
heresjohnny

macrumors member
Original poster
Mar 20, 2010
37
0
Hi,

I always use FileVault, and I've seen some people asking around for performance comparisons on the rMBP with FileVault vs without.

I ran xbench before enabling filevault, and then again after. Not the greatest test, but here it is.


Before:
Results 469.80
System Info
Xbench Version 1.3
System Version 10.8 (12A269)
Physical RAM 16384 MB
Model MacBookPro10,1
Drive Type APPLE SSD SM512E
Disk Test 469.80
Sequential 304.10
Uncached Write 715.73 439.45 MB/sec [4K blocks]
Uncached Write 508.93 287.95 MB/sec [256K blocks]
Uncached Read 122.29 35.79 MB/sec [4K blocks]
Uncached Read 619.53 311.37 MB/sec [256K blocks]
Random 1032.24
Uncached Write 875.78 92.71 MB/sec [4K blocks]
Uncached Write 787.50 252.11 MB/sec [256K blocks]
Uncached Read 2190.91 15.53 MB/sec [4K blocks]
Uncached Read 993.09 184.28 MB/sec [256K blocks]




After:
Results 406.87
System Info
Xbench Version 1.3
System Version 10.8 (12A269)
Physical RAM 16384 MB
Model MacBookPro10,1
Drive Type MBP15
Disk Test 406.87
Sequential 254.88
Uncached Write 713.24 437.92 MB/sec [4K blocks]
Uncached Write 491.16 277.90 MB/sec [256K blocks]
Uncached Read 93.32 27.31 MB/sec [4K blocks]
Uncached Read 649.65 326.51 MB/sec [256K blocks]
Random 1007.89
Uncached Write 800.64 84.76 MB/sec [4K blocks]
Uncached Write 829.20 265.46 MB/sec [256K blocks]
Uncached Read 1812.71 12.85 MB/sec [4K blocks]
Uncached Read 1039.45 192.88 MB/sec [256K blocks]
 

vanc

macrumors 6502
Nov 21, 2007
477
147
It's surprisingly fast. I'm now enabling FileVault.

Intel's CPU supports hardware AES encryption, since Sandy Bridge. That could explain why the performance was so good.
 

Aodhan

macrumors regular
Jun 16, 2012
148
0
I have always used Filevault and considered it the cornerstone of my security plan. But I have recently read somewhere that unless I shut my machine down completely, Filevault is ineffective. Because I keep my computer in a BookArc in clamshell mode, turning it off would mean pulling it out, opening it up, starting it up, and logging in, and then putting it back in the BookArc. Bit of a hassle. I don't know now what to think about Filevault.

At least I know now that I am not taking a huge performance hit for having it on, even if it isn't doing me much good.
 

Gregintosh

macrumors 68000
Jan 29, 2008
1,914
533
Chicago
Unless you are in some high level position where you are targeted by spies, chances are any would-be thieves just want your computer for their own use or resale on eBay/Craigslist.

FileVault is good at protecting your data from those who would just casually come across your data during the course of such a thing.
 

austinguy23

macrumors 6502a
Oct 8, 2008
621
19
It's true. Any full disk encryption (FDE) software is vulnerable to forensic tools when the computer is in sleep/hibernate mode. This is because the encryption keys can still be accessed when your computer is in that state. For FDE software to function properly, you must fully shut down your computer when not in use. Again, this is true of all FDE software, not just FileVault.
 

TLewis

macrumors 65816
Sep 19, 2007
1,294
120
> It's true. Any full disk encryption (FDE) software is vulnerable to forensic tools when the computer is in sleep/hibernate mode. This is because the encryption keys can still be accessed when your computer is in that state. For FDE software to function properly, you must fully shut down your computer when not in use. Again, this is true of all FDE software, not just FileVault.

I'm not sure this is true for the rMBP. The attack depends upon an active firewire port during suspend, and the rMBP doesn't have one, except via thunderbolt. Does anyone know if the rMBP thunderbolt-to-firewire port is active during suspend?
 

RabidMacFan

macrumors 6502
Jun 19, 2012
356
170
California
> I'm not sure this is true for the rMBP. The attack depends upon an active firewire port during suspend, and the rMBP doesn't have one, except via thunderbolt. Does anyone know if the rMBP thunderbolt-to-firewire port is active during suspend?

The same attack can be performed against Thunderbolt too, because it has Direct Memory Access just like FireWire. You can disable this and make your machine safer by enabling the EFI Firmware Password on your machine. It also requires you to enter a password before booting up from external drives.

Another classic attack against encrypted machines is to take out the memory chips and read the data from there. Since the memory is soldered to the motherboard in the rMBP, I guess that rules out that attack.
 

appletechpro

macrumors regular
Jun 26, 2012
111
0
> Another classic attack against encrypted machines is to take out the memory chips and read the data from there. Since the memory is soldered to the motherboard in the rMBP, I guess that rules out that attack.

How would that be possible? RAM contents are volatile.
 

fizzwinkus

macrumors 6502a
Jan 27, 2008
665
0
Freezing the RAM chips before removing them gives you enough time to read their state before it decays - RAM that is soldered on should defeat this technique.
 

appletechpro

macrumors regular
Jun 26, 2012
111
0
> Freezing the RAM chips before removing them gives you enough time to read their state before it decays - RAM that is soldered on should defeat this technique.

I don't see that as being practical at all. The only chance the attacker might have was if the system (case and all; RAM chips ready to be plucked) was already open and ready to be shut down by said attacker, in which case they already have the system powered on and in their possession.

The second the system is powered off, there is a very, very, VERY narrow timeframe for any data whatsoever to be extracted from RAM via freezing it. So basically, if your system is already powered off for even 5 seconds and the attacker gets to it, there's no real chance in hell anything significant shall be recovered.

Thoughts?
 

theAXEDhead

macrumors member
Jun 25, 2012
63
2
Excellent details

Many thanks for taking the time to run these tests and post these details. I for one had these questions. It appears that you saw a 15-16% performance hit, which you guys are finding acceptable. I am looking to implement encryption purely so that I have a secure way to wipe the computer prior to some expected future sale, and I understand on SSDs the only real way to do that is through encryption and removal of the keys.
 

darwinian

macrumors 6502a
Jan 4, 2008
600
1
In R4, more or less
Thanks for posting this. I am also in the camp that uses FileVault and am perfectly happy with the possibility of a performance tradeoff. I had a slight scare because something about XQuartz/X11 appeared to break around the time of the encryption, so some of the software on which I rely was hopelessly broken. At first I thought it had to do with FileVault, but I was not able to confirm that, and now after reinstating FileVault and reinstalling XQuartz, all is well.
 

RabidMacFan

macrumors 6502
Jun 19, 2012
356
170
California
Maybe it's a fluke, but my flash storage speeds are actually faster with FileVault enabled. rMBP 2.6Ghz / 16Gb / 512 GB Flash

Without FileVault 2:
BZGSL.png


With FileVault 2:
44Jyb.png
 

heresjohnny

macrumors member
Original poster
Mar 20, 2010
37
0
Here is the same process, on a new 768MB rMBP. Just figured I'd add more data to the thread.

BEFORE:
Results 481.85
System Info
Xbench Version 1.3
System Version 10.8 (12A269)
Physical RAM 16384 MB
Model MacBookPro10,1
Drive Type APPLE SSD SM768E
Disk Test 481.85
Sequential 341.32
Uncached Write 659.55 404.96 MB/sec [4K blocks]
Uncached Write 506.15 286.38 MB/sec [256K blocks]
Uncached Read 148.59 43.48 MB/sec [4K blocks]
Uncached Read 667.88 335.67 MB/sec [256K blocks]
Random 819.10
Uncached Write 565.03 59.82 MB/sec [4K blocks]
Uncached Write 614.50 196.72 MB/sec [256K blocks]
Uncached Read 2244.54 15.91 MB/sec [4K blocks]
Uncached Read 960.85 178.29 MB/sec [256K blocks]

ONE DAY AFTER ENABLING FV2:
Results 393.59
System Info
Xbench Version 1.3
System Version 10.8 (12A269)
Physical RAM 16384 MB
Model MacBookPro10,1
Drive Type BW15r
Disk Test 393.59
Sequential 261.58
Uncached Write 669.76 411.23 MB/sec [4K blocks]
Uncached Write 477.97 270.43 MB/sec [256K blocks]
Uncached Read 98.02 28.69 MB/sec [4K blocks]
Uncached Read 664.58 334.01 MB/sec [256K blocks]
Random 794.61
Uncached Write 563.50 59.65 MB/sec [4K blocks]
Uncached Write 588.50 188.40 MB/sec [256K blocks]
Uncached Read 1871.76 13.26 MB/sec [4K blocks]
Uncached Read 974.85 180.89 MB/sec [256K blocks]
 

oschrenk

macrumors newbie
May 29, 2012
22
0
How long did it take for the initial encryption of the disk? I am planning to employ FileVault 2 on the 256GB rMBP.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,138
15,604
California
> How long did it take for the initial encryption of the disk? I am planning to employ FileVault 2 on the 256GB rMBP.

It will depend on how much data is on the drive. My 2012 MBA 13" encrypted to FV2 with 60GB used in about 45 minutes.

OP>> Thanks for posting this. Good info.
 

oschrenk

macrumors newbie
May 29, 2012
22
0
> It will depend on how much data is on the drive. My 2012 MBA 13" encrypted to FV2 with 60GB used in about 45 minutes.
>
> OP>> Thanks for posting this. Good info.

Good to hear. I was hearing numbers up to 16 hours. As I would encrypt only the base installation of OSX 10.8 it shouldn't take too long.
 

brennj4

macrumors newbie
Mar 15, 2009
10
0
> I don't see that as being practical at all. The only chance the attacker might have was if the system (case and all; RAM chips ready to be plucked) was already open and ready to be shut down by said attacker, in which case they already have the system powered on and in their possession.
>
> The second the system is powered off, there is a very, very, VERY narrow timeframe for any data whatsoever to be extracted from RAM via freezing it. So basically, if your system is already powered off for even 5 seconds and the attacker gets to it, there's no real chance in hell anything significant shall be recovered.
>
> Thoughts?

The trick I have seen successfully used is using compressed air turned upside down to rapidly bring down the temp of the chips while they are still powered on. The attacker then has approximately 10 seconds to transfer the chips into another machine that will supply power to keep the contents of the memory intact. I agree that it is an implausible attack for the most part, and one that requires a very specific set of circumstances, tools, and skills. With that said though, it is indeed very possible.
 

Samuel Gordon

macrumors member
Aug 29, 2008
40
5
Czech Republic
Another comparison (MacBook Pro Retina 13" Late 2013 512GB SSD)

Without FileVault 2:

Results 887.96
System Info
Xbench Version 1.3
System Version 10.9 (13A2093)
Physical RAM 8192 MB
Model MacBookPro11,1
Drive Type APPLE SSD SM0512F
Disk Test 887.96
Sequential 593.16
Uncached Write 1328.64 815.76 MB/sec [4K blocks]
Uncached Write 758.86 429.36 MB/sec [256K blocks]
Uncached Read 286.04 83.71 MB/sec [4K blocks]
Uncached Read 849.55 426.98 MB/sec [256K blocks]
Random 1765.33
Uncached Write 1689.60 178.86 MB/sec [4K blocks]
Uncached Write 1379.81 441.73 MB/sec [256K blocks]
Uncached Read 3716.48 26.34 MB/sec [4K blocks]
Uncached Read 1470.16 272.80 MB/sec [256K blocks]

With FileVault 2:

Results 764.05
System Info
Xbench Version 1.3
System Version 10.9 (13A2093)
Physical RAM 8192 MB
Model MacBookPro11,1
Drive Type Macintosh HD
Disk Test 764.05
Sequential 478.53
Uncached Write 1276.63 783.83 MB/sec [4K blocks]
Uncached Write 739.25 418.27 MB/sec [256K blocks]
Uncached Read 194.03 56.78 MB/sec [4K blocks]
Uncached Read 935.42 470.14 MB/sec [256K blocks]
Random 1894.30
Uncached Write 2491.38 263.74 MB/sec [4K blocks]
Uncached Write 1376.54 440.68 MB/sec [256K blocks]
Uncached Read 3202.83 22.70 MB/sec [4K blocks]
Uncached Read 1489.14 276.32 MB/sec [256K blocks]
 

benguild

macrumors 6502a
Jul 29, 2003
827
39
> The same attack can be performed against Thunderbolt too, because it has Direct Memory Access just like FireWire. You can disable this and make your machine safer by enabling the EFI Firmware Password on your machine. It also requires you to enter a password before booting up from external drives.
>
> Another classic attack against encrypted machines is to take out the memory chips and read the data from there. Since the memory is soldered to the motherboard in the rMBP, I guess that rules out that attack.

That's not entirely true.

Don’t panic – if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked – you’re still vulnerable to attacks when unlocked, though

http://www.breaknenter.org/projects/inception/#OS_X

... I'm assuming that means that one can DMA your computer when it's unlocked, but not while it's asleep since the system is locked. No?


EDIT:

Actually, according to this:
http://security.stackexchange.com/q...levault-2-while-the-computer-is-in-sleep-mode

destroyfvkeyonstandby - Destroy File Vault Key when going to standby mode.
By default File vault keys are retained even when system goes to standby.
If the keys are destroyed, user will be prompted to enter the password while
coming out of standby mode.(value: 1 - Destroy, 0 - Retain)

I don't understand why this wouldn't be turned on by default? What's the downside? ... I've read from other sources, though, that this command does not work on the rMBP. Maybe because of the SSD, and different sleep/hibernation practices? I haven't been able to verify.
 
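The `destroyfvkeyonstandby` setting quoted in the post above can be audited from `pmset -g` output. The script below is an added example, not part of the original thread: the function names and both sample outputs are constructed here, and the reference to `hibernatemode 25` comes from the pmset(1) man page rather than from any post.

```shell
#!/bin/sh
# Added example: report whether macOS retains the FileVault key across standby.
# Parses `pmset -g`-style text; function names and samples are constructed here.

# Constructed sample: the default described in the quoted help text (0 = Retain).
SAMPLE_DEFAULT='Currently in use:
 standby              1
 hibernatemode        3
 destroyfvkeyonstandby 0'

# Constructed sample: key destroyed, and hibernatemode 25 (per pmset(1): memory
# is written to disk and powered off), an assumption not taken from the thread.
SAMPLE_HARDENED='Currently in use:
 standby              1
 hibernatemode        25
 destroyfvkeyonstandby 1'

# Print the value of one setting, or "unset" if the key is not listed.
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; found = 1; exit }
                     END { if (!found) print "unset" }'
}

# Classify the settings text passed as $1.
audit_standby() {
    destroy=$(printf '%s\n' "$1" | pmset_value destroyfvkeyonstandby)
    hmode=$(printf '%s\n' "$1" | pmset_value hibernatemode)
    if [ "$destroy" != "1" ]; then
        echo "key-retained"            # key stays in RAM through standby
    elif [ "$hmode" = "25" ]; then
        echo "key-destroyed-hibernate" # password required on wake, RAM off
    else
        echo "key-destroyed-standby-only"
    fi
}

# On a Mac, audit the live settings; elsewhere this step is skipped.
if command -v pmset >/dev/null 2>&1; then
    audit_standby "$(pmset -g)"
fi
```

A missing `destroyfvkeyonstandby` line is treated as the retained default, so the script reports `key-retained` on systems that do not list the setting.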

interfuse

macrumors member
Dec 18, 2006
33
0
smash said:
> http://www.breaknenter.org/projects/inception/#OS_X
>
> ... I'm assuming that means that one can DMA your computer when it's unlocked, but not while it's asleep since the system is locked. No?

While FireWire & Thunderbolt provide DMA to your computer, MacBook Air users are totally safe from this attack as MBA's don't have Thunderbolt or FireWire connectivity - only USB, which does not provide DMA (USB connectivity goes via the CPU).


Aside from the performance hit with disk encryption such as FileVault 2, is there any hit to battery performance considering the CPU & drive are doing more work to access your encrypted data?
 

benguild

macrumors 6502a
Jul 29, 2003
827
39
> While FireWire & Thunderbolt provide DMA to your computer, MacBook Air users are totally safe from this attack as MBA's don't have Thunderbolt or FireWire connectivity - only USB, which does not provide DMA (USB connectivity goes via the CPU).
>
> Aside from the performance hit with disk encryption such as FileVault 2, is there any hit to battery performance considering the CPU & drive are doing more work to access your encrypted data?

MacBook Air does have Thunderbolt. You are mistaken.
 