Hi All,

On creating a fully encrypted para-virtualised Xen guest system, is all the data stored on the hard-disk fully encrypted? If so when is the encryption done. The shared memory is used to communicate between dom0 and domU. Is the encryption done before data is put in the shared memory? Does not the whole encryption procedure slow down the system?

--
Reehan Ahmed Khan IL
MT-2009046
+91-9342736116

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 07/06/2010 11:13 AM, ReehanAhmedKhan I L wrote:
> On creating a fully encrypted para-virtualised Xen guest system, is
> all the data stored on the hard-disk fully encrypted? If so when is
> the encryption done.
> The shared memory is used to communicate between dom0 and domU. Is
> the encryption done before data is put in the shared memory?
> Does not the whole encryption procedure slow down the system?

Xen has no specific support for encrypting disk data. You can use whatever mechanisms the dom0 and/or domU kernels support. If you're using Linux, for example, you can configure your setup to encrypt within the domU so that the dom0 domain only ever sees encrypted data, or you can encrypt in dom0.

The performance effects really depend on your workload and system, but my laptop with an encrypted ssd has used 19min 35s for disk encryption over the last 13 days of uptime.

J

On 07/06/10 20:52, Jeremy Fitzhardinge wrote:
> On 07/06/2010 11:13 AM, ReehanAhmedKhan I L wrote:
>> On creating a fully encrypted para-virtualised Xen guest system, is
>> all the data stored on the hard-disk fully encrypted? If so when is
>> the encryption done.
>> The shared memory is used to communicate between dom0 and domU. Is
>> the encryption done before data is put in the shared memory?
>> Does not the whole encryption procedure slow down the system?
>
> Xen has no specific support for encrypting disk data. You can use
> whatever mechanisms the dom0 and/or domU kernels support. If you're
> using Linux, for example, you can configure your setup to encrypt within
> the domU so that the dom0 domain only ever sees encrypted data, or you
> can encrypt in dom0.
>
> The performance effects really depend on your workload and system, but
> my laptop with an encrypted ssd has used 19min 35s for disk encryption
> over the last 13 days of uptime.
>

I know this is really off-topic, but I'm curious whether you have a Core i5/i7 processor with an AESNI instruction, and if you have, if you got the aesni-intel module to work properly with your kernel?

I noticed that using LUKS with a very fast SSD, that normally could have a read throughput of around 200MB/s, significantly limits the performance down to around 80-100 MB/s, with the bottleneck being the kcryptd process eating 100% CPU (core).

joanna.

On 07/07/2010 04:28 AM, Joanna Rutkowska wrote:
> I know this is really off-topic, but I'm curious whether you have a Core
> i5/i7 processor with an AESNI instruction, and if you have, if you got
> the aesni-intel module to work properly with your kernel?
>
> I noticed that using LUKS with a very fast SSD, that normally could have
> a read throughput of around 200MB/s, significantly limits the
> performance down to around 80-100 MB/s, with the bottleneck being the
> kcryptd process eating 100% CPU (core).
>

No, this is a Core2 laptop. I don't do anything intensely IO bound on it (mostly seek-bound stuff), so I wouldn't notice a kcryptd performance regression too much. (Or, perhaps to be more accurate, when I switched to ssd I also added encryption, so the ssd still seems like a marvel of speed compared to the hdd, even with the overhead.)

J
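
An added example, not part of the thread: a shell check for the question raised above of whether the CPU offers AES-NI and whether the kernel's preferred AES implementation is the aesni-intel one. The function names and sample records are constructed for illustration; it assumes the Linux driver names `aes-aesni` and `aes-generic` as they appear in `/proc/crypto`.

```shell
#!/bin/sh
# For each algorithm name in /proc/crypto the kernel prefers the registered
# implementation with the highest priority; dm-crypt (kcryptd) uses that one.

cpu_has_aes() {   # $1 = file in /proc/cpuinfo format; true if "aes" flag listed
    grep -m1 '^flags' "$1" | tr ' \t' '\n\n' | grep -qx aes
}

best_driver() {   # $1 = algorithm name, $2 = file in /proc/crypto format
    awk -v want="$1" -F' *: *' '
        $1 == "name"   { name = $2 }
        $1 == "driver" { driver = $2 }
        $1 == "priority" && name == want && ($2 + 0) > best {
            best = $2 + 0; pick = driver
        }
        END { if (pick == "") exit 1; print pick }
    ' "$2"
}

aes_status() {    # $1 = cpuinfo file, $2 = crypto file
    drv=$(best_driver aes "$2") || drv=none
    if ! cpu_has_aes "$1"; then
        echo "no-aesni-cpu driver=$drv"
    elif [ "$drv" = aes-aesni ]; then
        echo "aesni-active driver=$drv"
    else
        # CPU supports AES-NI but the module is not loaded or not preferred.
        echo "aesni-cpu-but-unused driver=$drv"
    fi
}

# Constructed sample records (not captured from a real host).
sample_crypto() {
    printf '%s\n' 'name         : aes' 'driver       : aes-aesni' \
        'module       : aesni_intel' 'priority     : 300' '' \
        'name         : aes' 'driver       : aes-generic' \
        'module       : kernel' 'priority     : 100'
}
sample_cpuinfo() { printf 'flags\t\t: fpu sse2 ssse3 %s\n' "$1"; }

# On a Linux host, report the live state.
if [ -r /proc/cpuinfo ] && [ -r /proc/crypto ]; then
    aes_status /proc/cpuinfo /proc/crypto
fi
```

A result of `aesni-cpu-but-unused` points at the module not being loaded rather than at the hardware, which is the case the question about getting aesni-intel "to work properly" is asking about.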