Has anyone used full disk encryption? Performance?




DandsM
Feb 27, 2011, 09:37 AM
How's your performance when you have full disk encryption with FileVault?

Thanks



hipauliee
Feb 27, 2011, 09:56 AM
Performance is more or less the same with FileVault turned on compared to it being turned off. It took about 10 hours to encrypt 140GB of information. I did notice that my hard drive seems to grumble a little more often than normal with it turned on; maybe it's just because of it being a dev preview OS.

DandsM
Feb 27, 2011, 10:30 AM
10 hours?

Wow that's a lot.

MikhailT
Feb 27, 2011, 10:38 AM
10 hours?

Wow that's a lot.

That's pretty good for 140GB; it's limited by the hard drive speed and the CPU. Encryption always has an overhead; that's part of its nature.

The question should be, how big is the performance hit when this is running after the drive is encrypted.

If the person starts up with an empty drive and turns on FDE, there's nearly nothing to encrypt, thus there's no time required to encrypt it. The encryption works in the background in real time but at what expense.

The other question is, which kind of encryption is this (AES 128-bit or AES 256-bit?) and is it accelerated with OpenCL on the CPU/GPU? That should reduce the CPU usage by a lot and make it much smoother to use in real-time.

diamond.g
Feb 27, 2011, 10:40 AM
Performance is more or less the same with FileVault turned on compared to it being turned off. It took about 10 hours to encrypt 140GB of information. I did notice that my hard drive seems to grumble a little more often than normal with it turned on; maybe it's just because of it being a dev preview OS.

Oh man that is gonna suck for those of us with large iTunes libraries...

MikhailT
Feb 27, 2011, 10:50 AM
Oh man that is gonna suck for those of us with large iTunes libraries...

Yes, I can imagine the pain, it could literally take days if not weeks, to encrypt several TBs worth of iTunes content.

Mr. Retrofire
Feb 27, 2011, 11:00 AM
10 hours?

Wow that's a lot.

Several factors can contribute to such a "bad" result:
1. A low capacity hard disk. That means: No 4k blocks and a low capacity per platter.
2. A processor which does not support the AES-NI.
3. Running software which consumes a lot of system resources, like virtual machine software or an H.264 encoder.

An ideal machine should have/support:
a) An HDD with 4k blocks and high capacity platters or an SSD.
b) A CPU which supports the AES-NI.
c) A CPU which allows many parallel threads, such as a Sandy Bridge Quad-Core processor (8 threads in hardware, many more (obviously) in software).

hipauliee
Feb 27, 2011, 11:22 AM
In regards to hardware, I've got the 27 inch iMac with the 2.93GHz QC i7 processor, 12 GB of RAM, and the standard 7200RPM 1 TB drive. In Snow Leopard, it took about 18 hours to complete just the home folder encryption. So 10 hours was definitely an improvement in encryption speed, of the whole disk at that!

DandsM
Feb 27, 2011, 11:24 AM
In regards to hardware, I've got the 27 inch iMac with the 2.93GHz QC i7 processor, 12 GB of RAM, and the standard 7200RPM 1 TB drive. In Snow Leopard, it took about 18 hours to complete just the home folder encryption. So 10 hours was definitely an improvement in encryption speed, of the whole disk at that!

That's insane. I think the better way is to encrypt when you're installing the OS for the first time, should be quicker.

Mr. Retrofire
Feb 27, 2011, 11:30 AM
Oh man that is gonna suck for those of us with large iTunes libraries...

1. Create an encrypted "sparse" disk image with Disk Utility (choose AES-128)!
2. Copy your confidential data to the disk image from step 1!
3. Securely delete the confidential data on your HDD, which is not encrypted! For example via (in the terminal):
sudo srm -rszv <path-to-a-folder>

TM will save the encrypted disk image, and your confidential data remains confidential.

Problem solved!

Btw, what "confidential" stuff is in your iTunes library?

Sky Blue
Feb 28, 2011, 02:55 PM
anybody compared it to PGP?
If you sleep the Mac, do you need to decrypt on wake?

diamond.g
Feb 28, 2011, 03:05 PM
1. Create an encrypted "sparse" disk image with Disk Utility (choose AES-128)!
2. Copy your confidential data to the disk image from step 1!
3. Securely delete the confidential data on your HDD, which is not encrypted! For example via (in the terminal):
sudo srm -rszv <path-to-a-folder>

TM will save the encrypted disk image, and your confidential data remains confidential.

Problem solved!

Btw, what "confidential" stuff is in your iTunes library?

That is the easy way, but AFAIK Time Machine won't save an encrypted DMG without it being closed.

I was referring to the pain of FDE. Otherwise there isn't anything on my computer that I am that worried about. Now if I were using an SSD...

andyone
Feb 28, 2011, 03:34 PM
CPU is not an issue. Even without the i5/i7 AES instructions a normal Core 2 can do upwards of 200 MB/s. With i5/i7 we're talking about speeds in the order of 1GB/s.

So as soon as the initial conversion is done, you won't notice any difference in performance. As long as you're not streaming encrypted x00 MB/s from your Thunderbolt RAID :D

trinacula90
Mar 1, 2011, 04:03 PM
Does anyone know if the number of hash iterations to generate the encryption key has been increased? Last I checked (http://crypto.nsa.org/vilefault/23C3-VileFault.pdf), Apple used only 1000 iterations of PBKDF2, which is just about useless. Even if your password used the whole base64 character space, it would have to be about 20 characters long to match the security of 128-bit AES.
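
The arithmetic behind the iteration-count concern in the post above, as an added example that is not part of the original thread: it computes how much brute-force work PBKDF2 iterations add on top of password entropy and measures the cost of one guess. The function names are hypothetical, the sample password and salt are constructed, and HMAC-SHA1 as the PRF is an assumption the post does not state.

```python
import hashlib
import math
import time

AES_KEY_BITS = 128   # strength the post compares against
BASE64_CHARS = 64    # "whole base64 character space": 6 bits per character


def effective_bits(length, alphabet, iterations):
    """log2 of the hash operations needed to try every random password."""
    return length * math.log2(alphabet) + math.log2(iterations)


def min_length(target_bits, alphabet, iterations):
    """Shortest random password whose exhaustive search costs target_bits."""
    needed = target_bits - math.log2(iterations)
    return max(0, math.ceil(needed / math.log2(alphabet)))


def derive_key(password, salt, iterations, dklen=16):
    """PBKDF2 key derivation; HMAC-SHA1 is an assumption, not from the post."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def seconds_per_guess(iterations, rounds=5):
    """Measured cost of one password guess on this machine (best of rounds)."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key(b"constructed-sample-password", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for iterations in (1, 1000, 100_000):
        print(f"{iterations:>7} iterations: "
              f"{min_length(AES_KEY_BITS, BASE64_CHARS, iterations)} random base64 chars "
              f"needed for {AES_KEY_BITS} bits, "
              f"{seconds_per_guess(iterations) * 1e3:.3f} ms per guess")
    # An 8-character lowercase password (constructed case) stays far below 128 bits.
    print(f"8 lowercase chars @ 1000 iterations: {effective_bits(8, 26, 1000):.1f} bits")
```

At 1000 iterations the key-stretching contributes about 10 bits of work, so the password itself has to supply the remaining ~118 bits.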

Mac-Michael
Mar 3, 2011, 11:39 PM
anybody compared it to PGP?
If you sleep the Mac, do you need to decrypt on wake?

Yes, every time. In fact you cannot uncheck the Require Password option in System Preferences -> Security & Privacy