 MB/s decryption) are fairly average for generic AES processing on an i7.



To avoid this issue, modern CPUs generally come with hardware-based AES support built in. Intel calls this feature "AES-NI" (shown in lscpu as "aes"), and it allows reaching 2–3 GB/s rates for the same AES decryption.



First run lscpu and check whether it mentions "aes" among feature flags. The Intel ARK shows it as present in your CPU model, but it may be disabled by firmware (BIOS) settings. (The ARK has a footnote: "Some products can support AES New Instructions with a Processor Configuration update … Please contact OEM for the BIOS that includes the latest Processor configuration update.")



Linux uses the "aesni_intel" module to enable hardware acceleration. Check whether it's enabled in your kernel at all by running zgrep AES_NI_INTEL /proc/config.gz. If it shows "=y", it's part of the main kernel image and should be available.



If the output shows "=m", it's been compiled as a module – try to load the module manually by running sudo modprobe -v aesni_intel. If the command is unable to find the module, you probably have to reboot. (After reboot, make sure uname -r shows the same kernel version as in ls /lib/modules.)






share|improve this answer























  • lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
    – alfC
    Dec 10 at 7:11
















1














Encryption adds extra CPU load, as each disk block needs to be decrypted by the OS on access. Your test results (~600 MB/s decryption) are fairly average for generic AES processing on an i7.



To avoid this issue, modern CPUs generally come with hardware-based AES support built in. Intel calls this feature "AES-NI" (shown in lscpu as "aes"), and it allows reaching 2–3 GB/s rates for the same AES decryption.



First run lscpu and check whether it mentions "aes" among feature flags. The Intel ARK shows it as present in your CPU model, but it may be disabled by firmware (BIOS) settings. (The ARK has a footnote: "Some products can support AES New Instructions with a Processor Configuration update … Please contact OEM for the BIOS that includes the latest Processor configuration update.")



Linux uses the "aesni_intel" module to enable hardware acceleration. Check whether it's enabled in your kernel at all by running zgrep AES_NI_INTEL /proc/config.gz. If it shows "=y", it's part of the main kernel image and should be available.



If the output shows "=m", it's been compiled as a module – try to load the module manually by running sudo modprobe -v aesni_intel. If the command is unable to find the module, you probably have to reboot. (After reboot, make sure uname -r shows the same kernel version as in ls /lib/modules.)






share|improve this answer























  • lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
    – alfC
    Dec 10 at 7:11














1












1








1






Encryption adds extra CPU load, as each disk block needs to be decrypted by the OS on access. Your test results (~600 MB/s decryption) are fairly average for generic AES processing on an i7.



To avoid this issue, modern CPUs generally come with hardware-based AES support built in. Intel calls this feature "AES-NI" (shown in lscpu as "aes"), and it allows reaching 2–3 GB/s rates for the same AES decryption.



First run lscpu and check whether it mentions "aes" among feature flags. The Intel ARK shows it as present in your CPU model, but it may be disabled by firmware (BIOS) settings. (The ARK has a footnote: "Some products can support AES New Instructions with a Processor Configuration update … Please contact OEM for the BIOS that includes the latest Processor configuration update.")



Linux uses the "aesni_intel" module to enable hardware acceleration. Check whether it's enabled in your kernel at all by running zgrep AES_NI_INTEL /proc/config.gz. If it shows "=y", it's part of the main kernel image and should be available.



If the output shows "=m", it's been compiled as a module – try to load the module manually by running sudo modprobe -v aesni_intel. If the command is unable to find the module, you probably have to reboot. (After reboot, make sure uname -r shows the same kernel version as in ls /lib/modules.)






share|improve this answer














Encryption adds extra CPU load, as each disk block needs to be decrypted by the OS on access. Your test results (~600 MB/s decryption) are fairly average for generic AES processing on an i7.



To avoid this issue, modern CPUs generally come with hardware-based AES support built in. Intel calls this feature "AES-NI" (shown in lscpu as "aes"), and it allows reaching 2–3 GB/s rates for the same AES decryption.



