[arizonagroovejet]

Is there a way to use luks encryption with a Pogoplug E02 without hugely reducing data write speed?

I've tried encrypting partitions on the same USB flash drive with aes-xts-plain64, aes-xts-plain and aes-cbc-plain and tested copying a 650MB iso to them. With aes-xts-plain64 it takes about 1:45. With aes-xts-plain about 1:50 and with aes-cbc-plain about 2:10. Copying to a non-luks partition on the same drive takes only 0:57. This is just a trial of using luks, in practice I'd be dealing with up to 1TB and the write speeds I'm getting with luks would be almost impractical.

I've found some hints that it's possible to offload crypto stuff to the hardware, but what I've not found is any clear write up of how one does that. Until now I've only dealt with luks on modern Intel hardware where I just use whatever the defaults are and performance doesn't obviously suck as result.

[WarheadsSE]

Considering that the E02 family only have USB2 speeds, lets have a look at a few things:

1) where are you getting the ISO from?
2) The maximum speed of all communiciations is 480 Mbps, or 60MB/s.
3) Any use by any other device on the USB bus will cut into that 60MB/s
4) Normally, without encryption, I can hit maximum speed of ~20MB/s sending a file to that flash drive over the network.

Now, 650MB / 20MB/s should cap around 32 seconds, but in reality, it tends to fluctuate for me, so let us call it an even 40 seconds. Based on those numbers, you're hitting a 50-100% hit due to encryption, which is CPU bound, with a small amount of memory contention while we're at it. Please also check your CPU, IO and memory load while you're running these tests.

To be fair, I am not familiar with using cryptodev with LUKS myself, or even LUKS for that matter.

$this->bbcode_second_pass_quote('WarheadsSE', '
')1) where are you getting the ISO from?

[moonman]

1. Just a small correction to max USB 2.0 speed, it is ~30MB/s max because of half duplex. Only usb 3.0 and up is full duplex.
2. I believe it is just a matter of loading marell_cesa module to get the hardware encryption to work. You have to be using linux-kirkwood-dt kernel though as this module is only available and works with a dt enabled kernel. It may not be any faster though, but will offload the cpu for other tasks

[WarheadsSE]

@moonman Nice catch. You're right, and that throws _all_ of my numbers out the window as 2x larger than they should be.

Copying from one drive to the other over USB without encryption should be checked, and then the metrics adjusted for that fact.

[arizonagroovejet]

$this->bbcode_second_pass_quote('WarheadsSE', 'C')opying from one drive to the other over USB without encryption should be checked, and then the metrics adjusted for that fact.

[WarheadsSE]

Ah, your wording didn't lead me to think you were crossing devices, just within the same disk.

[arizonagroovejet]

I install linux-kirkwood-dt and got this message.
$this->bbcode_second_pass_quote('', '*')*********************************************************************
WARNING! This kernel package will NOT boot without user intervention.

A Kirkwood Flattened Device Tree supporting zImage is
placed in /boot and all mainline supported .dtb and .dts
files are in /boot/dtb for you to prep as appropriate.

Depending on your particular device, you may need to upgrade
your installed U-Boot version, and/or modify your boot env.
Some platforms may need to append the appropriate .dtb to the
end of the zImage and make a uImage from the resulting blob.

If you are not familiar with the care and feeding of a DT
enabled kernel for your device, uninstall this package and
continue to use linux-kirkwood for now.
**********************************************************************

[moonman]

Just make sure you have uboot-pogo_e02 installed and flashed, it will ak you during installation say y to flash. After that dt kernel will just work. It may work with your current uboot installation, if you just installed archlinuxarrm for the first time recently, but it's better to have the latest

[arizonagroovejet]

Well I installed uboot-pogo_e02, rebooted and I'm running a different kernel now, though don't know how to confirm it's the -dt one.

Before reboot I had
$this->bbcode_second_pass_code('', 'Linux alarm 4.4.38-1-ARCH #1 PREEMPT Sat Dec 10 21:36:23 MST 2016 armv5tel GNU/Linux')
Now I have
$this->bbcode_second_pass_code('', 'Linux alarm 4.9.0-1-ARCH #1 PREEMPT Thu Dec 15 07:55:06 MST 2016 armv5tel GNU/Linux')
And also
$this->bbcode_second_pass_code('', '[root@alarm ~]# lsmod | grep cesa
marvell_cesa 26559 2
[root@alarm ~]# ')
So I re-did my speed tests. aes-xts-plain64 and aes-xts-plain are no faster. The time for aes-cbc-plain has come down to about 1:22, though, which is potentially useful since it's now faster than aes-xts-plain64 and aes-xts-plain. Is there perhaps something that would be quicker. I can't find any info on what the hardware supports.