# Performance comparison with other cryptographic file systems

Here is a quick benchmark to test both file and device encryption methods.

CPU
===

    $ cat /proc/cpuinfo 
    [...]
    model name  : Intel(R) Core(TM) i7-4770S CPU @ 3.10GHz
    [...]
    flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm xsaveopt dtherm ida arat pln pts


   

SSD
===

 Sandisk Extreme SSD 480GB, SDSSDX480GG25, R211, max UDMA/133


Tools
=====


truecrypt 7.1a
--------------

The GUI was used to set up an encrypted device/partition with AES and SHA-512 (instead of the default RIPEMD-160). An ext4 filesystem was used here as well.


dm-crypt/cryptsetup 1.7.1
-------------------------

https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt

https://gitlab.com/cryptsetup/cryptsetup/

    cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdc1
    cryptsetup luksOpen /dev/sdc1 testme
    mkfs.ext4 /dev/mapper/testme
    mount /dev/mapper/testme /mnt/testme

gocryptfs 0.10_rc1-1
-----------------------------
https://github.com/rfjakob/gocryptfs

Later versions of Go make use of the AES-NI instructions, providing a significant performance boost.

    gocryptfs -init /mnt/testme/enc
    # Mounted with -openssl=false for one run and with -openssl=true for the other
    gocryptfs -openssl=false /mnt/testme/enc /mnt/testme/plain


encFS 1.8.1
----------------
https://vgough.github.io/encfs/

### Standard mode


    encfs /mnt/testme/enc /mnt/testme/plain
    Creating new encrypted volume.
    Please choose from one of the following options:
    enter "x" for expert configuration mode,
    enter "p" for pre-configured paranoia mode,
    anything else, or an empty line will select standard mode.
    ?> 

    Standard configuration selected.

    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 4:0:2
    Key Size: 192 bits
    Block Size: 1024 bytes
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File holes passed through to ciphertext.



### Paranoia mode

This mode is closer to the security features of gocryptfs.

    encfs /mnt/testme/enc /mnt/testme/plain
    Creating new encrypted volume.
    Please choose from one of the following options:
     enter "x" for expert configuration mode,
     enter "p" for pre-configured paranoia mode,
     anything else, or an empty line will select standard mode.
    ?> p
    
    Paranoia configuration selected.
    
    Configuration finished.  The filesystem to be created has
    the following properties:
    Filesystem cipher: "ssl/aes", version 3:0:2
    Filename encoding: "nameio/block", version 4:0:2
    Key Size: 256 bits
    Block Size: 1024 bytes, including 8 byte MAC header
    Each file contains 8 byte header with unique IV data.
    Filenames encoded using IV chaining mode.
    File data IV is chained to filename IV.
    File holes passed through to ciphertext.
    
    -------------------------- WARNING --------------------------
    The external initialization-vector chaining option has been
    enabled.  This option disables the use of hard links on the
    filesystem. Without hard links, some programs may not work.
    The programs 'mutt' and 'procmail' are known to fail.  For
    more information, please see the encfs mailing list.
    If you would like to choose another configuration setting,
    please press CTRL-C now to abort and start over.



securefs 0.3.1
-------------------
https://github.com/netheril96/securefs

    ./securefs create /mnt/testme/enc
    ./securefs mount /mnt/testme/enc /mnt/testme/plain

Benchmark
=========

The benchmark was run on Arch Linux. An ext4 filesystem was used in all cases.

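The following script was used. The encrypted storage is manually mounted before the script is executed.

    #!/bin/bash
    set -eu
    TIME="/usr/bin/time -f %e"
    # DIR2: directory on the filesystem under test, one level below /mnt/testme
    # (assumed here to be given as the first argument)
    DIR2="${1:?usage: $0 <directory under /mnt/testme>}"
    # Setup: fetch the kernel tarball next to the test directory
    cd /mnt/testme
    wget -nv --show-progress -c https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.tar.gz
    cd "$DIR2"
    sync
    # Benchmarks: each step prints its own time, then the time of the following sync
    echo -n "WRITE: "
    $TIME dd if=/dev/zero of=zero bs=128K count=1000 2>&1 | tail -n 1
    $TIME sync
    rm zero
    sync
    sleep 1
    echo -n "UNTAR: "
    $TIME tar xzf ../linux-3.0.tar.gz
    $TIME sync
    sleep 1
    echo -n "LS:    "
    $TIME ls -lR linux-3.0 > /dev/null
    $TIME sync
    sleep 1
    echo -n "RM:    "
    $TIME rm -Rf linux-3.0
    $TIME sync
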

*Times in the table are expressed in seconds and are total times, including the time to sync the filesystem.*

|  Tool     | Write 0's | Untar | ls  | rm  |
| ------ | ------ | ------ | ------ | -----: |
|  no encryption |  0.28  |   3.25  | 0.15 | 0.36 |
|  truecrypt (AES/SHA512) |  0.5  |   4.26  | 0.17 | 0.35 |
|  cryptsetup |  0.54  |   4.24  | 0.18 | 0.38 |
|  gocryptfs (openssl=false)  |  1.01  |   9.73  | 0.81 | 2.37 |
|  gocryptfs (openssl=true)  |  1.18  |   11.7  | 0.82 | 2.36 |
|  encfs (standard mode) |  1.1  |   10.25  | 1.36 | 2.06 |
|  encfs (paranoia mode) |  1.67  |   11.96  | 1.37 | 2.07 |
|  securefs |  0.84  |   27.73  | 5.58 | 2.43 |
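
The benchmark script prints each step's time and the time of the following `sync` on separate lines, while the table reports their sum. The helper below is an added example, not part of the original page: it reads the script's combined stdout and stderr and prints one total per step. The function names and the sample output are constructed for illustration; only the totals of the sample are taken from the table's "no encryption" row, the split between step and sync is invented.

```shell
#!/bin/bash
# Added example: turn the benchmark script's raw output into per-step totals.
# Intended use (bench.sh is a hypothetical file name for the script above):
#   ./bench.sh plain 2>&1 | bench_totals

bench_totals() {
    awk '
        # A labelled line such as "WRITE: 0.21" starts a new step.
        /^[A-Z]+:/ {
            if (label != "") printf "%s %.2f\n", label, total
            label = $1
            sub(/:$/, "", label)
            total = $2 + 0
            next
        }
        # A bare number is the sync time that belongs to the current step.
        /^[0-9]+(\.[0-9]+)?$/ { total += $1; next }
        # Anything else (for example wget progress output) is ignored.
        END { if (label != "") printf "%s %.2f\n", label, total }
    '
}

# Constructed sample output: the step/sync split is invented, the sums
# equal the "no encryption" row of the table (0.28, 3.25, 0.15, 0.36).
sample_output() {
    cat <<'EOF'
WRITE: 0.21
0.07
UNTAR: 3.10
0.15
LS:    0.14
0.01
RM:    0.33
0.03
EOF
}

sample_output | bench_totals
```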