Encrypted File System Performance in OpenBSD 3.2
by francisco roque

  1. Table of Contents

    1. Table of Contents
    2. Introduction
    3. Steps
    4. Results
    5. Problems & Inaccuracies
    6. Conclusion
    7. References
    8. Author, Copyright, License

     

  2. Introduction

    Curious about the performance cost of using an encrypted file system on my old 486 laptop, I decided to run some benchmarks comparing direct disk file systems to encrypted file systems.

     

  3. Steps

    The following steps were performed to set up and run the tests:

     

  4. Results

    Some of the results were surprising, some weren't. The graph below shows the average scores for each run for each device used.

    As expected, the direct disk device performed very well. However, I did not expect the unencrypted vnd device to outperform the direct disk device by so much in the read tests. Closer inspection of the graphs for the read tests shows that unencrypted vnd devices really outperform direct disk only at smaller file sizes (under 4MB).

    Encrypted devices perform well below the unencrypted devices, usually 2-3 times slower. The encrypted vnd device performed better than the cgd device for reads, but the cgd device performed better in writes. Closer inspection of the runs shows that for very small file sizes, encrypted vnd works much better than cgd in read tests, while cgd remains more constant across file sizes in write tests.


    Summary graphs: P-200 (large); P-100 (small, large)

    From these results, we can determine which device type best suits which application. If your application requires more read operations than write, then encrypted vnd is the way to go. If your application requires more write operations than read, then cgd should deliver better performance.

    Also, it is worth noting that if you have small files and perform many read operations, you may want to consider unencrypted vnd devices over direct disk devices.
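
    To repeat this kind of comparison on your own hardware, the per-device read and write averages and the slowdown factor can be computed from saved IOzone reports. The following is an added example, not the author's script; it assumes report rows with IOzone's usual 15 integer columns in the order listed in COLUMNS, and the device names and numbers are constructed sample data.

```python
from statistics import mean

# Column order of IOzone auto-mode report rows (assumed); values are kB/s.
COLUMNS = ["kB", "reclen", "write", "rewrite", "read", "reread", "random read",
           "random write", "backward read", "record rewrite", "stride read",
           "fwrite", "refwrite", "fread", "refread"]
READS = ["read", "reread", "random read", "backward read", "stride read",
         "fread", "refread"]
WRITES = ["write", "rewrite", "random write", "record rewrite", "fwrite",
          "refwrite"]

def parse_report(text):
    """Return one dict per data row; banner, header and partial rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(COLUMNS) and all(f.isdigit() for f in fields):
            rows.append(dict(zip(COLUMNS, map(int, fields))))
    return rows

def average(rows, tests, below_kb=None):
    """Mean throughput over `tests`, optionally only for files smaller than below_kb."""
    picked = [r for r in rows if below_kb is None or r["kB"] < below_kb]
    return mean(r[t] for r in picked for t in tests)

def slowdown(baseline, device, tests, below_kb=None):
    """Factor by which `device` is slower than `baseline` (>1 means slower)."""
    return average(baseline, tests, below_kb) / average(device, tests, below_kb)

# Constructed sample reports, not measurements from the article.
DISK = """\
      kB  reclen  write rewrite  read reread ...
      64       4   2000 2000 4000 4000 4000 2000 4000 2000 4000 2000 2000 4000 4000
    8192      64   1000 1000 2000 2000 2000 1000 2000 1000 2000 1000 1000 2000 2000
"""
ENCRYPTED_VND = """\
      64       4    500  500 2000 2000 2000  500 2000  500 2000  500  500 2000 2000
    8192      64    500  500 1000 1000 1000  500 1000  500 1000  500  500 1000 1000
"""

if __name__ == "__main__":
    disk, enc = parse_report(DISK), parse_report(ENCRYPTED_VND)
    print("read slowdown: ", slowdown(disk, enc, READS))
    print("write slowdown:", slowdown(disk, enc, WRITES))
    print("read slowdown under 4MB:", slowdown(disk, enc, READS, below_kb=4096))
```

    Rows from runs that selected only some tests have fewer columns and are skipped by this parser, so feed it full reports.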

    Here are large graphs of all the tests run on all the filesystems.

    P-100:
    read, reread, random read, backward read, stride read, fread, refread, write, rewrite, random write, record rewrite, fwrite, refwrite

    P-200:
    read, reread, random read, backward read, stride read, fread, refread, write, rewrite, random write, record rewrite, fwrite, refwrite

    cgd/vnd comparison on P-100/200:
    read, reread, random read, backward read, stride read, fread, refread, write, rewrite, random write, record rewrite, fwrite, refwrite

     

  5. Problems & Inaccuracies

    There are various problems and inaccuracies with the process and these results that may lead to incorrect decisions for other applications.

     

  6. Conclusion

    In terms of performance, both cgd and vnd have their place. Since vnd performs so much better in reads for very small files, I feel that overall cgd devices are better. However, I am biased, as I feel that, once compiled in, the setup and configuration of a cgd device is easier than that of a vnd device. It should also be noted that were cgd devices ported to use OpenBSD's crypt subsystem instead of a port of the NetBSD system, then cgd might also take advantage of hardware-based crypto accelerators. Though this may not help my laptop, it might certainly help a server with encrypted filesystem needs.

    The decision as to whether a cgd or vnd device is better for your needs will really depend on those specific needs; hopefully this document will help you decide.

     

  7. References

    Manpages:
    vnd(4)

    Other howto's and docs:
    the cgd on OpenBSD page by Ted Unangst, the original porter of cgd.
    TCFS the Transparent Cryptographic File System. The source shipped with OpenBSD 3.2 panic'd my kernel. Here are a couple pages about using TCFS on OpenBSD: 1, 2.
    CFS an encrypted file system implemented via an NFS interface.
    IOzone Filesystem Benchmark - very useful tool for measuring disk I/O.

     

  8. Author, Copyright, License

    The author of this document is francisco roque, who can be found at
    http://www.blackant.net/

    This document is copyright francisco roque 2002.

    This document is released under BSD style license and may be used in whole or part for anything so long as this section remains intact.

    The author takes no responsibility for damages incurred by following the steps in this document, including but not limited to the loss of data or damage to hardware. Good Luck.