Beiträge von gprovost

Zitat von ryecoaaron

If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.

I don't think you need to bother listing all the supported ciphers because the list would be super long since many possible combination. It's better to limit the choice to the best 2 ciphers which are recommended by most linux distrib, including cryptsetup itself :
- aes-xts-plain64
- aes-cbc-essiv:sha256

I did a bit of research and most ARM SoC have crypto engine
- Marvell
- Rockchip
- AllWinner
- Amlogic
- NXP

The basic features of their encryption and decryption engine are :
AES 128/192/256 key mode
ECB/CBC chain mode
SHA-1, SHA-256, and MD5 hash func

Actually I found that some last gen ARM SoC familly even support XTS chain mode. But overall I think most ARM SoC would get better performance by using aes-cbc-essiv:sha256 instead of aes-xts-plain64.

I would recommend however to leave aes-xts-plain64 as the default and let user choose explicitly the other cipher if needed. Up to the board developer to advertise such improvement tweaks

Hi, I was going to rise an issue (improvement request) on the LUKS Plugin github, but I guess it's better to first discuss it here.

Some ARM based boards have hardware encryption acceleration engine, it is the case of the Helios4 board based on the Marvell Armada388 that has CESA engines. However those hardware encryption engines are limited in which cipher they do support. CESA does not accelerate aes-xts-plain64 cipher which is the default cipher for LUKS and actually I don't think there is any SoC out there that can accelerate XTS.

For user to enjoy hardware encryption acceleration provided by CESA engine they should choose chiper aes-cbc-essiv:sha256 for their disk encryption.

Could we imagine an advance settings where user can choose the cipher when creating encrypted device on OMV ? Limited to 2 choices :
- aes-xts-plain64 (default)
- aes-cbc-essiv:sha256

I created a dirty patch for people to hard code in your plugin the right cipher in the case of Helios4. I could try to create the feature describe above, but I need to understand how the OMV plugin framework works first

Here a cryptsetup benchmark run on Helios4 and you could see that user can enjoy a significant boost by choosing the right cipher.

# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       201959 iterations per second for 256-bit key
PBKDF2-sha256     257508 iterations per second for 256-bit key
PBKDF2-sha512     162217 iterations per second for 256-bit key
PBKDF2-ripemd160  175464 iterations per second for 256-bit key
PBKDF2-whirlpool   23523 iterations per second for 256-bit key
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b   101.9 MiB/s   104.9 MiB/s
 serpent-cbc   128b    24.6 MiB/s    32.0 MiB/s
 twofish-cbc   128b    39.0 MiB/s    44.4 MiB/s
     aes-cbc   256b    92.2 MiB/s    94.6 MiB/s
 serpent-cbc   256b    25.2 MiB/s    32.0 MiB/s
 twofish-cbc   256b    39.7 MiB/s    44.4 MiB/s
     aes-xts   256b    62.0 MiB/s    55.7 MiB/s
 serpent-xts   256b    29.4 MiB/s    31.9 MiB/s
 twofish-xts   256b    43.1 MiB/s    44.4 MiB/s
     aes-xts   512b    48.2 MiB/s    41.7 MiB/s
 serpent-xts   512b    29.7 MiB/s    31.9 MiB/s
 twofish-xts   512b    43.5 MiB/s    44.3 MiB/s

More benchmark here

Zitat von sirleon

EDIT2: I bought 2 - sadly, HK Post is only avalible for Germany if only one is bought. Is this correct @gprovost ?

Yes this HK Post e-Express option has a max weight limit, 2 kits will exceed this limit therefore you have to choose one of the other shipping options.

Zitat von sirleon

@ekent I've also thought about buying 1 or 2 helios4. If you also live in germany and intereseted in helios4, we may order together to save shipping costs. We are not in a hurry because Kobol statet this:

Well based on the current traction of the Helios4 3rd campaign, I don't think we will manufacture that much of extra kit anymore... we might end up just manufacturing few dozens more on top. So if you want to be guaranty to get an Helios4 you should order before the end of the campaign. I must admit this was a complete marketing newbie mistake I did, because now potential buyers are being in 'wait-and-see' mode.

To try to boost a bit the sale we are now including a free OLED screen for the first 300 orders https://blog.kobol.io/2019/03/04/3rd-campaign-update/