The document discusses methods to improve Linux disk encryption performance while maintaining security, focusing on different layers of encryption like storage hardware, block layer, filesystem layer, and application layer. It highlights the trade-offs between complexity, configuration, and speed for each method and offers insights into real-world testing and potential optimizations including algorithm selection and modifications to the dm-crypt module. The author emphasizes that while encryption can impact performance, modern cryptographic techniques can be efficient, especially with specific implementations like aes-xts.

1. Speeding Up Linux Disk Encryption
Ignat Korchagin
@ignatkn

2. @ignatkn
$ whoami
● Performance and security at Cloudflare
● Passionate about security and crypto
● Enjoy low level programming

3. Encrypting data at rest

4. @ignatkn
The storage stack
applications

5. @ignatkn
The storage stack
filesystems
applications

6. @ignatkn
The storage stack
block subsystem
filesystems
applications

7. @ignatkn
The storage stack
storage hardware
block subsystem
filesystems
applications

8. @ignatkn
Encryption at rest layers
storage hardware
block subsystem
filesystems
applications
SED, OPAL

9. @ignatkn
Encryption at rest layers
storage hardware
block subsystem
filesystems
applications
SED, OPAL
LUKS/dm-crypt,
BitLocker,
FileVault

10. @ignatkn
Encryption at rest layers
storage hardware
block subsystem
filesystems
applications
SED, OPAL
LUKS/dm-crypt,
BitLocker,
FileVault
ecryptfs,
ext4 encryption
or fscrypt

11. @ignatkn
Encryption at rest layers
storage hardware
block subsystem
filesystems
applications
SED, OPAL
LUKS/dm-crypt,
BitLocker,
FileVault
ecryptfs,
ext4 encryption
or fscrypt
DBMS, PGP,
OpenSSL,
Themis

12. @ignatkn
Storage hardware encryption
Pros:
● it’s there
● little configuration needed
● fully transparent to applications
● usually faster than other layers

13. @ignatkn
Storage hardware encryption
Pros:
● it’s there
● little configuration needed
● fully transparent to applications
● usually faster than other layers
Cons:
● no visibility into the implementation
● no auditability
● sometimes poor security
https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071

14. @ignatkn
Block layer encryption
Pros:
● little configuration needed
● fully transparent to applications
● open, auditable

15. @ignatkn
Block layer encryption
Pros:
● little configuration needed
● fully transparent to applications
● open, auditable
Cons:
● requires somewhat specialised crypto
● performance issues
● encryption keys in RAM

16. @ignatkn
Filesystem layer encryption
Pros:
● somewhat transparent to applications
● open, auditable
● more fine-grained
● more choice of crypto + potential integrity support

17. @ignatkn
Filesystem layer encryption
Pros:
● somewhat transparent to applications
● open, auditable
● more fine-grained
● more choice of crypto + potential integrity support
Cons:
● performance issues
● encryption keys in RAM
● complex configuration
● unencrypted metadata

18. @ignatkn
Application layer encryption
Pros:
● open, auditable
● fine-grained
● full crypto flexibility

19. @ignatkn
Application layer encryption
Pros:
● open, auditable
● fine-grained
● full crypto flexibility
Cons:
● encryption keys in RAM
● requires explicit support in code and configuration
● unencrypted metadata
● full crypto flexibility

20. LUKS/dm-crypt

21. @ignatkn
Device mapper in Linux
applications

22. @ignatkn
Device mapper in Linux
applications
filesystems
xfs vfatext4
file I/O

23. @ignatkn
Device mapper in Linux
applications
block device drivers
nvme brdscsi
filesystems
xfs vfatext4
file I/O
block I/O

24. @ignatkn
Device mapper in Linux
applications
block device drivers
nvme brdscsi
filesystems
xfs vfatext4
device mapper
dm-crypt dm-mirrordm-raid
file I/O
block I/O
block I/O

25. @ignatkn
Device mapper in Linux
applications
block device drivers
nvme brdscsi
filesystems
xfs vfatext4
device mapper
dm-crypt dm-mirrordm-raid
file I/O
block I/O
block I/O

26. @ignatkn
dm-crypt (idealized)
filesystem
block device drivers

27. @ignatkn
dm-crypt (idealized)
filesystem
dm-crypt
block device drivers

28. @ignatkn
dm-crypt (idealized)
filesystem
dm-crypt
block device drivers
encrypt
write BIO
encrypted BIO

29. @ignatkn
dm-crypt (idealized)
filesystem
dm-crypt
block device drivers
encrypt decrypt
write BIO read BIO
encrypted BIOs

