Posts by gprovost

    If I add a list of ciphers, I would add all that are supported but a note could mention other things. Are there any boards that support a different cipher? I don't want to make a change just for the helios.

    I don't think you need to bother listing all the supported ciphers because the list would be super long since many possible combination. It's better to limit the choice to the best 2 ciphers which are recommended by most linux distrib, including cryptsetup itself :
    - aes-xts-plain64
    - aes-cbc-essiv:sha256


    I did a bit of research and most ARM SoC have crypto engine
    - Marvell
    - Rockchip
    - AllWinner
    - Amlogic
    - NXP


    The basic features of their encryption and decryption engine are :
    AES 128/192/256 key mode
    ECB/CBC chain mode
    SHA-1, SHA-256, and MD5 hash func



    Actually I found that some last gen ARM SoC familly even support XTS chain mode. But overall I think most ARM SoC would get better performance by using aes-cbc-essiv:sha256 instead of aes-xts-plain64.


    I would recommend however to leave aes-xts-plain64 as the default and let user choose explicitly the other cipher if needed. Up to the board developer to advertise such improvement tweaks ;-)

    Hi, I was going to rise an issue (improvement request) on the LUKS Plugin github, but I guess it's better to first discuss it here.


    Some ARM based boards have hardware encryption acceleration engine, it is the case of the Helios4 board based on the Marvell Armada388 that has CESA engines. However those hardware encryption engines are limited in which cipher they do support. CESA does not accelerate aes-xts-plain64 cipher which is the default cipher for LUKS and actually I don't think there is any SoC out there that can accelerate XTS.


    For user to enjoy hardware encryption acceleration provided by CESA engine they should choose chiper aes-cbc-essiv:sha256 for their disk encryption.


    Could we imagine an advance settings where user can choose the cipher when creating encrypted device on OMV ? Limited to 2 choices :
    - aes-xts-plain64 (default)
    - aes-cbc-essiv:sha256


    I created a dirty patch for people to hard code in your plugin the right cipher in the case of Helios4. I could try to create the feature describe above, but I need to understand how the OMV plugin framework works first :/


    Here a cryptsetup benchmark run on Helios4 and you could see that user can enjoy a significant boost by choosing the right cipher.





    More benchmark here


    @ekent I've also thought about buying 1 or 2 helios4. If you also live in germany and intereseted in helios4, we may order together to save shipping costs. We are not in a hurry because Kobol statet this:

    Well based on the current traction of the Helios4 3rd campaign, I don't think we will manufacture that much of extra kit anymore... we might end up just manufacturing few dozens more on top. So if you want to be guaranty to get an Helios4 you should order before the end of the campaign. I must admit this was a complete marketing newbie mistake I did, because now potential buyers are being in 'wait-and-see' mode.


    To try to boost a bit the sale we are now including a free OLED screen for the first 300 orders ;-) https://blog.kobol.io/2019/03/04/3rd-campaign-update/