LinuxQuestions.org


arcctgx 07-24-2012 07:42 PM

cryptsetup with AES-NI on Intel i5-2450M
 
I would like to encrypt my hard drive, as described in the README_CRYPT.txt file. I know my CPU (Intel Core i5-2450M) supports the AES-NI instruction set.

I would like to know this before I start Slackware installation: do I need to perform additional steps to those listed in README_CRYPT.txt for my system to take advantage of AES-NI? Steps like using extra options to cryptsetup, or maybe loading some kernel modules before creating encrypted partitions? Or does it work transparently and I don't need to do anything?

This will be my first encrypted system, so I'm a bit in the dark here and I would appreciate any information.

e5150 07-24-2012 08:59 PM

The aes-ni driver is compiled into the kernel (both huge and generic), so I would think it will be used by default.

On my system (self-compiled kernel with aes-ni as module), if I run `cryptsetup luksOpen ...` / `mount ...` as usual, with aesni_intel loaded, and then try to `rmmod aesni_intel`, it complains about the module being in use. If I then unmount and luksClose, I'm able to rmmod. (The encrypted partition was created prior to me getting an AES-NI capable CPU.) So there don't seem to be any extra steps required.

arcctgx 07-25-2012 08:17 AM

Thanks for your answer. I didn't know AES-NI support was compiled into the default Slackware kernel.

You said you created the encrypted partition before getting an AES-NI capable CPU. After you upgraded your CPU, did you notice any performance gain that you could attribute to this new instruction set?

e5150 07-25-2012 11:05 AM

No, no noticeable performance gain. I suppose my mechanical disk acts as the bottleneck either way, being limited to speeds around 80-100 Mb/s. Using the benchmark test in the precompiled truecrypt binary (if compiling via slackbuild it refused to use the hardware encryption) I would get 250-400 Mb/s encryption/decryption with my old CPU, or the new without AES-NI, while the new CPU with AES-NI enabled gave me speeds of about 2,5 Gb/s. So unless you're using a nice and fast SSD I don't think you'll notice any difference in I/O speeds. However, CPU utilization ought to be lower, so you should get more CPU cycles left over for whatever else it is you're doing while reading/writing big chunks of data to your encrypted drive.

NyteOwl 07-25-2012 01:13 PM

Note that AES-NI will only provide assistance if you use AES for your encryption algorithm.

arcctgx 07-25-2012 04:24 PM

Of course. I believe README_CRYPT.txt describes setting up an AES-encrypted volume. Am I reading this right?
Quote:

"We will use a key size of 256 bits. The default cipher is 'aes', with mode 'cbc-essiv:sha256' which is safe enough."

e5150 07-25-2012 04:51 PM

AES is the default; you can run `cryptsetup --help` before creating the encrypted partition to make sure. If for some reason AES isn't the default, you can add "-c aes-cbc-essiv:sha256" to the `cryptsetup luksFormat` command.
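
Added example, not part of the thread: a shell check for the conditions the posts above raise (the volume's cipher is AES, the CPU reports the `aes` flag, and the kernel has registered an AES-NI driver). The function names and the sample `/proc/cpuinfo` and `/proc/crypto` text are constructed for illustration, and the script assumes the base `aes` entry in `/proc/crypto` is a fair proxy for what dm-crypt will use.

```shell
#!/bin/sh
# Added example. Reads /proc-style text; pass other paths to check saved copies.

# Succeeds if the CPU flags line lists "aes" (the AES-NI feature flag).
cpu_has_aes() {
    awk -F: '/^flags/ { n = split($2, f, " "); for (i = 1; i <= n; i++) if (f[i] == "aes") ok = 1 }
             END { exit !ok }' "${1:-/proc/cpuinfo}"
}

# Prints the driver the kernel crypto API prefers for plain "aes":
# among registered implementations, the highest priority wins.
best_aes_driver() {
    awk -F' *: *' 'BEGIN { best = -1 }
        $1 == "name"     { name = $2 }
        $1 == "driver"   { driver = $2 }
        $1 == "priority" && name == "aes" && $2 + 0 > best { best = $2 + 0; win = driver }
        END { print win }' "${1:-/proc/crypto}"
}

# aesni_verdict CIPHER [CPUINFO] [CRYPTO] -> one line saying what will serve the volume.
aesni_verdict() {
    case "$1" in
        aes|aes-*) ;;
        *) echo "not-aes: AES-NI cannot help cipher $1"; return 0 ;;
    esac
    cpu_has_aes "${2:-/proc/cpuinfo}" || { echo "software: CPU lacks the aes flag"; return 0; }
    drv=$(best_aes_driver "${3:-/proc/crypto}")
    case "$drv" in
        *aesni*) echo "hardware: $drv" ;;
        *)       echo "software: ${drv:-no aes driver registered}" ;;
    esac
}

# Constructed sample data (not captured from a real machine).
sample_cpuinfo() { printf 'processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n'; }
sample_crypto() {
    printf 'name         : aes\ndriver       : aes-generic\nmodule       : kernel\npriority     : 100\n\n'
    printf 'name         : aes\ndriver       : aes-aesni\nmodule       : kernel\npriority     : 300\n\n'
    printf 'name         : sha256\ndriver       : sha256-generic\nmodule       : kernel\npriority     : 0\n'
}

tmp=$(mktemp -d)
sample_cpuinfo > "$tmp/cpuinfo"; sample_crypto > "$tmp/crypto"
aesni_verdict aes-cbc-essiv:sha256 "$tmp/cpuinfo" "$tmp/crypto"   # cipher string from the thread
rm -rf "$tmp"
```

On a live system, call `aesni_verdict` with only the cipher string so it reads the real `/proc/cpuinfo` and `/proc/crypto`.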