30. @ignatkn
dm-crypt (idealized)
filesystem
dm-crypt
block device drivers
encrypt decrypt
Linux
Crypto API
write BIO read BIO
encrypted BIOs

31. dm-crypt benchmarking

32. @ignatkn
Test setup: RAM-based encrypted disk
$ sudo modprobe brd rd_nr=1 rd_size=4194304

33. @ignatkn
Test setup: RAM-based encrypted disk
$ sudo modprobe brd rd_nr=1 rd_size=4194304
$ fallocate -l 2M crypthdr.img

34. @ignatkn
Test setup: RAM-based encrypted disk
$ sudo modprobe brd rd_nr=1 rd_size=4194304
$ fallocate -l 2M crypthdr.img
$ sudo cryptsetup luksFormat /dev/ram0 --header
crypthdr.img

35. @ignatkn
Test setup: RAM-based encrypted disk
$ sudo modprobe brd rd_nr=1 rd_size=4194304
$ fallocate -l 2M crypthdr.img
$ sudo cryptsetup luksFormat /dev/ram0 --header
crypthdr.img
$ sudo cryptsetup open --header crypthdr.img
/dev/ram0 encrypted-ram0

36. @ignatkn
test storage stack
Test storage stack
/dev/ram0

37. @ignatkn
test storage stack
Test storage stack
/dev/ram0
/dev/mapper/encrypted-ram0

38. @ignatkn
test storage stack
Test storage stack
/dev/ram0
/dev/mapper/encrypted-ram0
no filesystem

39. @ignatkn
test storage stack
Test storage stack
/dev/ram0
/dev/mapper/encrypted-ram0
no filesystemEncrypted
R/W

40. @ignatkn
test storage stack
Test storage stack
/dev/ram0
/dev/mapper/encrypted-ram0
no filesystemEncrypted
R/W
Unencrypted
R/W

41. @ignatkn
Test setup: sequential reads
$ sudo fio --filename=/dev/ram0
--readwrite=readwrite --bs=4k --direct=1
--loops=1000000 --name=plain

42. @ignatkn
Test setup: sequential reads
$ sudo fio --filename=/dev/ram0
--readwrite=readwrite --bs=4k --direct=1
--loops=1000000 --name=plain
...
READ: io=21013MB, aggrb=1126.5MB/s
WRITE: io=21023MB, aggrb=1126.1MB/s

43. @ignatkn
Test setup: sequential reads
$ sudo fio
--filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1
--loops=1000000 --name=crypt

44. @ignatkn
Test setup: sequential reads
$ sudo fio
--filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1
--loops=1000000 --name=crypt
...
READ: io=1693.7MB, aggrb=150874KB/s
WRITE: io=1696.4MB, aggrb=151170KB/s

45. @ignatkn
Test setup: sequential reads
$ sudo fio
--filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1
--loops=1000000 --name=crypt
...
READ: io=1693.7MB, aggrb=150874KB/s
WRITE: io=1696.4MB, aggrb=151170KB/s
~7x
slower!

46. @ignatkn
Test setup: sequential reads
$ sudo cryptsetup benchmark -c aes-xts
# Tests are approximate using memory only (no
storage IO).
# Algorithm | Key | Encryption | Decryption
aes-xts 256b 1823.1 MiB/s 1900.3 MiB/s

47. @ignatkn
Test setup: sequential reads
$ sudo cryptsetup benchmark -c aes-xts
# Tests are approximate using memory only (no
storage IO).
# Algorithm | Key | Encryption | Decryption
aes-xts 256b 1823.1 MiB/s 1900.3 MiB/s
desired: ~696 MB/s, actual: ~294 MB/s

48. @ignatkn
We tried...
● switching to different cryptographic algorithms
○ aes-xts seems to be the fastest (at least on x86)

49. @ignatkn
We tried...
● switching to different cryptographic algorithms
○ aes-xts seems to be the fastest (at least on x86)
● experimenting with dm-crypt optional flags
○ “same_cpu_crypt” and “submit_from_crypt_cpus”

50. @ignatkn
We tried...
● switching to different cryptographic algorithms
○ aes-xts seems to be the fastest (at least on x86)
● experimenting with dm-crypt optional flags
○ “same_cpu_crypt” and “submit_from_crypt_cpus”
● trying filesystem-level encryption
○ much slower and potentially less secure

51. @ignatkn
Despair

52. @ignatkn
Ask the community
“If the numbers disturb you, then this is from lack of
understanding on your side. You are probably unaware
that encryption is a heavy-weight operation...“
https://www.spinics.net/lists/dm-crypt/msg07516.html

