
Linux boot loaders supporting full disk encryption? Data encryption systems LUKS, EncFS and CryptoFS for Linux Encrypting disk partitions using LUKS

In this article I will try to compare the performance of various encryption systems under Linux. In theory, of course, it is known which system is faster, and there have been attempts to calculate the performance of different systems. Truecrypt even contains a built-in benchmark (which, however, measures performance in RAM, so it can only be used to evaluate the speed of the different encryption algorithms). I will do something a little different: I will measure the speed of a file system encrypted by various means, as a percentage of the speed of a regular unencrypted file system.


We will encrypt a separate partition on a separate HDD that does not contain the root file system, using the algorithm that each product uses by default. As an ordinary user, I do not understand the nuances of encryption standards (for example, how RIPEMD-160 hashing differs from Whirlpool, which of these modes is faster, which provides higher protection), so we will simply rely on the makers of each software product having chosen sufficiently strong cryptographic default settings. This may not be entirely fair, since different encryption algorithms do not perform the same. You can of course change the encryption type if you wish, but I am not sure that all the tested products offer an identical set of algorithms. We will test:

3) eCryptfs is the default system offered to Ubuntu users for encrypting home directories, which is why it is included in this test. It works on top of an existing file system and encrypts each file separately, so anyone can see the permissions, modification dates, and the number of encrypted files; by default, file names are also visible, although there is an option to encrypt them. The least effective product of the bunch.

4) EncFS is an approximate analogue of eCryptfs, but uses FUSE.

So, for testing, a separate machine of quite advanced age was allocated in the following configuration: CPU - Intel Celeron 2000Mhz, RAM - 512 Mb DDR PC2700, system HDD - WD Caviar SE 5400 RPM 80Gb, test HDD - WD Caviar SE 7200 RPM 80Gb.
OS - Ubuntu 12.04 LTS, versions of all software current for the repositories of this OS at the time of writing (Truecrypt 7.1a-linux-x86 not from the repositories).

We will test ext4, the default file system for most distributions. To measure performance, we will use the iozone3 utility and a quick-and-dirty shell script that calculates the percentage difference between test runs.

The script used for the calculation. No special attention was paid to code cleanliness; the only criterion when writing it was that it produce the correct result.

```sh
#!/bin/sh

gendifffile () (
    # Generates a file that is convenient to analyze. First, lines that are
    # not subject to analysis are dropped; second, the first two numbers in
    # each line (the file size and the record size) are dropped; third, the
    # whole file is written out one test result per line.
    grep "^[[:space:]]*[[:digit:]]" "$1" |
        awk '{for (i=3;i<=NF;i++) {print $i}}' >> "$2"
)

getline () (
    # Prints line number $2 of file $1.
    head -n "$2" "$1" | tail -n 1
)

compare () (
    # Compares files $1 and $2 line by line, calculating the percentage
    # difference of each pair of tests, then calculates the arithmetic mean
    # of how many percent faster or slower the file containing the first
    # group of tests is than the file containing the second group.
    P=0
    MAX=0
    L1=$(cat "$1" | wc -l)    # number of tests in the file
    L2=$(cat "$2" | wc -l)
    if [ "$L1" -ne "$L2" ]; then
        # The files contain different numbers of tests, so do not compare them.
        echo error
        return
    fi
    STEP=$((L1*5/100))
    J=0
    for I in $(seq 1 "$L1"); do
        J=$((J+1))
        if [ "$J" -eq "$STEP" ]; then
            J=0
            echo "$((100*I/L1))% completed ($I of $L1)"
        fi
        A=$(getline "$1" "$I")
        B=$(getline "$2" "$I")
        if [ "$(echo "$A > $B" | bc -l)" -eq 1 ]; then
            D=$(echo "100-($B*100/$A)" | bc -l)
            if [ "$(echo "$D > $MAX" | bc -l)" -eq 1 ]; then
                MAX=$D
                sleep 5
            fi
        else
            D=$(echo "100-($A*100/$B)" | bc -l)
            if [ "$(echo "$D > $MAX" | bc -l)" -eq 1 ]; then
                MAX=$D
                sleep 5
            fi
            # A "-" sign means this test ran faster in the second file,
            # not in the first.
            D="-$D"
        fi
        P=$(echo "$P+ $D" | bc -l)
    done
    P=$(echo "$P/$L1" | bc -l)    # calculate the arithmetic mean
    echo "PERCENT=$P MAX_PERCENT=$MAX"
)

genaverage () (
    # Generates a file prepared for analysis, each line of which is the
    # arithmetic mean of the corresponding lines of all report files located
    # in the analyzed directory.
    AVG=$(mktemp)
    # Number of report files in the given directory, provided that only such
    # files are stored there and nothing else; this assumption is not checked.
    F=$(ls "$1" | wc -l)
    if [ ! -d "$1" ] || [ "$F" -lt 2 ]; then
        # All messages in this procedure go to stderr, since stdout is
        # substituted into another procedure.
        echo error >/dev/stderr
        rm -f "$AVG"
        exit 1
    fi
    TMP=$(mktemp)
    # For each iozone report file located in the specified directory:
    find "$1" -type f | while read -r FILE; do
        I=$(mktemp)               # temporary file prepared for analysis
        gendifffile "$FILE" "$I"
        echo "$I" >> "$TMP"       # record the names of all such files in TMP
    done
    L=$(cat "$(getline "$TMP" 1)" | wc -l)
    # A few checks wouldn't hurt: do all files contain the same number of tests?
    while read -r LINE; do
        L1=$(cat "$LINE" | wc -l)
        if [ "$L" -ne "$L1" ]; then
            echo error >/dev/stderr
            exit 1
        fi
    done < "$TMP"
    STEP=$((L*5/100))
    J=0
    for I in $(seq 1 "$L"); do
        J=$((J+1))
        if [ "$J" -eq "$STEP" ]; then
            J=0
            echo "$((100*I/L))% completed ($I of $L)" >/dev/stderr
        fi
        # The temporary file is how the value of SUM gets out of the nested loop.
        SUMFILE=$(mktemp)
        SUM=0
        cat "$TMP" | while read -r LINE; do
            SUM=$(($(getline "$LINE" "$I")+SUM))
            echo "$SUM" > "$SUMFILE"
        done
        # Take the arithmetic mean and append it to the AVG file.
        echo "$(tail -n 1 "$SUMFILE")/$F" | bc -l >> "$AVG"
        rm -f "$SUMFILE"
    done
    # Delete the temporary files.
    while read -r LINE; do
        rm -f "$LINE"
    done < "$TMP"
    rm -f "$TMP"
    echo "$AVG"
)

# The listing is cut off at this point; the last surviving fragment is:
# printf %b "\\033)
```
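The metric computed by compare() above can be seen on a small input with the following added example, which is not the author's script: it applies the same signed percentage formula in a single pass with paste and awk instead of re-reading the files for every line. The function names extract_results, compare_reports and demo, the two-decimal output format and the sample reports are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the author's script: same metric as compare(), one pass.

# Print every measurement of an iozone report, one per line, skipping the
# first two columns (file size and record size).
extract_results() {
    awk '/^[ \t]*[0-9]/ { for (i = 3; i <= NF; i++) print $i }' "$1"
}

# compare_reports A B: mean signed percentage difference over all tests.
# Positive means report A was faster, negative means report B was faster.
compare_reports() {
    a=$(mktemp) b=$(mktemp)
    extract_results "$1" > "$a"
    extract_results "$2" > "$b"
    paste "$a" "$b" | awk '
        NF != 2 { bad = 1; exit }          # reports differ in test count
        {
            if ($1 == $2)     d = 0        # equal results, also avoids 0/0
            else if ($1 > $2) d = 100 - $2 * 100 / $1
            else              d = -(100 - $1 * 100 / $2)
            sum += d; n++
            if (d < 0) d = -d
            if (d > max) max = d
        }
        END {
            if (bad || n == 0) { print "error"; exit 1 }
            printf "PERCENT=%.2f MAX_PERCENT=%.2f\n", sum / n, max
        }'
    status=$?
    rm -f "$a" "$b"
    return $status
}

# Constructed sample reports (values in KB/s, not real measurements).
demo() {
    plain=$(mktemp) enc=$(mktemp)
    printf '%s\n' '      KB  reclen   write    read' \
                  '      64       4  100000  200000' \
                  '     128       4   80000  160000' > "$plain"
    printf '%s\n' '      KB  reclen   write    read' \
                  '      64       4   50000  150000' \
                  '     128       4   80000  200000' > "$enc"
    compare_reports "$plain" "$enc"
    rm -f "$plain" "$enc"
}

demo   # prints: PERCENT=13.75 MAX_PERCENT=50.00
```

In the sample, the unencrypted report wins three comparisons by 50, 25 and 0 percent and loses one by 20 percent, so the mean is 13.75 and the largest single difference is 50.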