Performance Comparison
Here is a quick benchmark to test both file and device encryption methods.
```
$ cat /proc/cpuinfo
[...]
model name : Intel(R) Core(TM) i7-4770S CPU @ 3.10GHz
[...]
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm xsaveopt dtherm ida arat pln pts
```
Sandisk Extreme SSD 480GB, SDSSDX480GG25, R211, max UDMA/133
The GUI was used to set up an encrypted device/partition with AES+SHA512 (instead of the default RIPEMD-160). An ext4 filesystem was used as well.
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt https://gitlab.com/cryptsetup/cryptsetup/
```
cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdc1
cryptsetup luksOpen /dev/sdc1 testme
mkfs.ext4 /dev/mapper/testme
mount /dev/mapper/testme /mnt/testme
```
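To confirm that a volume was really formatted with the options passed to `luksFormat` above, the header can be checked afterwards. The following is an added example, not part of the original page: it assumes the LUKS1 text layout of `cryptsetup luksDump`, and the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a LUKS1 header dump against the luksFormat options
# used on this page. Capture real input with:
#   cryptsetup luksDump /dev/sdc1 > dump.txt
# Assumes the LUKS1 luksDump text layout; LUKS2 prints a different layout.

# luks1_field <dump-file> <label>: print the value that follows "<label>:".
luks1_field() {
    awk -v key="$2" 'index($0, key ":") == 1 {
        v = substr($0, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        print v
        exit
    }' "$1"
}

# check_luks1_header <dump-file>: print one line per mismatch, return 1 if any.
check_luks1_header() {
    rc=0
    while IFS='|' read -r label want; do
        got=$(luks1_field "$1" "$label")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $label: got '${got:-<missing>}', want '$want'"
            rc=1
        fi
    done <<EOF
Cipher name|aes
Cipher mode|xts-plain64
Hash spec|sha512
MK bits|512
EOF
    return $rc
}

# Constructed sample of a LUKS1 dump (not captured from a real device).
sample_luks1_dump() {
    cat <<EOF
LUKS header information for /dev/sdc1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
EOF
}

tmp=$(mktemp)
sample_luks1_dump > "$tmp"
check_luks1_header "$tmp" && echo "header matches the luksFormat options"
rm -f "$tmp"
```

In XTS mode the 512-bit key is split into two 256-bit halves, so `MK bits: 512` corresponds to AES-256.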
https://github.com/rfjakob/gocryptfs
Later versions of Go make use of the AES-NI instructions, providing a significant performance boost.
```
gocryptfs -init /mnt/testme/enc
gocryptfs -openssl=false/true /mnt/testme/enc /mnt/testme/plain
```
https://vgough.github.io/encfs/
```
encfs /mnt/testme/enc /mnt/testme/plain
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 4:0:2
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.
```
Paranoia mode is closer to the security features of gocryptfs.
```
encfs /mnt/testme/enc /mnt/testme/plain
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?> p
Paranoia configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 4:0:2
Key Size: 256 bits
Block Size: 1024 bytes, including 8 byte MAC header
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File data IV is chained to filename IV.
File holes passed through to ciphertext.
-------------------------- WARNING --------------------------
The external initialization-vector chaining option has been
enabled. This option disables the use of hard links on the
filesystem. Without hard links, some programs may not work.
The programs 'mutt' and 'procmail' are known to fail. For
more information, please see the encfs mailing list.
If you would like to choose another configuration setting,
please press CTRL-C now to abort and start over.
```
https://github.com/netheril96/securefs
```
./securefs create /mnt/testme/enc
./securefs mount /mnt/testme/enc /mnt/testme/plain
```
All tests were run on Arch Linux, with an ext4 filesystem in all cases.
The following script was used. The encrypted storage is mounted manually before the script is executed.
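```bash
#!/bin/bash
set -eu

# Directory to benchmark, one level below /mnt/testme (the tarball is read
# from ../linux-3.0.tar.gz). DIR2 is not set anywhere in the script as
# published; taking it from the first argument is an assumption.
DIR2="${1:?usage: $0 <directory under /mnt/testme>}"

# Report elapsed wall-clock time in seconds
TIME="/usr/bin/time -f %e"

# Setup: fetch the kernel tarball once, then enter the directory under test
cd /mnt/testme
wget -nv --show-progress -c https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.gz
cd "$DIR2"
sync

# Benchmarks: each step is timed, followed by a timed sync
echo -n "WRITE: "
$TIME dd if=/dev/zero of=zero bs=128K count=1000 2>&1 | tail -n 1
$TIME sync
rm zero
sync
sleep 1

echo -n "UNTAR: "
$TIME tar xzf ../linux-3.0.tar.gz
$TIME sync
sleep 1

echo -n "LS: "
$TIME ls -lR linux-3.0 > /dev/null
$TIME sync
sleep 1

echo -n "RM: "
$TIME rm -Rf linux-3.0
$TIME sync
```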
The times in the table are total times, including the time to sync the filesystem, and are expressed in seconds.
Tool | Write 0's | Untar | ls | rm |
---|---|---|---|---|
no encryption | 0.28 | 3.25 | 0.15 | 0.36 |
truecrypt (AES/SHA512) | 0.5 | 4.26 | 0.17 | 0.35 |
cryptsetup | 0.54 | 4.24 | 0.18 | 0.38 |
gocryptfs (openssl=false) | 1.01 | 9.73 | 0.81 | 2.37 |
gocryptfs (openssl=true) | 1.18 | 11.7 | 0.82 | 2.36 |
encfs (standard mode) | 1.1 | 10.25 | 1.36 | 2.06 |
encfs (paranoia mode) | 1.67 | 11.96 | 1.37 | 2.07 |
securefs | 0.84 | 27.73 | 5.58 | 2.43 |