Ask Your Question

How can I verify that my LUKS will utilize AES-NI encryption support in my system? [closed]

asked 2013-08-02 05:43:31 -0600

none gravatar image

updated 2013-08-06 07:19:34 -0600

My CPU "Intel(R) Core(TM) i7-2677M CPU @ 1.80GHz" has AES flag:

fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer **aes** xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid

I'd like to verify, if it will be truly utilized by luks on my system. So:

1) Should I use benchmark to check it? What results should I expect if I use SSD drive (SanDisk SSD U100 128GB)?

2) If LUKS can't autodetect AES-NI, how to create my LUKS volume, to utilize this instructions?

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by none
close date 2013-10-01 00:52:22.266676

1 Answer

Sort by ยป oldest newest most voted

answered 2013-08-04 07:27:50 -0600

none gravatar image

I will answer my first part of question.

First of all, Fedora kernel has built-in support for AES-NI, so I have to recompile kernel to change this, and compile this as module, to be able to remove it from memory for comarsions.

After upgrading kernel to my custom one (with aes modules loaded) cryptsetup benchmark shows me:

aes-cbc   128b   540.5 MiB/s  1787.0 MiB/s
aes-cbc   256b   402.6 MiB/s  1356.6 MiB/s
aes-xts   256b   736.3 MiB/s   742.3 MiB/s
aes-xts   512b   661.0 MiB/s   664.0 MiB/s

Next I added this two lines to /etc/modprobe.d/aes.conf:

blacklist aesni_intel
blacklist aes_i586

And I rebooted system. (Yes, I installed 32bit system on 64bit CPU.)

After reboot (without aes support in kernel) I got this results for AES:

aes-cbc   128b   114.7 MiB/s   100.0 MiB/s
aes-cbc   256b    86.5 MiB/s    87.5 MiB/s
aes-xts   256b   119.9 MiB/s   115.0 MiB/s
aes-xts   512b    90.5 MiB/s    85.1 MiB/s

So, as you see, Fedora 19 will support your CPU AES-NI extension by default. I have to check, how it will behave, when I will actually encrypt my hdd with and without AES support in kernel, to check if cryptsetup by default use it on my volume or I have to pass additional options.

edit flag offensive delete link more

Question Tools


Asked: 2013-08-02 05:43:31 -0600

Seen: 6,785 times

Last updated: Aug 06 '13