Ubuntu – How will 12.10 disk encryption affect performance
12.10 encryption performance
As the title suggests. Massive performance degradation?
And what technology does it use?
Best Answer
Depends on your hardware of course. Most important performance enhancement is using a CPU with AES-NI capabilities, provided by most of the recent Core i5/i7 processors and a kernel supporting it (most recent versions do). It's similar to video acceleration, but then for AES calculations.
Do a grep aes /proc/cpuinfo to see if your CPU is capable. If so, it will then be able to en/decrypt hundreds of megabytes a second without too much load; more than enough for most systems or a root filesystem. Provided your encryption software uses this (kernel interface). Using dm-crypt (LUKS) does this for sure. This Arch Wiki article claims you should be able to do roughly 570 MB/s on a first-generation i7 CPU.
I haven't done real benchmarking, but I find almost no slowdown in doing a read-only benchmark using 'palimpsest' (Gnome Disk Utility) on my Intel 310 series 80GB SSD using dm-crypt (full disk) encryption enabled. A steady ~ 250 MB/s sequential reading all the way on an LVM LV (on top of dm-crypt).
See this Phoronix article for serious benchmarks of AES-NI and dm-crypt. An excerpt from that article:
While the Ubuntu home directory encryption feature with eCryptfs may
not be beneficial at this point with Intel AES-NI, full-disk
encryption with Intel AES-NI using dmcrypt is noticeably better.
Several of the benchmarks produced dramatically better results with
AES-NI while at the same time delivering lower CPU usage. AES-NI
appears to be a huge win if planning to encrypt your entire disk using
this feature found in Ubuntu's alternate installer.
This is a bit outdated now, and eCryptfs might not be suffering these slowdowns anymore.
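The check described in the answer above, carried one step further as an added example (not part of the original answer): besides the CPU flag, it reads the kernel's /proc/crypto registry to see which driver wins for a given algorithm name. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Both functions default to the live /proc files; pass "-" to read stdin.

# cpu_has_aes [FILE]: succeed only if "aes" is an exact token on a flags line.
cpu_has_aes() {
    awk -F: '/^flags/ { n = split($2, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1 }
             END { exit (found ? 0 : 1) }' "${1:-/proc/cpuinfo}"
}

# best_driver NAME [FILE]: print the highest-priority driver registered for
# algorithm NAME; that is the implementation the kernel crypto API hands out.
best_driver() {
    awk -v want="$1" '
        function endblock() {
            if (name == want && prio + 0 > best) { best = prio + 0; bestdrv = drv }
            name = drv = prio = ""
        }
        BEGIN { best = -1 }
        /^name/     { name = $3 }
        /^driver/   { drv  = $3 }
        /^priority/ { prio = $3 }
        /^$/        { endblock() }
        END { endblock(); if (bestdrv == "") exit 1; print bestdrv }
    ' "${2:-/proc/crypto}"
}

# Constructed sample in /proc/crypto format (not captured from a real machine).
sample_crypto() {
cat <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300

name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401
EOF
}

echo "sample: aes -> $(sample_crypto | best_driver aes -)"
```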
So long story short, the only way an IOMMU will help you is if you start assigning HW resources directly to the VM. Just having it doesn't make things faster.
It would help to know exactly what Motherboard/CPU is advertising this feature.
IOMMU is a system specific IO mapping mechanism and can be used with most devices.
IOMMU sounds like a generic name for Intel VT-d and AMD IOV. In which case I don't think you can multiplex devices, it's a lot like PCI passthrough before all these fancy virtualization instructions existed :). SR-IOV is different, the peripheral itself must carry the support. The HW knows it's being virtualized and can delegate a HW slice of itself to the VM. Many VMs can talk to an SR-IOV device concurrently with very low overhead.
The only thing faster than SR-IOV is PCI passthrough though in that case only one VM can make use of that device, not even the host operating system can use it. PCI passthrough would be useful for say a VM that runs an intense database that would benefit from being attached to a FiberChannel SAN.
Getting closer to the HW does have limitations however, it makes your VMs less portable for deployments that require live migration for example. This applies to both SR-IOV and PCI passthrough.
Default virtualized Linux deployments usually use VirtIO which is pretty fast to begin with.
Well, in the past, encrypting the system would have a strong performance hit because of all the I/O and processing that needed to be done between encryption and reading/writing to the disk. But since a couple of versions ago, the performance hit is less than 5%. I would even be so bold as to say it is less than 1% since, with some tests I did, the video performance, copy/paste, HDD benchmark and speed of boot were almost the same.
And since you are using Ubuntu 12.10, there is even less of a performance penalty.
As you can see the performance has gone up since 11.10 and you are using 12.10, so the performance is basically the same. I was actually amazed at how it was running when I first tested this on 12.04.