[dm-crypt] Twofish 3-way

[dm-crypt] Twofish 3-way

[Heinz Diehl]

Hi,

since kernel 3.2 there is a new parallelized variant of twofish
available via

CONFIG_CRYPTO_TWOFISH_X86_64_3WAY

How can I use it with LUKS/dmcrypt? My current config contains the 
following:

# CONFIG_CRYPTO_TWOFISH is not set
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_X86_64=y
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y

How should these options be set up properly?

Thanks,
Heinz.

Re: [dm-crypt] Twofish 3-way

[Milan Broz]

On 01/12/2012 04:06 PM, Heinz Diehl wrote:
> Hi,
>
> since kernel 3.2 there is a new parallelized variant of twofish
> available via
>
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY
>
> How can I use it with LUKS/dmcrypt? My current config contains the
> following:
>
> # CONFIG_CRYPTO_TWOFISH is not set
> CONFIG_CRYPTO_TWOFISH_COMMON=y
> CONFIG_CRYPTO_TWOFISH_X86_64=y
> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
>
> How should these options be set up properly?

You cannot set directly which version is used through dmcrypt interface,
(without patching kernel source) but cryptoAPI should detect the fastest
algorithm automatically.

For separate modules, force load just that module and unload all other
should perhaps work as well (before crypto device activation).

(see /proc/crypto and lsmod modules reference count to check which one
is really used)

Milan

Re: [dm-crypt] Twofish 3-way

[Arno Wagner]

Do I understand this right that this can only work if you
have independent disk accesses? For a single sector, the
mode would prevent any paralellization (unless you set 
ECB, which is definitely not a good idea).

Arno

On Thu, Jan 12, 2012 at 04:22:59PM +0100, Milan Broz wrote:
> On 01/12/2012 04:06 PM, Heinz Diehl wrote:
> >Hi,
> >
> >since kernel 3.2 there is a new parallelized variant of twofish
> >available via
> >
> >CONFIG_CRYPTO_TWOFISH_X86_64_3WAY
> >
> >How can I use it with LUKS/dmcrypt? My current config contains the
> >following:
> >
> ># CONFIG_CRYPTO_TWOFISH is not set
> >CONFIG_CRYPTO_TWOFISH_COMMON=y
> >CONFIG_CRYPTO_TWOFISH_X86_64=y
> >CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
> >
> >How should these options be set up properly?
> 
> You cannot set directly which version is used through dmcrypt interface,
> (without patching kernel source) but cryptoAPI should detect the fastest
> algorithm automatically.
> 
> For separate modules, force load just that module and unload all other
> should perhaps work as well (before crypto device activation).
> 
> (see /proc/crypto and lsmod modules reference count to check which one
> is really used)
> 
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 

Re: [dm-crypt] Twofish 3-way

[Milan Broz]

On 01/12/2012 05:28 PM, Arno Wagner wrote:
> Do I understand this right that this can only work if you
> have independent disk accesses? For a single sector, the
> mode would prevent any paralellization (unless you set
> ECB, which is definitely not a good idea).

Hm, right. But I think XTS can process blocks in one sector
in parallel as well, but I just saw generic tcrypt tests
(http://www.spinics.net/lists/linux-crypto/msg06351.html),
not dmcrypt based numbers...

Milan

Re: [dm-crypt] Twofish 3-way

[Heinz Diehl]

On 12.01.2012, Milan Broz wrote: 

> Hm, right. But I think XTS can process blocks in one sector
> in parallel as well, but I just saw generic tcrypt tests
> (http://www.spinics.net/lists/linux-crypto/msg06351.html),
> not dmcrypt based numbers...

This raises an important question: is there any improvement in using
3-way twofish with LUKS/dmcrypt at all?