53. @ignatkn
But actually...
“Using TLS is very cheap, even at the scale of Cloudflare.
Modern crypto is very fast, with AES-GCM and P256
being great examples.”
https://blog.cloudflare.com/how-expensive-is-crypto-anyway/

54. @ignatkn
dm-crypt: life of an encrypted BIO request
block device drivers
filesystem

55. @ignatkn
Crypto APIdm-crypt
dm-crypt: life of an encrypted BIO request
block device drivers
filesystem

56. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
kcryptd
write
dm-crypt: life of an encrypted BIO request

57. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd
write
dm-crypt: life of an encrypted BIO request

58. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd
write
write_tree
dm-crypt: life of an encrypted BIO request

59. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd
dmcrypt_write
write
write_tree
dm-crypt: life of an encrypted BIO request

60. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd
dmcrypt_write
write
write_tree
dm-crypt: life of an encrypted BIO request

61. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

62. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

63. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

64. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

65. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

66. @ignatkn
queues vs latency
“A significant amount of tail latency is
due to queueing effects”
https://www.usenix.org/conference/srecon19asia/presentation/plenz

67. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

68. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

69. @ignatkn
dm-crypt: git archeology
● kcryptd was there from the beginning (2005)
○ only for reads: “it would be very unwise to do decryption in an
interrupt context”

70. @ignatkn
dm-crypt: git archeology
● kcryptd was there from the beginning (2005)
○ only for reads: “it would be very unwise to do decryption in an
interrupt context”
● some queuing was added to reduce kernel stack
usage (2006)

71. @ignatkn
dm-crypt: git archeology
● kcryptd was there from the beginning (2005)
○ only for reads: “it would be very unwise to do decryption in an
interrupt context”
● some queuing was added to reduce kernel stack
usage (2006)
● offload writes to thread and IO sorting (2015)
○ for spinning disks, but “may improve SSDs”
○ mentions CFQ scheduler, which is deprecated

72. @ignatkn
dm-crypt: git archeology
● kcryptd was there from the beginning (2005)
○ only for reads: “it would be very unwise to do decryption in an
interrupt context”
● some queuing was added to reduce kernel stack
usage (2006)
● offload writes to thread and IO sorting (2015)
○ for spinning disks, but “may improve SSDs”
○ mentions CFQ scheduler, which is deprecated
● commits to optionally revert some queuing
○ “same_cpu_crypt” and “submit_from_crypt_cpus” option flags

73. @ignatkn
dm-crypt: things to reconsider
● most code was added with spinning disks in mind
○ disk IO latency >> scheduling latency

74. @ignatkn
dm-crypt: things to reconsider
● most code was added with spinning disks in mind
○ disk IO latency >> scheduling latency
● sorting BIOs in dm-crypt probably violates “do one
thing and do it well” Unix principle
○ the task for the IO scheduler

75. @ignatkn
dm-crypt: things to reconsider
● most code was added with spinning disks in mind
○ disk IO latency >> scheduling latency
● sorting BIOs in dm-crypt probably violates “do one
thing and do it well” Unix principle
○ the task for the IO scheduler
● kcryptd may be redundant as modern Linux Crypto
API is asynchronous by itself
○ remove offloading the offload

76. @ignatkn
dm-crypt: cleanup

77. @ignatkn
Crypto APIdm-crypt
block device drivers
filesystem
cryptd
kcryptd_io
kcryptd
dmcrypt_write
write
read
write_tree
dm-crypt: life of an encrypted BIO request

78. @ignatkn
dm-crypt (synchronous)
filesystem
dm-crypt
block device drivers
encrypt decrypt
write BIO read BIO
encrypted BIOs

79. @ignatkn
dm-crypt (synchronous)
filesystem
dm-crypt
block device drivers
encrypt decrypt
Sync Linux
Crypto API
write BIO read BIO
encrypted BIOs

80. @ignatkn
dm-crypt: removing queues
● dm-crypt module: a simple patch, which bypasses all
queues/async threads based on a new runtime flag

81. @ignatkn
dm-crypt: removing queues
● dm-crypt module: a simple patch, which bypasses all
queues/async threads based on a new runtime flag
● Linux Crypto API is a bit more complicated
○ by default specific implementation is selected dynamically based
on priority
○ aes-ni synchronous implementation is marked as “internal”
○ aes-ni (FPU) is not usable in some interrupt contexts

82. @ignatkn
dm-crypt: removing queues
● dm-crypt module: a simple patch, which bypasses all
queues/async threads based on a new runtime flag
● Linux Crypto API is a bit more complicated
○ by default specific implementation is selected dynamically based
on priority
○ aes-ni synchronous implementation is marked as “internal”
○ aes-ni (FPU) is not usable in some interrupt contexts
● xtsproxy: a dedicated synchronous aes-xts module

83. @ignatkn
xtsproxy crypto API module
aes-xts proxy

84. @ignatkn
xtsproxy crypto API module
aes-xts proxy
Is FPU
available?

