4

When I do a benchmark test

```
modprobe tcrypt sec=2 mode=200
```

I see that different encryption block sizes are used

```
test 0 (128 bit key, 16 byte blocks): 4460604 operations in 2 seconds (71369664 bytes)
test 1 (128 bit key, 64 byte blocks): 1747179 operations in 2 seconds (111819456 bytes)
test 2 (128 bit key, 256 byte blocks): 517747 operations in 2 seconds (132543232 bytes)
test 3 (128 bit key, 1024 byte blocks): 135801 operations in 2 seconds (139060224 bytes)
test 4 (128 bit key, 8192 byte blocks): 17161 operations in 2 seconds (140582912 bytes)
```

Question

I use a 4k block size on my hard disk.

When creating a LUKS partition, is it then possible to set the encryption block size?

If not, which encryption block size is then used?

Sandra
  • BTW, I am wondering if you might be able to get more useful info on the security site. Your question is a bit beyond what most sysadmins care about I think. – Zoredache Dec 29 '12 at 01:07
  • I'm a little curious as to what you're doing. This isn't something I'd come in contact with as a systems engineer. – ewwhite Dec 29 '12 at 01:09
  • @ewwhite I wanted to use the encryption block size that gave the best performance, but as Zoredache pointed out in his last comment, the block size is fixed. The word "blocks" is very misleading from the tcrypt output it turns out. – Sandra Dec 29 '12 at 02:25
  • It looks like any block size over 256 bytes will provide about the same performance, 63-67MB/s. – David Schwartz Dec 29 '12 at 10:13

1 Answer

2

The encryption block size depends on the cipher you are using. Many common ciphers have a fixed block size.

For example:

- AES has a block size of 128 bits (16 bytes), but it permits key sizes of 128, 192, and 256 bits.
- Blowfish has a 64 bit block size (8 bytes) and a variable key size from 32 to 448 bits.
- DES/DES3 has a 64 bit block size (8 bytes). 3DES supports key sizes of 168, 112, and 56 bits.

As far as I know, every common cipher in use has a relatively small block size compared with the sector sizes of drives (512/4096 bytes).

In any case, I suspect the confusion is in what the tcrypt module is reporting to you. The block size mentioned is telling you the size of the chunk of data that is passed to the encryption function. It isn't referring to the encryption block size used by the cipher.

Zoredache
  • 1
    What is interesting is that the LUKS spec http://code.google.com/p/cryptsetup/wiki/Specification mentions in chapter 2.1: "If the encryption primitive requires a certain block size, incomplete blocks are padded with zero." But not how and who that decides on the size. The pseudocode example gives the impression that it performs a benchmark test. – Sandra Dec 29 '12 at 00:42
  • Do you think "encryption block size" = "key size"? It would make a lot of sense, just how to tell? – Sandra Dec 29 '12 at 00:43
  • 2
    The key size and block size are not the same thing. `who that decides on the size` for algorithms with a fixed block size, the size was defined by the mathematician who designed the algorithm. It is embodied in the standards, and source code. From a practical perspective, if you want to know what the block sizes and key sizes are, just look at the `/proc/crypto` file. – Zoredache Dec 29 '12 at 00:57
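
The `/proc/crypto` lookup suggested in the last comment can be scripted. The following is an added example, not part of the original thread: it parses the blank-line separated stanzas of `/proc/crypto` and reports the cipher block size and key size range per driver. The function names are hypothetical, and the embedded sample is constructed and abridged to the fields used.

```python
from pathlib import Path

# Constructed, abridged sample in the /proc/crypto stanza layout (not from a real host).
SAMPLE = """\
name         : aes
driver       : aes-generic
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : blowfish
driver       : blowfish-generic
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

name         : sha256
driver       : sha256-generic
type         : shash
blocksize    : 64
digestsize   : 32
"""

def parse_proc_crypto(text):
    """Split blank-line separated stanzas into dicts of 'key : value' fields."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in stanza.splitlines())
        entries.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return entries

def cipher_sizes(text):
    """Map driver -> (block bytes, min key bits, max key bits) for keyed algorithms."""
    sizes = {}
    for e in parse_proc_crypto(text):
        # Hashes, RNGs and similar entries carry no key size; skip them.
        if "min keysize" not in e or "blocksize" not in e:
            continue
        sizes[e["driver"]] = (int(e["blocksize"]),
                              int(e["min keysize"]) * 8, int(e["max keysize"]) * 8)
    return sizes

if __name__ == "__main__":
    proc = Path("/proc/crypto")
    text = proc.read_text() if proc.exists() else SAMPLE
    for driver, (block, kmin, kmax) in sorted(cipher_sizes(text).items()):
        print(f"{driver:28} block={block:3} bytes  key={kmin}-{kmax} bits")
```

The block size it prints is a fixed property of each cipher, which is separate from the "byte blocks" figure in the tcrypt output above.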