[Discuss] encrypted linux systems

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Stephen Adler
> 
> I've run across an interesting situation at where where I'm required to
> encrypt my desktop at home since it's owned by the government. Any
> advice on how to best setup an encrypted linux system? Preferably using
> some kind of encrypted hardware device which will not kill my disk IO
> rate?

If you enable encryption on your disk, it does not harm your IO rate.  I've measured, benchmarked, evaluated many configurations on many systems, and it comes down to this:

If you have a CPU which lacks the AES-NI instruction set, and you absolutely max out IO to a single disk, then it consumes about 30% cpu utilization on a single core, which means your performance is still limited by the disk IO and there is no measurable IO performance degradation.  You can stripe or mirror 3-4 disks into an aggregate unit, before you finally reach the computation limit on a single core.  I have not tested performance after you actually reach the limit of a single core - I suspect that some systems probably scale well to utilize multiple cores, and I suspect others do not.

If you *have* the AES-NI instruction set, then you get about 6x-10x faster encryption.  So, it would take around 18-40 disks all maxing out IO, before you are performance limited by your CPU.  

And in the typical situation, where you have only a single disk system, plus a CPU with AES-NI, you literally cannot measure the performance difference, nor the CPU overhead of performing the encryption.  Because the 3% or so CPU utilization falls into the noise, below the radar, along with "top" or whatever tool you're using to measure CPU utilization.