LinuxQuestions.org
Old 07-24-2012, 07:42 PM   #1
arcctgx
LQ Newbie
 
Registered: Mar 2006
Location: EU
Distribution: Slackware
Posts: 9

Rep: Reputation: 0
cryptsetup with AES-NI on Intel i5-2450M


I would like to encrypt my hard drive, as described in the README_CRYPT.txt file. I know my CPU (Intel Core i5-2450M) supports the AES-NI instruction set.

I would like to know this before I start Slackware installation: do I need to perform additional steps to those listed in README_CRYPT.txt for my system to take advantage of AES-NI? Steps like using extra options to cryptsetup, or maybe loading some kernel modules before creating encrypted partitions? Or does it work transparently and I don't need to do anything?

This will be my first encrypted system, so I'm a bit in the dark here and I would appreciate any information.
 
Old 07-24-2012, 08:59 PM   #2
e5150
Member
 
Registered: Oct 2005
Location: Sweden
Distribution: Slackware
Posts: 73

Rep: Reputation: 41
The aes-ni driver is compiled into the kernel (both huge and generic), so I would think it will be used by default.

On my system (self-compiled kernel with aes-ni as a module), if I run `cryptsetup luksOpen ...` / `mount ...` as usual with aesni_intel loaded and then try to `rmmod aesni_intel`, it complains about the module being in use. If I then unmount and luksClose, I'm able to rmmod. (The encrypted partition was created prior to me getting an AES-NI capable CPU.) So there don't seem to be any extra steps required.
 
2 members found this post helpful.
Old 07-25-2012, 08:17 AM   #3
arcctgx
LQ Newbie
 
Registered: Mar 2006
Location: EU
Distribution: Slackware
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks for your answer. I didn't know AES-NI support was compiled into the default Slackware kernel.

You said you created the encrypted partition before getting an AES-NI capable CPU. After you upgraded your CPU, did you notice any performance gain that you could attribute to this new instruction set?
 
Old 07-25-2012, 11:05 AM   #4
e5150
Member
 
Registered: Oct 2005
Location: Sweden
Distribution: Slackware
Posts: 73

Rep: Reputation: 41
No, no noticeable performance gain. I suppose my mechanical disk acts as the bottleneck either way, being limited to speeds around 80-100 Mb/s. Using the benchmark test in the precompiled TrueCrypt binary (if compiling via SlackBuild it refused to use the hardware encryption), I would get 250-400 Mb/s encryption/decryption with my old CPU, or the new without AES-NI, while the new CPU with AES-NI enabled gave me speeds of about 2,5 Gb/s. So unless you're using a nice and fast SSD, I don't think you'll notice any difference in I/O speeds. However, CPU utilization ought to be lower, so you should get more CPU cycles left over for whatever else it is you're doing while reading/writing big chunks of data to your encrypted drive.
 
1 members found this post helpful.
Old 07-25-2012, 01:13 PM   #5
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 138
Note that AES-NI will only provide assistance if you use AES for your encryption algorithm.
 
Old 07-25-2012, 04:24 PM   #6
arcctgx
LQ Newbie
 
Registered: Mar 2006
Location: EU
Distribution: Slackware
Posts: 9

Original Poster
Rep: Reputation: 0
Of course. I believe README_CRYPT.txt describes setting up an AES-encrypted volume. Am I reading this right?
Quote:
"We will use a key size of 256 bits. The default cipher is 'aes', with mode 'cbc-essiv:sha256' which is safe enough."
 
Old 07-25-2012, 04:51 PM   #7
e5150
Member
 
Registered: Oct 2005
Location: Sweden
Distribution: Slackware
Posts: 73

Rep: Reputation: 41
AES is the default; you can run `cryptsetup --help` before creating the encrypted partition to make sure. If for some reason AES isn't the default, you can add "-c aes-cbc-essiv:sha256" to the `cryptsetup luksFormat` command.
 
1 members found this post helpful.
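A way to check the points raised in this thread without unloading modules, as an added example that is not part of any post above: the script reads files in the /proc/cpuinfo and /proc/crypto formats and reports the highest-priority driver registered for an algorithm name, which is the implementation the kernel crypto API prefers. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: which kernel driver would serve a cipher, judged from
# /proc/cpuinfo- and /proc/crypto-format files. Sample data is constructed.

# cpu_has_aes FILE: succeed if the CPU "flags" line lists the exact flag "aes".
cpu_has_aes() {
    awk -F: '/^flags/ { n = split($2, f, " ")
                        for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1 }
             END { exit !found }' "$1"
}

# best_driver ALG FILE: print "driver priority" for the highest-priority
# implementation registered under algorithm name ALG; fail if there is none.
best_driver() {
    awk -F' *: *' -v alg="$1" '
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "priority" && name == alg && (pick == "" || $2 + 0 > best) {
            best = $2 + 0; pick = driver }
        END { if (pick == "") exit 1; print pick, best }' "$2"
}

# uses_aesni ALG FILE: succeed if that best driver is an AES-NI one.
uses_aesni() {
    case "$(best_driver "$1" "$2")" in *aesni*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files (not captured from a real machine).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CPUINFO=$SAMPLE_DIR/cpuinfo
SAMPLE_CRYPTO=$SAMPLE_DIR/crypto
echo 'flags : fpu sse2 ssse3 pclmulqdq aes avx' > "$SAMPLE_CPUINFO"
rec() {
    printf 'name         : %s\ndriver       : %s\nmodule       : kernel\npriority     : %s\n\n' "$@"
}
{ rec aes aes-generic 100; rec aes aes-aesni 300; rec aes aes-asm 200
  rec twofish twofish-generic 100; } > "$SAMPLE_CRYPTO"

cpu_has_aes "$SAMPLE_CPUINFO" && echo "CPU advertises the aes flag"
for alg in aes twofish; do
    if uses_aesni "$alg" "$SAMPLE_CRYPTO"; then how="AES-NI"; else how="no AES-NI"; fi
    echo "$alg -> $(best_driver "$alg" "$SAMPLE_CRYPTO") ($how)"
done
# On a live system, pass /proc/cpuinfo and /proc/crypto instead of the samples.
```

The twofish record shows the case NyteOwl mentions: a non-AES cipher never resolves to an AES-NI driver, whatever the CPU supports.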
  