85. @ignatkn
xtsproxy crypto API module
aes-xts proxy
Is FPU
available?
__xts-aes-aesni
yes

86. @ignatkn
xtsproxy crypto API module
aes-xts proxy
Is FPU
available?
__xts-aes-aesni xts(ecb(aes-generic))
yes no

87. @ignatkn
xtsproxy crypto API module
aes-xts proxy
Is FPU
available?
__xts-aes-aesni xts(ecb(aes-generic))
yes no

88. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt

89. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt
$ sudo modprobe xtsproxy

90. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt
$ sudo modprobe xtsproxy
$ sudo dmsetup table encrypted-ram0 --showkeys | sed
's/aes-xts-plain64/capi:xts-aes-xtsproxy-plain64/' | sed
's/$/ 1 force_inline/' | sudo dmsetup reload
encrypted-ram0

91. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt
$ sudo modprobe xtsproxy
$ sudo dmsetup table encrypted-ram0 --showkeys | sed
's/aes-xts-plain64/capi:xts-aes-xtsproxy-plain64/' | sed
's/$/ 1 force_inline/' | sudo dmsetup reload
encrypted-ram0

92. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt
$ sudo modprobe xtsproxy
$ sudo dmsetup table encrypted-ram0 --showkeys | sed
's/aes-xts-plain64/capi:xts-aes-xtsproxy-plain64/' | sed
's/$/ 1 force_inline/' | sudo dmsetup reload
encrypted-ram0

93. @ignatkn
Test setup: sequential IO
$ sudo fio --filename=/dev/mapper/encrypted-ram0
--readwrite=readwrite --bs=4k --direct=1 --loops=1000000
--name=crypt
$ sudo modprobe xtsproxy
$ sudo dmsetup table encrypted-ram0 --showkeys | sed
's/aes-xts-plain64/capi:xts-aes-xtsproxy-plain64/' | sed
's/$/ 1 force_inline/' | sudo dmsetup reload
encrypted-ram0
$ sudo dmsetup suspend encrypted-ram0 && sudo dmsetup
resume encrypted-ram0

94. @ignatkn
ramdisk: read throughput

95. @ignatkn
ramdisk: write throughput

96. @ignatkn
ssd: IO latency (iowait) ● ssd disk
● dm-crypt device

97. @ignatkn
ssd: IO latency (iowait)
inline enabled
● ssd disk
● dm-crypt device

98. @ignatkn
Cloudflare cache impact

99. @ignatkn
Cloudflare cache impact
● unencrypted
● encrypted
● encrypted with patched dm-crypt

100. Conclusions

101. @ignatkn
Conclusions
● a simple patch which may improve dm-crypt
performance by 200%-300%
○ fully compatible with stock Linux dm-crypt
○ can be enabled/disabled in runtime without service disruption

102. @ignatkn
Conclusions
● a simple patch which may improve dm-crypt
performance by 200%-300%
○ fully compatible with stock Linux dm-crypt
○ can be enabled/disabled in runtime without service disruption
● modern crypto is fast and cheap
○ performance degradation is likely elsewhere

103. @ignatkn
Conclusions
● a simple patch which may improve dm-crypt
performance by 200%-300%
○ fully compatible with stock Linux dm-crypt
○ can be enabled/disabled in runtime without service disruption
● modern crypto is fast and cheap
○ performance degradation is likely elsewhere
● extra queuing may be harmful on modern low
latency storage

104. @ignatkn
Caveats and future work
● the patch improves performance on small block
size/high IOPS workloads
○ >2MB block size shows worse performance

105. @ignatkn
Caveats and future work
● the patch improves performance on small block
size/high IOPS workloads
○ >2MB block size shows worse performance
● the whole setup assumes hardware-accelerated
crypto
○ xtsproxy supports x86 only

106. @ignatkn
Caveats and future work
● the patch improves performance on small block
size/high IOPS workloads
○ >2MB block size shows worse performance
● the whole setup assumes hardware-accelerated
crypto
○ xtsproxy supports x86 only
● your mileage may vary
○ always measure and compare before deployment
○ let us know the results

107. @ignatkn
Links
● https://gitlab.com/cryptsetup/cryptsetup
● http://man7.org/linux/man-pages/man8/dmsetup.8.html
● https://blog.cloudflare.com/speeding-up-linux-disk-encryption
● https://github.com/cloudflare/linux

108. Questions?