1. Welcome to the new MacRumors forums. See our announcement and read our FAQ

Have anyone used full disk encryption? Performance?

Discussion in 'Mac OS X Lion (10.7)' started by DandsM, Feb 27, 2011.

  1. macrumors member

    How's your performance when you have a full disk encryption with file vault?

  2. macrumors newbie

    Performance is more or less the same with file vault turned on compared to it being turned off. It took about 10 hours to encrypt 140GB of information. I did notice that my hard drive seems to grumble a little more often than normal with it turned on, maybe it's just because of it being a dev preview OS.
  3. macrumors member

    10 hours?

    Wow that's a lot.
  4. macrumors 68040

    That's pretty good for 140GB, it's limited by the hard drive speed and the CPU. Encryption always have an overhead, that's part of their nature.

    The question should be, how big is the performance hit when this is running after the drive is encrypted.

    If the person starts up with an empty drive and turns on FDE, there's nearly nothing to encrypt, thus there's no time required to encrypt it. The encryption works in the background in real time but at what expense.

    The other question is, which kind of encryption is this (AES 128-bit or AES 256-bit?) and is it accelerated with OpenCL on the CPU/GPU? That should reduce the CPU usage by a lot and makes it much smoother to use in real-time.
  5. macrumors demi-god

    Oh man that is gonna suck for those of us with large iTunes libraries...
  6. macrumors 68040

    Yes, I can imagine the pain, it could literally take days if not weeks, to encrypt several TBs worth of iTunes content.
  7. macrumors 601

    Mr. Retrofire

    Several factors can contribute to such a "bad" result:
    1. A low capacity harddisk. That means: No 4k blocks and a low capacity per platter.
    2. A processor which does not support the AES-NI.
    3. Running software which consumes a lot of system resources, like a virtual machine software or a H.264 encoder.

    An ideal machine should have/support:
    a) A HDD with 4k blocks and high capacity platters or a SSD.
    b) A CPU which supports the AES-NI.
    c) A CPU which allows many parallel threads, such as a Sandy Bridge Quad-Core processor (8 threads in hardware, many more (obviously) in software).
  8. macrumors newbie

    In regards to hardware, I've got the 27 inch iMac with the 2.93GHz QC i7 processor, 12 GB of RAM, and the standard 7200RPM 1 TB drive. In Snow Leopard, it took about 18 hours to complete just the home folder encryption. So 10 hours was definitely an improvement in encryption speed, of the whole disk at that!
  9. macrumors member

    That's insane. I think the better way is to encrypt when you're installing the OS for the first time, should be quicker.
  10. macrumors 601

    Mr. Retrofire

    1. Create an encrypted "sparse" disk image with Disk Utility (choose AES-128)!
    2. Copy your confidential data to the disk image from step 1!
    3. Securely delete the confidential data on your HDD, which is not encrypted! For example via (in the terminal):
    sudo srm -rszv <path-to-a-folder>

    TM will save the encrypted disk image, and your confidential data remains confidential.

    Problem solved!

    Btw, what "confidential" stuff is in your iTunes library?
  11. Guest

    Sky Blue

    anybody compared it to PGP?
    If you sleep the Mac, do you need to de-crypt on wake?
  12. macrumors demi-god

    That is the easy way, but AFAIK time machine won't save an encrypted DMG without it being closed.

    I was referring to the pain of FDE. Otherwise there isn't anything on my computer that I am that worried about. Now if I were using an SSD...
  13. macrumors member

    CPU is not an issue. Even without the i5/i7 AES instructions a normal Core 2 can do upwards of 200 MB/s. With i5/i7 we're talking about speeds in the order of 1GB/s.

    So as soon as the initial conversion is done, you won't notice any difference in performance. As long as you're not streaming encrypted x00 MB/s from your Thunderbolt RAID :D
  14. macrumors newbie

    Does anyone know if the number of hash iterations to generate the encryption key has been increased? Last I checked, Apple used only 1000 iterations of PBKDF2, which is just about useless. Even if your password used the whole base64 character space, it would have to be about 20 characters long to match the security of 128-bit AES.
  15. macrumors regular

    Yes, every time. In fact you cannot uncheck the Require Password option in System Preferences -> Security & Privacy

Share This Page