From owner-freebsd-hackers@FreeBSD.ORG Thu Sep 11 21:33:34 2014 Return-Path: Delivered-To: hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4BA23847 for ; Thu, 11 Sep 2014 21:33:34 +0000 (UTC) Received: from puchar.net (puchar.net [188.252.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C7583931 for ; Thu, 11 Sep 2014 21:33:33 +0000 (UTC) Received: Received: from 127.0.0.1 (localhost [127.0.0.1]) by puchar.net (8.14.9/8.14.9) with ESMTP id s8BLXSiW022578; Thu, 11 Sep 2014 23:33:29 +0200 (CEST) (envelope-from wojtek@puchar.net) X-Authentication-Warning: puchar.net: Host puchar-wojtek.intra [10.0.224.6] claimed to be wojtek.dom Received: from wojtek.dom (localhost [127.0.0.1]) by wojtek.dom (8.14.9/8.14.9) with ESMTP id s8BLXSEG002156; Thu, 11 Sep 2014 23:33:28 +0200 (CEST) (envelope-from wojtek@puchar.net) Received: from localhost (wojtek@localhost) by wojtek.dom (8.14.9/8.14.9/Submit) with ESMTP id s8BLXRRG002153; Thu, 11 Sep 2014 23:33:28 +0200 (CEST) (envelope-from wojtek@puchar.net) X-Authentication-Warning: wojtek.dom: wojtek owned process doing -bs Date: Thu, 11 Sep 2014 23:33:27 +0200 (CEST) From: Wojciech Puchar X-X-Sender: wojtek@wojtek.dom To: John-Mark Gurney Subject: Re: openssl with aes-in or padlock In-Reply-To: <20140911180258.GN82175@funkthat.com> Message-ID: References: <20140911180258.GN82175@funkthat.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (puchar.net [10.0.1.1]); Thu, 11 Sep 2014 23:33:29 +0200 (CEST) Cc: hackers@freebsd.org X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2014 21:33:34 -0000 >> #openssl speed -evp aes-256-cbc > > First off, you won't get much speed up w/ CBC encrypt... Try testing > using aes-256-ctr instead... CBC can't process multiple blocks in > parallel like CTR can... if you measure the cbc _decrypt_ speed, you > should see a big improvement as CBC decrypt can be parallelized... > >> in the same time dd from geli encrypted ramdisk to /dev/null is 66MB/s > > geli uses a different framework for it's crypto processing.. for geli, > make sure you have the aesni kernel module loaded before you attach > to a geli disk... You should get kernel messages like the following: > GEOM_ELI: Device gpt/werner.eli created. > GEOM_ELI: Encryption: AES-XTS 256 > GEOM_ELI: Crypto: hardware yes i have this. contrary to what you say - both AES-XTC and AES-CBC gets MUCH faster with AES-NI. > notice the Crypto: hardware line.. Also, make sure that your geli > sector size is 4k instead of 512... This reduces the loop overhead, as i already said - geli works fast and make use of AES-NI or padlock openssl does not