Do you have a netbook, laptop, desktop or a server which uses dm-crypt to encrypt data on your disks? If yes, you will probably find that raw hard disk performance is better than encrypted disk performance. You will notice that especially on slow machines (i.e. netbooks), but also high-performance servers, because of the current dm-crypt design.
What cipher in the Linux kernel provides you with the best performance?
Currently, dm-crypt in the Linux kernel suffers from at least one performance-wise flaw: it is not SMP aware. This means, even if you have several CPUs in your machine, only one processor will be used to encrypt/decrypt data (ed. 31-May-2010: there was a patch posted today to make dm-crypt scale to multiple CPUs).
With moderately fast disks and RAID arrays in a server, you will hit a a limit where one processor is not able to encrypt/decrypt data fast enough. With netbooks and slow CPUs, and probably fast SSD disks, you will hit this limit even earlier.
Here is a list of different ciphers and throughput they delivered, when reading from a given device linearly.
The tests were made on a Celeron 2.93GHz CPU with Seagate Barracuda 7200.11 SATA 3Gb/s 1.5-TB ST31500341AS disks. Raw linear speed of these disks was about 105 MB/s.
What performance could different ciphers deliver on this machine? Note that you have to consider security implications / encryption strength yourself when using custom encryption schemes (i.e. using -essiv instead of -plain on similar hardware will usually decrease the performance by about 10 MB/s, but your encryption should be “harder to crack”).
Default parameters for creating an encrypted device are:
cryptsetup luksFormat /dev/$DEVICE
You can add options like:
cryptsetup luksFormat -c cast5-cbc-plain -s 128 /dev/$DEVICE
To open an encrypted device:
cryptsetup luksOpen /dev/$DEVICE $SOMENAME
You will have a new block device in /dev/mapper/$SOMENAME, which you can i.e. use for a filesystem
To close the encrypted device:
cryptsetup luksClose $SOMENAME
Below, the results:
-c tnepres 20.1 MB/s
-c serpent 20.4 MB/s
-c seed-ecb-plain -s 256 20.5 MB/s
-c fcrypt-pcbc-plain -s 64 30.4 MB/s
-c khazad-ecb-plain -s 128 31.7 MB/s
-c xtea-ecb-plain -s 128 32.0 MB/s
-c arc4 32.1 MB/s
-c xeta-ecb-plain -s 128 32.1 MB/s
-c twofish 34.2 MB/s
-c anubis-cbc-plain -s 256 37.5 MB/s
-c anubis -s 256 37.8 MB/s
-c tea-ecb-plain -s 128 38.1 MB/s
-c anubis-ecb-plain -s 256 39.6 MB/s
-c cast6-cbc-plain -s 256 40.0 MB/s
-c cast6 40.7 MB/s
-c des-ecb-plain -s 64 42.0 MB/s
-c camellia -s 256 42.2 MB/s
-c anubis -s 128 46.4 MB/s
-c anubis-cbc-plain -s 128 47.5 MB/s
-c anubis-ecb-plain -s 128 49.4 MB/s
-c cast5-cbc-plain -s 128 50.2 MB/s
-c camellia -s 128 51.4 MB/s
-c aes -s 256 55.9 MB/s
-c aes-cbc-plain -s 256 56.4 MB/s
-c aes-cbc-benbi -s 256 56.7 MB/s
-c aes-cbc-null -s 256 57.0 MB/s
-c blowfish 57.2 MB/s
-c aes-ecb-benbi -s 256 58.8 MB/s
-c aes-ecb-null -s 256 59.5 MB/s
-c aes-ecb-plain -s 256 60.3 MB/s
-c blowfish-ecb-plain 61.4 MB/s
-c aes-xts-plain -s 256 61.6 MB/s
-c aes-lrw-plain -s 256 62.8 MB/s
-c aes-cbc-plain -s 128 66.8 MB/s
-c aes-ctr-plain -s 128 67.0 MB/s
-c aes-cbc-null -s 128 67.1 MB/s
-c aes-cbc-benbi -s 128 67.4 MB/s
-c aes -s 128 67.5 MB/s
-c aes-ecb-plain -s 128 71.0 MB/s
-c aes-ecb-benbi -s 128 71.2 MB/s
-c aes-ecb-null -s 128 71.5 MB/s
The benchmarks were made with dd (bs=64k, 3 GB read), repeated several times; caches were dropped before each test.