On Fri, Feb 24, 2012 at 09:18:58AM +0100, Milan Broz spake thusly:
> RHEL5 uses old dmcrypt code which is stable but has known
> limitations.

Aside from being single-threaded (not the problem in our case) what are the limitations? My extensive googling hasn't turned up anything relevant short of reading large amounts of the dm-crypt list archive.

> The last change in RHEL was backporting support for XTS mode.

I can't find any good info on exactly what this is but I wonder if it is related to block size since.

One thing I have been wondering about is block size and CBC. mysqldump is probably doing a lot of tiny reads. Just how much data does dm-crypt have to read to pull a single piece of data from the disk? Could the use of cipher block chaining be causing it to read a lot more than it otherwise would so it can decrypt the piece of data that it needs?

I have a basic crypto education (university class, read Applied Cryptography, used it plenty as a sysadmin/security guy) but don't know the details of how the IV is generated from the previous block in dm-crypt. It looks like XTC mode uses the sector number as IV which might result in reading less data. Perhaps I should try ECB mode instead of my current:

Cipher mode: cbc-essiv:sha256

> Also please note that this is exactly where RHEL customer
> requests help - and there were no such requests.
> So other things get priority.

We have RHEL also and can deploy this solution on RHEL and run the question by RedHat if it comes to that, no problem. But it will likely still be on RHEL5. However, this allows me to make a good argument for getting things upgraded to RHEL6.

> So if you are using CentOS my advice is simple - try to upgrade
> to CentOS6 and test it. It should be in some aspect better but still
> database performance over dmcrypt can have problems.

I'll try an ECB mode (I am aware of the cryptographic downside as far as identical plaintext blocks go) just to see if that is the issue.
Then I'll try RHEL/CentOS 6 and XTC. Thanks!

--
Tracy Reed
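An added example, not part of the original message or of dm-crypt's code: a sketch of how a `cbc-essiv:sha256` layout derives each sector's IV from the sector number, so CBC chaining restarts at every 512-byte sector and a small read only needs the sector it touches. A SHA-256 Feistel toy cipher stands in for AES (an assumption, so the sketch runs on the standard library alone); the function names and sample key are constructed.

```python
import hashlib, struct

SECTOR = 512   # each 512-byte sector is encrypted independently
BLOCK = 16     # cipher block size, as for AES

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key, block):
    # 4-round Feistel network: stand-in for AES, NOT a secure cipher.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def toy_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def essiv_iv(key, sector):
    salt = hashlib.sha256(key).digest()   # "essiv:sha256": salt = H(key)
    # IV = E_salt(sector number, little-endian, zero-padded to one block)
    return toy_encrypt(salt, struct.pack("<Q", sector) + bytes(8))

def encrypt_sector(key, sector, plain):
    prev, out = essiv_iv(key, sector), b""
    for i in range(0, SECTOR, BLOCK):     # CBC chain stays inside the sector
        prev = toy_encrypt(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return out

def decrypt_sector(key, sector, ct):
    prev, out = essiv_iv(key, sector), b""
    for i in range(0, SECTOR, BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(toy_decrypt(key, blk), prev)
        prev = blk
    return out

def demo():
    key = b"constructed-demo-key"
    plain = b"A" * SECTOR                 # constructed sample data
    disk = [encrypt_sector(key, n, plain) for n in range(4)]
    alone = decrypt_sector(key, 2, disk[2]) == plain  # only sector 2 is read
    distinct = len(set(disk)) == 4        # same plaintext, different ciphertext
    ecb = {toy_encrypt(key, plain[i:i + BLOCK]) for i in range(0, SECTOR, BLOCK)}
    return alone, distinct, len(ecb) == 1  # ECB repeats identical blocks

if __name__ == "__main__":
    print(demo())
```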