• Storing files
• Communication over network (IPSEC, OpenVPN, WPA2, …)

I’ll focus on the first point in this article using LUKS (Linux Unified Key Setup).

To use LUKS and the crypto block, some kernel adjustments have to be made:

Device Drivers  --->
   [*] Multiple devices driver support (RAID and LVM)  --->
   <*>   Device mapper support
   <*>     Crypt target support

-*- Cryptographic API  --->
   -*- Cryptographic algorithm manager
   -*- CBC support
   {*} ECB support
   {*} AES cipher algorithms
   <*> AES cipher algorithms (i586)
   -*-   MD5 digest algorithm
   <*> SHA224 and SHA256 digest algorithm
   [*] Hardware crypto devices  --->
   <*>   Support for the Geode LX AES engine

If you want to test with and without crypto acceleration, I recommend compiling the last one as a module. After compiling and rebooting we have to install LUKE userspace tools:

emerge -v cryptsetup

That’s all. Now we’re ready to test. As we want to bandwidth limitation from a slow CF card or USB stick, we create a memory loopback device for testing purposes with a size of 128 MB:

mkdir /tmp/tmpfs
mount -t tmpfs none /tmp/tmpfs -o size=130m
dd if=/dev/zero of=/tmp/tmpfs/test.img count=131072 bs=1024
losetup /dev/loop1 /tmp/tmpfs/test.img

The tmpfs ramdisk is with intent 130MB large, as the maximum default value is 50% of RAM and with that 128 MB wouldn’t fit in.

At first, we want to measure software AES performance. For this, we have to assure, that the driver for the crypto block is not loaded. You can get a list of all loaded modules with

lsmod

If there’s geode_aes listed, remove it by

rmmod geode_aes

Now we can create a LUKS device by

cryptsetup -y --cipher aes --key-size 128 luksFormat /dev/loop1

Mind the key size of 128 bit as the Geode crypto block is only capable of 128 bit keys. You have to confirm this command with a uppercase YES and entering the passphrase twice:

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.

Now we can open the container. Run

cryptsetup luksOpen /dev/loop1 test

and enter the previous set passphrase:

Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

The container is now under /dev/mapper/test and we can do some write test by running dd:

dd if=/dev/zero of=/dev/mapper/test bs=16384

After a few seconds, dd will terminate, complaining no space left:

dd: writing `/dev/mapper/test': No space left on device
8160+0 records in
8159+0 records out
133689344 bytes (134 MB) copied, 18.574 s, 7.2 MB/s

That’s OK. We can read here there 7.2 MB/s throughput with crypto block. After closing the container with

cryptsetup luksClose test

we can load the crypto block driver by

modprobe geode_aes

and can run the same commands as above. We’ll get a

dd: writing `/dev/mapper/test': No space left on device
8160+0 records in
8159+0 records out
133689344 bytes (134 MB) copied, 4.88397 s, 27.4 MB/s

noticing that we’ve got a 27.4 MB/s throughput now! This also works with ESSIV as well. It’s a bit slower, but more secure. You can to alter the luksFormat to use it:

cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 128 luksFormat /dev/loop1

I measured 7.0 MB/s without and 24.0 MB/s with crypto block. After all testing don’t forget to remove the loopback device and umount the ramdisk:

losetup  -d /dev/loop1
umount /tmp/tmpfs/
rmdir /tmp/tmpfs

Now you can setup your real crypto disk. You might want to initialize your partition with random data before creating the luksContainter. dd is once again your friend:

dd if=/dev/urandom of=/dev/XXX bs=1M

Concerning the use of the crypto block for network encryption: By chance it noticed that if I use WPA2 with AES the geode_aes has a 2 in the used row of lsmod:

Module                  Size  Used by
lib80211_crypt_ccmp     4808  2
ipw2200               115904  0
libipw                 22792  1 ipw2200
geode_aes               5464  2
lib80211                4568  3 lib80211_crypt_ccmp,ipw2200,libipw

So it seems, like WPA2 is using this as well. If you know a method to confirm this, let me know.