Authentication with geom_eli

Pawel Jakub Dawidek pjd at FreeBSD.org
Thu Jan 17 07:18:03 PST 2008


On Thu, Jan 17, 2008 at 07:15:26AM -0700, Cyrus Rahman wrote:
> Here are some timings related to different encryption and
> authentication algorithms.  Although the authentication involves extra
> copying and additional data being written to disk, it is clear the
> algorithm is also quite significant.
> 
> The system is a quad processor Q6600 running at 2.4GHz with mid-range
> SATA disks.
> 
> Given the considerable performance hit and the fact that for most
> applications the only viable and useful authentication attacks I can
> think of would involve replay, which is not detected in the current
> implementation, I think there is a clear benefit to an algorithm like
> a CRC to provide data integrity at a lower cost.
> 
> But I also agree that the ideal place for a CRC style check would be
> in a separate geom layer.
> 
> Baseline:
> dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
> 200+0 records in
> 200+0 records out
> 209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)
> 
> ***
> Varied encryption algorithms:
> geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
> dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
> 209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)
> 
> geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)
> 
> geli init -P -e blowfish -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)
> 
> geli init -P -e camellia -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)
> 
> geli init -P -e 3des -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)
> 
> ***
> Varied authentication algorithms:
> geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)
> 
> geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)
> 
> geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)
> 
> geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)
> 
> geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)

Could you retry with /dev/zero instead of /dev/random and also try
'null' as encryption algorithm?

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
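
The trade-off raised in the quoted message (a CRC-style check versus a per-sector HMAC, with replay going undetected either way), as an added Python example that is not part of the original thread and is not geli's code. The tag layout (HMAC-SHA256 over sector number plus data), the key and the sector contents are constructed assumptions.

```python
import hashlib
import hmac
import zlib

SECTOR = 4096                  # same sector size as the -s 4096 in the timings
KEY = b"constructed-demo-key"  # constructed; stands in for the provider's auth key


def crc_tag(data: bytes) -> bytes:
    """Unkeyed checksum: anyone able to write the sector can recompute it."""
    return zlib.crc32(data).to_bytes(4, "big")


def hmac_tag(sector_no: int, data: bytes, key: bytes = KEY) -> bytes:
    """Keyed tag bound to the sector number (assumed layout, not geli's)."""
    msg = sector_no.to_bytes(8, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_crc(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(crc_tag(data), tag)


def verify_hmac(sector_no: int, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(sector_no, data), tag)


def scenarios() -> dict:
    """Map each kind of change to (CRC accepts?, HMAC accepts?)."""
    old = b"A" * SECTOR                       # earlier contents of sector 7
    new = b"B" * SECTOR                       # current contents of sector 7
    old_crc, old_mac = crc_tag(old), hmac_tag(7, old)
    new_crc, new_mac = crc_tag(new), hmac_tag(7, new)
    flipped = bytes([new[0] ^ 1]) + new[1:]   # accidental single-bit corruption
    forged = b"C" * SECTOR                    # rewrite by a writer without KEY
    bad_mac = hmac_tag(7, forged, b"wrong-guess")
    return {
        # Corruption with the stored tag left alone: both checks reject.
        "bit_flip": (verify_crc(flipped, new_crc), verify_hmac(7, flipped, new_mac)),
        # Data and tag rewritten together: only the keyed tag rejects.
        "forgery": (verify_crc(forged, crc_tag(forged)), verify_hmac(7, forged, bad_mac)),
        # Valid sector 7 data and tag copied to sector 8: CRC cannot tell.
        "relocation": (verify_crc(new, new_crc), verify_hmac(8, new, new_mac)),
        # Older data and tag restored to the same sector: both accept.
        "replay": (verify_crc(old, old_crc), verify_hmac(7, old, old_mac)),
    }


if __name__ == "__main__":
    for name, (crc_ok, mac_ok) in scenarios().items():
        print(f"{name:10s} crc_accepts={crc_ok} hmac_accepts={mac_ok}")
```

Detecting the replay case needs state kept outside the sector itself, such as a version counter or a hash tree root, which neither tag in this sketch provides.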
More information about the freebsd-geom mailing list