Hello,
Should I just use the default options for cryptsetup luksFormat, or are there any performance gains to be had with different parameters?
Thanks, Simon.
Default compiled-in metadata format is LUKS2 (for luksFormat action).
LUKS2 external token plugin support is enabled.
LUKS2 external token plugin path: /usr/lib/cryptsetup.
Default compiled-in key and passphrase parameters:
Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-xts-plain64, Key: 256 bits, Password hashing: sha256
LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 4563986 iterations per second for 256-bit key
PBKDF2-sha256 9279433 iterations per second for 256-bit key
PBKDF2-sha512 2723574 iterations per second for 256-bit key
PBKDF2-ripemd160 1342606 iterations per second for 256-bit key
PBKDF2-whirlpool 1131149 iterations per second for 256-bit key
argon2i 9 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 9 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1763.9 MiB/s 6356.9 MiB/s
serpent-cbc 128b 123.0 MiB/s 889.4 MiB/s
twofish-cbc 128b 264.9 MiB/s 580.4 MiB/s
aes-cbc 256b 1346.9 MiB/s 5719.4 MiB/s
serpent-cbc 256b 123.3 MiB/s 890.0 MiB/s
twofish-cbc 256b 265.7 MiB/s 582.2 MiB/s
aes-xts 256b 8514.2 MiB/s 8539.6 MiB/s
serpent-xts 256b 780.0 MiB/s 804.0 MiB/s
twofish-xts 256b 541.8 MiB/s 545.7 MiB/s
aes-xts 512b 8049.0 MiB/s 7993.6 MiB/s
serpent-xts 512b 780.1 MiB/s 804.8 MiB/s
twofish-xts 512b 541.0 MiB/s 545.6 MiB/s

$ nvme id-ns -H /dev/nvme0n1 | grep "Relative Performance"
LBA Format 0 : Metadata Size: 0 bytes - Data Size: 512 bytes - Relative Performance: 0 Best (in use)
Default options are good.
If you want to experiment, you can try setting the sector size to 4096 vs 512 (otherwise auto-detected). However, if the partition size is not a multiple of 4096 bytes, LUKS will reject the device altogether. That is also something to keep in mind if you ever resize partitions.
You can check the cryptsetup refresh --persistent --allow-discards --perf* options (this is something you can change anytime later, whereas changing cipher settings requires a reencrypt).
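The size check described in the answer above, as an added example that is not part of the original thread: a pre-flight check to run before `cryptsetup luksFormat --sector-size 4096` or before resizing a partition that holds such a volume. The function names are hypothetical; the device size is read with `blockdev --getsize64` from util-linux.

```shell
#!/bin/sh
# Added example: verify a partition is a whole number of 4096-byte sectors
# before formatting it (or resizing it) with a 4096-byte LUKS2 sector size.

# aligned_size BYTES SECTOR
# Prints the largest multiple of SECTOR that is <= BYTES.
aligned_size() {
    echo $(( $1 / $2 * $2 ))
}

# sector_size_ok BYTES SECTOR
# Exit status 0 when BYTES is a non-zero whole number of SECTOR-byte sectors.
sector_size_ok() {
    [ "$1" -gt 0 ] && [ $(( $1 % $2 )) -eq 0 ]
}

# check_device DEV [SECTOR]
# Reads the real size of DEV (needs root) and reports whether it fits.
# Returns 0 if aligned, 1 if not, 2 if the size could not be read.
check_device() {
    dev=$1
    sector=${2:-4096}
    bytes=$(blockdev --getsize64 "$dev") || return 2
    if sector_size_ok "$bytes" "$sector"; then
        echo "$dev: $bytes bytes, OK for --sector-size $sector"
    else
        echo "$dev: $bytes bytes is not a multiple of $sector;" \
             "nearest smaller aligned size is $(aligned_size "$bytes" "$sector")"
        return 1
    fi
}

# Only touch a device when one is named on the command line,
# e.g.: sh check.sh /dev/nvme0n1p2 4096
if [ $# -ge 1 ]; then
    check_device "$@"
fi
```
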
Great. Thanks frostschutz.
I have...
$ cryptsetup luksDump /dev/disk/by-label/dm_home | grep Flags
Flags: allow-discards no-read-workqueue no-write-workqueue
Simon.