Other Performance of GELI

[Stefan]

Hi,

I recently switched my home server from Linux/CentOS installation to freebsd FreeBSD (10). I made a full encrypted environment using GELI. Now my problem is the encryption performance. I made some tests with all available cipher/key settings, no one provided better transfer rates than 60 MB/s. With Linux I got 126 MB/s (the same speed as writing to the disk without encryption (SSD, SATA 2)). I tested with dd and wrote directly to the .eli device. My CPU is pretty old, without AES-NI. (AMD quadcore ~3.5 GHz).

Are there any tuning options with which I can achieve better performance? On other servers (in the company) with AES-NI capable CPUs there are no performance hits.

lg

 

[Martillo1]

What encryption did you use in CentOS?

 

[Stefan]

I used dm-crypt with LUKS in aes-xts-plain64 mode with a 256 bit key.

 

[Martillo1]

What filesystem are you using on top of geli?

 

[Stefan]

I wrote directly to the .eli file.

Plain SSD without encryption:

[root@waltero ~]# gdd if=/dev/zero bs=64k of=/dev/ada0
^C29417+0 records in
29416+0 records out
1927806976 bytes (1.9 GB) copied, 12.9484 s, 149 MB/s

SSD with GELI:

[root@waltero ~]# geli onetime -e aes-xts -l 256 -s 4096 /dev/ada0
[root@waltero ~]# gdd if=/dev/zero bs=64k of=/dev/ada0.eli
^C35400+0 records in
35400+0 records out
2319974400 bytes (2.3 GB) copied, 44.171 s, 52.5 MB/s

Encryption speed with openssl:

[root@waltero ~]# gdd if=/dev/zero bs=64k |openssl enc -aes-256-cbc >/dev/null
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
^C71119+0 records in
71118+0 records out
4660789248 bytes (4.7 GB) copied, 33.0321 s, 141 MB/s

 

[Martillo1]

Why don't you use a stream from /dev/random instead of /dev/zero and check if the same happens? Just curious.

And you could try setting a filesystem as well.

 

[Stefan]

/dev/random can't deliver more than ~60 MB/s on my system.

For testing I created a zpool on top of the .eli device, the results are interesting:

[root@waltero ~]# geli onetime -e aes-xts -l 256 -s 4096 /dev/ada0
[root@waltero ~]# zpool create mypool /dev/ada0.eli
[root@waltero ~]# zfs create mypool/test
[root@waltero ~]# gdd if=/dev/zero bs=64k of=/mypool/test/test.dd
^C1328321+0 records in
1328321+0 records out
87052845056 bytes (87 GB) copied, 420.128 s, 207 MB/s

I wrote 87 GB to eliminate the risk of zfs caching to interfere with my results.

Here my zpool I/O statistics:

[root@waltero ~]# zpool iostat -v mypool
  capacity  operations  bandwidth
pool  alloc  free  read  write  read  write
----------  -----  -----  -----  -----  -----  -----
mypool  36.8G  82.2G  1  1.61K  76.7K  202M
  ada0.eli  36.8G  82.2G  1  1.61K  76.7K  202M
----------  -----  -----  -----  -----  -----  -----

Next I created an UFS on top of the encrypted device. Here I can also achieve more than 200 MB/s

[root@waltero ~]# gdd if=/dev/zero bs=64k of=/mnt/test.dd
^C479239+0 records in
479239+0 records out
31407407104 bytes (31 GB) copied, 144.88 s, 217 MB/s

For me the problem is solved, but I'm really interested in an explanation. Direct I/O on the .eli is still slow.

 

[Martillo1]

I am glad you are satisfied with the performance. As for an explanation, I am intrigued too.

 

[kpa]

As far as I know the raw devices in FreeBSD have no builtin buffering at all. The filesystems that use the devices are expected to implement their own buffering which is what ZFS and UFS do.

 

[asteriskRoss]

You might find it useful to look in the benchmarks/* ports. One of the tools there might models the typical file system access for your machine better than a single sequential write using dd. Perhaps something like benchmarks/bonnie++, benchmarks/postmark or benchmarks/blogbench?