openssl with aes-in or padlock
Wojciech Puchar
wojtek at puchar.net
Thu Sep 11 21:33:34 UTC 2014
>> #openssl speed -evp aes-256-cbc
>
> First off, you won't get much speed up w/ CBC encrypt... Try testing
> using aes-256-ctr instead... CBC can't process multiple blocks in
> parallel like CTR can... if you measure the cbc _decrypt_ speed, you
> should see a big improvement as CBC decrypt can be parallelized...
>
>> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s
>
> geli uses a different framework for it's crypto processing.. for geli,
> make sure you have the aesni kernel module loaded before you attach
> to a geli disk... You should get kernel messages like the following:
> GEOM_ELI: Device gpt/werner.eli created.
> GEOM_ELI: Encryption: AES-XTS 256
> GEOM_ELI: Crypto: hardware
yes i have this. contrary to what you say - both AES-XTC and AES-CBC gets
MUCH faster with AES-NI.
> notice the Crypto: hardware line.. Also, make sure that your geli
> sector size is 4k instead of 512... This reduces the loop overhead,
as i already said - geli works fast and make use of AES-NI or padlock
openssl does not
More information about the freebsd-hackers
mailing list