First run lscpu and check whether it mentions "aes" among feature flags. The Intel ARK shows it as present in your CPU model, but it may be disabled by firmware (BIOS) settings. (The ARK has a footnote: "Some products can support AES New Instructions with a Processor Configuration update … Please contact OEM for the BIOS that includes the latest Processor configuration update.")



Linux uses the "aesni_intel" module to enable hardware acceleration. Check whether it's enabled in your kernel at all by running zgrep AES_NI_INTEL /proc/config.gz. If it shows "=y", it's part of the main kernel image and should be available.



If the output shows "=m", it's been compiled as a module – try to load the module manually by running sudo modprobe -v aesni_intel. If the command is unable to find the module, you probably have to reboot. (After reboot, make sure uname -r shows the same kernel version as in ls /lib/modules.)







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 10 at 7:11

























answered Dec 10 at 6:22









grawity

231k35486544




231k35486544












  • lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
    – alfC
    Dec 10 at 7:11


















  • lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
    – alfC
    Dec 10 at 7:11
















lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
– alfC
Dec 10 at 7:11




lscpu shows a aes entry. zgrep AES_NI_INTEL /proc/config.gz gives gzip: /proc/config.gz: No such file or directory. sudo modprobe -v aesni_intel (after password) shows no output and the speed test still give the same results. lsmod | grep aes gives no output and modinfo aesni_intel gives modinfo: ERROR: Module aesni_intel not found. Now I am curious why my Fedora doesn't seem to have this.
– alfC
Dec 10 at 7:11


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1382197%2fdata-access-speed-in-luks-encrypted-partition%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Aardman Animations

Image
Aardman Animations, Ltd. Aardman Animations Tipo privada Atividade Animação em stop-motion , Animação em CGI Fundação 1972 Fundador(es) Peter Lord David Sproxton Sede Bristol, Inglaterra  Reino Unido Proprietário(s) Dreamworks Pessoas-chave Peter Lord David Sproxton Nick Park Divisões Aardman Features Aardman Digital Aardman Commercials Aardman Broadcast Aardman International Aardman Rights Aardman Effects Aardman 3-D Systems Aardman Nathan Love AardBoiled Website oficial aardman.com
Read more

Are they similar matrix

Image
0 $begingroup$ Do $begin{bmatrix} 0&i&0\0&0&1\0&0&0 end{bmatrix} $ and $begin{bmatrix} 0&0&0\-i&0&0\0&1&0 end{bmatrix} $ are similar.Is this True/false Clearly both are nilpotent and one is conjucate transpose of other but how to know if they are similar.i'm stuck. Please help me linear-algebra vector-spaces eigenvalues-eigenvectors generalizedeigenvector share | cite | improve this question edited Dec 10 '18 at 6:38 Vasanth Kris asked Dec 10 '18 at 6:19
Read more

“minimization” problem in Euclidean space related to orthonormal basis

Image
3 $begingroup$ I have stumbled upon an exercice for second year undegraduate student majoring in economics which I find quite demanding. I have an idea for the solution, but it seems awfully complicated, and I am wondering if there was a simpler way to solve it. This goes as follows: Let $(E, langle, rangle)$ be a euclidean space of dimension $n geq 2$ . 1) For any $x in E$ , show that $||x|| = sqrt{n}$ if and only if there exists $(e_1, dots, e_n)$ an orthonormal basis of $E$ such that $x =e_1+ ldots + e_n$ . 2) For any $(x,y) in E$ , show that $||x|| = sqrt{n}$ , $||y|| = sqrt{frac{n(n+1)(2n+1)}{6}}$ and $langle x,y rangle = frac{n(n+1)}{2}$ if and only if there eixsts $(e_1, ldots, e_n)$ an orthonormal basis of $E$ such that $x = e_1 + ldots + e_n$ and $y = e_1 + 2e_2 + ldots + ne_n$ The first q
Read more