# Performance comparison with other cryptographic file systems

Here is a quick benchmark to test both file and device encryption methods.

CPU
---

    $ cat /proc/cpuinfo 
    [...]
    model name  : Intel(R) Core(TM) i7-4770S CPU @ 3.10GHz
    [...]
    flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm xsaveopt dtherm ida arat pln pts


   

SSD
===

 Sandisk Extreme SSD 480GB, SDSSDX480GG25, R211, max UDMA/133


Tools
=====


truecrypt 7.1a
-------------------- 
GUI used to setup an encrypted device/partition with AES+SHA512 (instead of default RIPEMD-160). ext4 filesystem used as well.


dm-crypt/cryptsetup 1.7.1
-----------------------
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
https://gitlab.com/cryptsetup/cryptsetup/

    cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdc1
    cryptsetup luksOpen /dev/sdc1 testme
    mkfs.ext4 /dev/mapper/testme
    mount /dev/mapper/testme /mnt/testme

gocryptfs 0.10_rc1-1
-----------------------------
https://github.com/rfjakob/gocryptfs

Later versions of GO make use of the AES-NI instructions, providing a significant performance boost.

    gocryptfs -init /mnt/testme/enc
    gocryptfs -openssl=false/true /mnt/testme/enc /mnt/testme/plain


encFS 1.8.1
----------------
https://vgough.github.io/encfs/

### Standard mode


    encfs /mnt/testme/enc /mnt/testme/plain
    Creating new encrypted volume.
    Please choose from one of the following options:
    enter "x" for expert configuration mode,
    enter "p" for pre-configured paranoia mode,
    anything else, or an empty line will select standard mode.
    ?> 

    Standard configuration selected.

    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 4:0:2
    Key Size: 192 bits
    Block Size: 1024 bytes
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File holes passed through to ciphertext.



### Paranoia mode

Closer to gocryptfs security features.

    encfs /mnt/testme/enc /mnt/testme/plain
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?> p
    
    Paranoia configuration selected.
    
    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 4:0:2
    Key Size: 256 bits
    Block Size: 1024 bytes, including 8 byte MAC header
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File data IV is chained to filename IV.
    File holes passed through to ciphertext.
    
    -------------------------- WARNING --------------------------
    The external initialization-vector chaining option has been
    enabled.  This option disables the use of hard links on the
    filesystem. Without hard links, some programs may not work.
    The programs 'mutt' and 'procmail' are known to fail.  For
    more information, please see the encfs mailing list.
    If you would like to choose another configuration setting,
    please press CTRL-C now to abort and start over.



securefs 0.3.1
-------------------
https://github.com/netheril96/securefs

    ./securefs create /mnt/testme/enc
    ./securefs mount /mnt/testme/enc /mnt/testme/plain

Benchmark
=========

Running on ArchLinux. ext4 filesystem has been used in all cases. 

Following script has been used. Encrypted storage is manualy mounted prior to executing the script.

    #!/bin/bash
    set -eu
    TIME="/usr/bin/time -f %e"
    # Setup
    cd /mnt/testme
    wget -nv --show-progress -c https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.gz
    cd $DIR2
    sync
    # Benchmarks
    echo -n "WRITE: "
    $TIME dd if=/dev/zero of=zero bs=128K count=1000 2>&1 | tail -n 1
    $TIME sync
    rm zero
    sync
    sleep 1
    echo -n "UNTAR: "
    $TIME tar xzf ../linux-3.0.tar.gz
    $TIME sync
    sleep 1
    echo -n "LS:    "
    $TIME ls -lR linux-3.0 > /dev/null
    $TIME sync
    sleep 1
    echo -n "RM:    "
    $TIME rm -Rf linux-3.0
    $TIME sync
   

*Time found in the table is the total time including the time to sync the filesystem and is expressed in seconds.*

|  Tool     | Write 0's | Untar | ls  | rm  |
| ------ | ------ | ------ | ------ | -----: |
|  no encryption |  0.28  |   3.25  | 0.15 | 0.36 |
|  truecrypt (AES/SHA512) |  0.5  |   4.26  | 0.17 | 0.35 |
|  cryptsetup |  0.54  |   4.24  | 0.18 | 0.38 |
|  gocryptfs (openssl=false)  |  1.01  |   9.73  | 0.81 | 2.37 |
|  gocryptfs (openssl=true)  |  1.18  |   11.7  | 0.82 | 2.36 |
|  encfs (standard mode) |  1.1  |   10.25  | 1.36 | 2.06 |
|  encfs (paranoia mode) |  1.67  |   11.96  | 1.37 | 2.07 |
|  securefs |  0.84  |   27.73  | 5.58 | 2.43 |