Oct 31 2017
 

If you are using GELI to encrypt ZFS disks as I do, there is a slight issue with the default NAS4Free configuration. Disk access is slow and everything points toward encryption as the culprit.

To test encryption speed, one approach is to load the zero geom and encrypt a few bytes.

# kldload geom_zero
# geli onetime -e aes-xts -l 128 -s 4096 /dev/gzero
# dd if=/dev/gzero.eli of=/dev/null bs=1M count=256

My result was around 40 MB/s. Definitely not what I expected, nor does it come even close to what’s needed to support full disk speed.

Furthermore, we can see that hardware crypto is supported and that GELI is not using it:

# dmesg | grep AESNI
Features2=0x43d8e3bf<SSE3,PCLMULQDQ,,TSCDLT,AESNI,RDRAND>

# geli list | grep Crypto
Crypto: software
Crypto: software
Crypto: software

By default, NAS4Free doesn’t load the AES encryption module, and AES without hardware support is not as impressive as one would expect.

Fortunately, it is simple to load. Going to System, Advanced, loader.conf, and adding aesni_load=YES is all that is needed. After a reboot, we can check whether the module is properly loaded:

# kldstat | grep aesni.ko
 7    1 0xffffffff8ab3d000 bd50     aesni.ko

# geli list | grep Crypto
Crypto: hardware
Crypto: hardware
Crypto: hardware

If one repeats the previous test, the speed is now a more reasonable 350 MB/s. Manually enabling the hardware encryption module definitely pays off!
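The two checks above (the CPU advertises AESNI, yet geli list reports software crypto) can be combined into one audit script. This is an added example, not part of the original post; the sample geli list and dmesg text is constructed, and the "Geom name:" line and the provider names are assumptions about the output.

```sh
#!/bin/sh
# Added example (not from the original post): report GELI providers that
# still use software crypto although the CPU advertises AES-NI.

# Reads `geli list` output on stdin and prints each geom whose Crypto field
# is not "hardware". Assumes each geom block starts with "Geom name: <name>".
geli_software_providers() {
    awk '$1 == "Geom" && $2 == "name:" { name = $3 }
         $1 == "Crypto:" && $2 != "hardware" { print name }'
}

# Reads boot messages on stdin; succeeds if the Features2 line lists AESNI.
cpu_has_aesni() {
    grep -q 'Features2=.*[<,]AESNI[,>]'
}

# $1 = `geli list` text, $2 = dmesg text; prints a one-line verdict.
geli_audit() {
    soft=$(printf '%s\n' "$1" | geli_software_providers)
    if [ -z "$soft" ]; then
        echo "ok: no provider uses software crypto"
    elif printf '%s\n' "$2" | cpu_has_aesni; then
        # $soft is left unquoted on purpose: joins the names with spaces.
        echo "fix: add aesni_load=YES to loader.conf; software crypto on:" $soft
    else
        echo "info: CPU does not advertise AESNI; software crypto on:" $soft
    fi
}

# Constructed sample input (provider names are made up).
SAMPLE_GELI_LIST='Geom name: ada0.eli
EncryptionAlgorithm: AES-XTS
Crypto: hardware
Geom name: ada1.eli
EncryptionAlgorithm: AES-XTS
Crypto: software'
SAMPLE_DMESG='Features2=0x43d8e3bf<SSE3,PCLMULQDQ,,TSCDLT,AESNI,RDRAND>'

if command -v geli >/dev/null 2>&1; then
    geli_audit "$(geli list)" "$(dmesg)"            # live FreeBSD/NAS4Free system
else
    geli_audit "$SAMPLE_GELI_LIST" "$SAMPLE_DMESG"  # offline demo on the sample
fi
```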

Here are the results I saw on my ZFS machines:

Processor                      Mode  Without AES-NI  With AES-NI
Intel Core i3-4010U @1.70GHz   XTS   60 MB/s         780 MB/s
Intel Core i3-4010U @1.70GHz   CBC   75 MB/s         750 MB/s
Intel Atom C2558 @2.40GHz      XTS   40 MB/s         350 MB/s
Intel Atom C2558 @2.40GHz      CBC   45 MB/s         350 MB/s

PS: Yes, this works for FreeNAS too.

PPS: You can also load the module for temporary testing using kldload aesni.
