Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 25 Jul 2012 19:52:39 -0500 (CDT)
From:      Robert Bonomi <bonomi@mail.r-bonomi.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: geli - selecting cipher
Message-ID:  <201207260052.q6Q0qdss086796@mail.r-bonomi.com>
In-Reply-To: <alpine.BSF.2.00.1207252055180.9814@wojtek.tensor.gdynia.pl>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
> From owner-freebsd-questions@freebsd.org  Wed Jul 25 14:00:27 2012
> Date: Wed, 25 Jul 2012 20:57:30 +0200 (CEST)
> From: Wojciech Puchar <wojtek@wojtek.tensor.gdynia.pl>
> To: freebsd-questions@freebsd.org
> Subject: geli - selecting cipher
>
> i need high speed disk encryption (many disks running in parallel, lots of 
> data movement). i have processor with AES-NI.
>
> geli give 150MB/s performance (tested from/to md ramdisk) using default 
> and recommended AES-XTS
>
> and ca 400MB/s read and 700MB/s write using AES-CBC.
>
> I'm not cryptography expert, is CBC somehow "less secure", and if so is it 
> really a problem?

If you "don't know" what strength encryption you need, and/or the difference
between the methods, you need to hire a data-security professional to examine
your situation and make recommendations appropriate for _your_ needs.

'CBC' -- [C]ypher [B]lock [C]hainig -- is well-suited for strictly -sequential-
data access.   Try reading the blocks of a large (say 10gB) file in *reverse*
order and see what kind of performance you get.  





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?201207260052.q6Q0qdss086796>