Uwe Hermann | A slightly paranoid Debian developer

I'm going to set up a new laptop system soonish (more on that later) which shall have a completely encrypted hard drive. Hence, I'm testing a few setups wrt security, performance, manageability and fault-tolerance.

Here's a few performance tests I did on an 80 GB laptop hard drive (in an Intel Celeron based laptop, 1.7 GHz, 256 MB RAM, Linux 2.6.17, Debian unstable).
I ran bonnie++ (with no options) and hdparm as hdparm -tT /dev/hda each time. I haven't put too much thought into the test setup, so if I made some stupid mistakes, please let me know.

Unencrypted plain ext3 partitions:

• Extra partitions for /, /boot, /usr, /var, /tmp, /home, and swap (no LVM).
• Optionally, SELinux enabled on that system (targeted policy in permissive mode).

bonnie++:

Version  1.03       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
forest         432M 19857  84 21831  10  9536   4 16355  58 22165   3 148.8   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  1650  98 +++++ +++ +++++ +++  1734  98 +++++ +++  3820  96
forest,432M,19857,84,21831,10,9536,4,16355,58,22165,3,148.8,0,16,1650,98,+++++,
+++,+++++,+++,1734,98,+++++,+++,3820,96

bonnie++ with SELinux:

Version  1.03       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
forest         432M 20321  90 21036  13  9473   5 16742  61 21978   4 148.1   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  1398  98 +++++ +++ +++++ +++  1473  98 +++++ +++  3305  98
forest,432M,20321,90,21036,13,9473,5,16742,61,21978,4,148.1,0,16,1398,98,+++++,
+++,+++++,+++,1473,98,+++++,+++,3305,98

hdparm:

 Timing cached reads:   1416 MB in  2.00 seconds = 707.48 MB/sec
 Timing buffered disk reads:   82 MB in  3.06 seconds =  26.80 MB/sec

hdparm with SELinux:

 Timing cached reads:   1404 MB in  2.00 seconds = 700.59 MB/sec
 Timing buffered disk reads:   80 MB in  3.02 seconds =  26.53 MB/sec

Ext3 partitions on top of LVM on top of dm-crypt:

• One partition which is encrypted using dm-crypt (aes-cbc-essiv:sha256 mode, AES, 256 bit key size)
• On top of that an LVM2 system, with extra partitions for /, /boot, /usr, /var, /tmp, /home, and swap.
• Optionally, SELinux enabled on that system (targeted policy in permissive mode).

bonnie++:

Version  1.03       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
forest         464M 11149  54 16660  20  6461   5  7472  58 11129   5 136.4   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  1564  98 +++++ +++ +++++ +++  1650  98 +++++ +++  2640  97
forest,464M,11149,54,16660,20,6461,5,7472,58,11129,5,136.4,0,16,1564,98,+++++,
+++,+++++,+++,1650,98,+++++,+++,2640,97

bonnie++ with SELinux:

Version  1.03       ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
forest         464M  9878  52 12138  11  5457   6  6834  56 11037   5 137.2   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
              files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
                 16  1426  97 +++++ +++ +++++ +++  1451  98 +++++ +++  2433  97
forest,464M,9878,52,12138,11,5457,6,6834,56,11037,5,137.2,0,16,1426,97,+++++,
+++,+++++,+++,1451,98,+++++,+++,2433,97

hdparm:

 Timing cached reads:   1408 MB in  2.00 seconds = 704.01 MB/sec
 Timing buffered disk reads:   80 MB in  3.02 seconds =  26.53 MB/sec

hdparm with SELinux:

 Timing cached reads:   1396 MB in  2.00 seconds = 698.06 MB/sec
 Timing buffered disk reads:   82 MB in  3.07 seconds =  26.69 MB/sec

So yes, there is some overhead, but it's nothing too serious, IMHO. And quite honestly, I don't care too much about performance here — security is more important than performance. I think you'll agree; if you don't agree now, you will agree with me on the very day someone steals your laptop ;-)