I'm about to install Xubuntu 16.04.2 LTS on a Dell Latitude D630 laptop and I'm trying to figure out if full disk encryption is a good idea. I would really like to have encryption, though it's not an absolute necessity. I've seen competing claims as to impact on performance, so trying to gauge what the impact will be on this system (Intel Core 2 Duo T7100 / 1.8 GHz processor, 5400 rpm HDD, 2 GB RAM? (it's listed as 2, or 2 x 1 GB)). I mostly just use the computer for writing, general internet access, pretty basic tasks. Will I see a major drop in performance? Less from just home folder encryption? More specifically, are there particular levels of processor/RAM/etc that one should have to make FDE work efficiently?
Ubuntu – Will the system be able to handle full disk encryption
encryption performance
Related Solutions
Depends on your hardware of course. Most important performance enhancement is using a CPU with AES-NI capabilities, provided by most of the recent Core i5/i7 processors and a kernel supporting it (most recent versions do). It's similar to video acceleration, but then for AES calculations.
Do a grep aes /proc/cpuinfo to see if your CPU is capable. If so, it will then be able to en/decrypt hundreds of megabytes a second without too much load; more than enough for most systems or a root filesystem. Provided your encryption software uses this (kernel interface). Using dm-crypt (LUKS) does this for sure. This Arch Wiki article claims you should be able to do roughly 570 MB/s on a first-generation i7 CPU.
I haven't done real benchmarking, but I find almost no slowdown in doing a read-only benchmark using 'palimpsest' (Gnome Disk Utility) on my Intel 310 series 80GB SSD using dm-crypt (full disk) encryption enabled. A steady ~ 250 MB/s sequential reading all the way on an LVM LV (on top of dm-crypt).
See this Phoronix article for serious benchmarks of AES-NI and dm-crypt. An excerpt from that article:
While the Ubuntu home directory encryption feature with eCryptfs may not be beneficial at this point with Intel AES-NI, full-disk encryption with Intel AES-NI using dmcrypt is noticeably better. Several of the benchmarks produced dramatically better results with AES-NI while at the same time delivering lower CPU usage. AES-NI appears to be a huge win if planning to encrypt your entire disk using this feature found in Ubuntu's alternate installer.
This is a bit outdated now, and eCryptfs might not be suffering these slowdowns anymore.
My apologies for posting this as an answer, but comments would not get the attention this needs. It is my considered opinion that your drive is in imminent danger of failing.
Please make a full system backup right now.
If you don't know how to make a system backup, please refer to this question. You're user type 4. If you need any further help on making a system backup, leave a comment below this answer.
What??? You're still here? Go away and make the system back-up first! (Disk-to-image)
Then, boot from a LiveCD and issue the following command:
sudo apt-get install smartmontools
Then:
sudo smartctl --scan
and for all /dev/?d? lines below that:
sudo smartctl --info /dev/?d?
until you see: Device Model: INTEL SSDSC2BW240A3
and verify that:
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
and from now on, wherever you see sda, replace that with your own ?d? (sda is the most common, so yours will probably be this too)
Run:
sudo smartctl --all /dev/sda
and post the output of that to http://paste.ubuntu.com and provide a link to the output back here. Then:
sudo smartctl --test=short /dev/sda
and post the output of that (by doing another sudo smartctl --all /dev/sda) to http://paste.ubuntu.com too and provide that link to its output back here too.
Best Answer
Performance
Disk encryption will lead to a small yet measurable performance decrease since the computer needs to perform an additional step during disk access. However, the bottleneck on a system with specs like yours will almost always be the disk itself and not the processing power required for encryption or decryption.
If you encrypt less data (e. g. only the home directory instead of the whole system) the performance difference will be smaller for obvious reasons. This only applies if you use the same encryption scheme in both instances! The home directory encryption offered by Ubuntu will use eCryptfs as opposed to dm-crypt for full disk encryption. The former is known to be slower than the latter but offers more flexibility (i. e. encrypting only a subset of files on a file system and with different keys, e. g. for different users).
Major problems
You'll lose all encrypted files if you lose the key or password (e. g. due to forgetfulness, a partial disk failure, or a mistake during repartitioning). Therefore it's very important to back up the key file and keep a note with the password in one or (better yet) more safe places. The key file is not the same as the password and neither can substitute the other. (In fact, the password is used to decrypt the key which is needed to decrypt the data.)
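Both performance points on this page (the AES-NI check in the related answer and the best answer's claim that the disk is usually the bottleneck) can be tested with a short script. The following is an added example, not code from any of the answers: the function names are hypothetical, the CPU flags, the benchmark table and the 60 MB/s disk figure are constructed sample values, and the 256b default row is an assumption about the volume's key size.

```shell
#!/bin/sh
# Added example (not from the answers): is AES or the disk the limit for dm-crypt?

# has_aes_flag [FILE]: succeed only if "aes" is a whole word on a CPU "flags" line.
has_aes_flag() {
    awk -F: '/^flags/ { n = split($2, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1 }
             END { exit !found }' "${1:-/proc/cpuinfo}"
}

# cipher_mibs FILE [KEYSIZE]: whole MiB/s of aes-xts decryption, read from saved
# "cryptsetup benchmark" output. KEYSIZE defaults to 256b (assumed volume setting).
cipher_mibs() {
    awk -v k="${2:-256b}" '$1 == "aes-xts" && $2 == k { print int($5); exit }' "$1"
}

# limiting_factor CIPHER_MIBS DISK_MIBS: report which side caps sequential reads.
limiting_factor() {
    if [ "$1" -lt "$2" ]; then echo cpu; else echo disk; fi
}

# Constructed sample inputs (not measurements). A bare "grep aes" would match the
# model-name line below even though the flags line has no "aes" entry.
sample_cpuinfo() {
    printf 'model name\t: constructed-cpu (no aes-ni)\n'
    printf 'flags\t\t: fpu vme de pse tsc msr pae sse sse2 ssse3 lahf_lm\n'
}
sample_benchmark() {
    cat <<'EOF'
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b       128.4 MiB/s       143.9 MiB/s
        aes-xts        256b       141.2 MiB/s       139.7 MiB/s
        aes-xts        512b       108.6 MiB/s       107.3 MiB/s
EOF
}

tmp=$(mktemp -d)
sample_cpuinfo > "$tmp/cpuinfo"
sample_benchmark > "$tmp/bench"
has_aes_flag "$tmp/cpuinfo" && echo "AES-NI: yes" || echo "AES-NI: no"
rate=$(cipher_mibs "$tmp/bench")
# 60 is a constructed disk figure; measure yours, e.g. with: sudo hdparm -t /dev/sda
echo "aes-xts 256b: $rate MiB/s, limiting factor: $(limiting_factor "$rate" 60)"
```

On a real machine, pass /proc/cpuinfo and the saved output of cryptsetup benchmark, and use the key size that cryptsetup luksDump reports for your volume.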