Hi Mike,

unless you are a crypto-expert, go with the cryptsetup
defaults. For not too old versions, these are aes-xts-plain64
for LUKS and PBKDF2-sha1 for the key protection (no, SHA-1 is
not insecure when used like here...).

Regards,
Arno

On Fri, Sep 25, 2015 at 19:33:16 CEST, Mike Nagie wrote:
> Hi all,
>
> I'm going to reinstall my ArchLinux and I thought I would try encrypting
> my home folder with dm-crypt.
> I read this and ArchWiki several times, but I'm still so confused.
> I'd like to keep my system as fast as possible, sooo here are my
> benchmark results:
>
> PBKDF2-sha1       644088 iterations per second
> PBKDF2-sha256     391259 iterations per second
> PBKDF2-sha512     321254 iterations per second
> PBKDF2-ripemd160  410241 iterations per second
> PBKDF2-whirlpool  151703 iterations per second
> #  Algorithm | Key |  Encryption |  Decryption
>      aes-cbc   128b   124.2 MiB/s   143.3 MiB/s
>  serpent-cbc   128b    49.9 MiB/s   194.5 MiB/s
>  twofish-cbc   128b   112.4 MiB/s   211.2 MiB/s
>      aes-cbc   256b    96.4 MiB/s   107.1 MiB/s
>  serpent-cbc   256b    49.9 MiB/s   194.2 MiB/s
>  twofish-cbc   256b   112.4 MiB/s   210.9 MiB/s
>      aes-xts   256b   141.5 MiB/s   143.3 MiB/s
>  serpent-xts   256b   201.1 MiB/s   191.4 MiB/s
>  twofish-xts   256b   207.9 MiB/s   209.1 MiB/s
>      aes-xts   512b   108.5 MiB/s   106.2 MiB/s
>  serpent-xts   512b   200.1 MiB/s   191.5 MiB/s
>  twofish-xts   512b   207.8 MiB/s   209.3 MiB/s
>
> So first thing: this is a 1TiB HDD. Do I need plain64? Or are there any
> drawbacks?
>
> Second: Everybody talks about the aes. It seems the twofish is faster
> here. Does this really matter? I mean this is a HDD, I guess it never
> does anything at that pace. (207MiB/s)
>
> Third: Since xts is supposed to be safer I think it's justified.
>
> Fourth: Key size. I'm totally lost. Why is 512b (even though it's split
> to 256) faster than the others? I'm sure something is not right with my theory,
> else who would use 256b?! Are encrypted files bigger with 512b or
> what is the point here?
>
> Fifth: Hash: I'm thinking about sha256.
>
> Sixth: iteration time. I misunderstood the benchmark. I thought
> sha256 391259 iterations per second
> means 391259 iterations per second. However I set the iteration time to
> 391259 and well... needless to say, it didn't open the encrypted
> partition in a second, more like in 10 minutes. So I have no idea how
> I should interpret this one.
>
> And lastly: --use-random or --use-urandom. I didn't get this one at all.
>
> Thank you for your answer in advance
>
> Mike
> --
> You are so lucky!
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@xxxxxxxxxxx
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
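
An added example (not part of the original thread, and not cryptsetup's own code) relating the quoted PBKDF2 benchmark figures to the iteration time setting. It assumes `--iter-time` is given in milliseconds, as the cryptsetup man page documents, and approximates the iteration count as rate times time; the 1000 ms value is a constructed sample.

```python
import hashlib
import re
import time

# PBKDF2 lines as quoted in the post above (output of `cryptsetup benchmark`).
BENCHMARK = """\
PBKDF2-sha1       644088 iterations per second
PBKDF2-sha256     391259 iterations per second
PBKDF2-sha512     321254 iterations per second
PBKDF2-ripemd160  410241 iterations per second
PBKDF2-whirlpool  151703 iterations per second
"""

def parse_benchmark(text):
    """Return {hash_name: iterations_per_second} from benchmark output."""
    pat = re.compile(r"^PBKDF2-(\S+)\s+(\d+) iterations per second", re.M)
    return {name: int(rate) for name, rate in pat.findall(text)}

def iterations_for(rate_per_s, iter_time_ms):
    """Approximate iteration count that fills iter_time_ms at this rate.

    Assumption: a plain rate * time model; the exact count cryptsetup
    stores in the header may differ between versions.
    """
    return rate_per_s * iter_time_ms // 1000

def unlock_seconds(iterations, rate_per_s):
    """Time one passphrase check takes on a machine with this PBKDF2 rate."""
    return iterations / rate_per_s

def measure_rate(hash_name="sha256", probe_iterations=50_000):
    """Measure the local PBKDF2 rate by timing one fixed-size derivation."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"passphrase", b"constructed-salt",
                        probe_iterations, 32)
    return probe_iterations / (time.perf_counter() - start)

if __name__ == "__main__":
    rates = parse_benchmark(BENCHMARK)
    # 1000 ms is a constructed sample value; 391259 is the value from the post.
    for ms in (1000, 391259):
        n = iterations_for(rates["sha256"], ms)
        secs = unlock_seconds(n, rates["sha256"])
        print(f"--iter-time {ms}: ~{n} iterations, ~{secs:.0f} s per unlock")
    print(f"local PBKDF2-sha256 rate: {measure_rate():.0f} iterations/s")
```

Under this model the benchmark number is a speed, not a setting: the iteration time value is the time budget that speed is multiplied by, so a larger value costs proportionally more time on every unlock.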