Source-Changes-D archive


Re: CVS commit: src/crypto/external/bsd/netpgp/dist



Simon Burge <simonb%NetBSD.org@localhost> writes:
> "Perry E. Metzger" wrote:
>
>> [ ... ] Encrypted swap should
>> be the default -- either using cgd or by simply encrypting the blocks as
>> they go in and out without using the cgd layer.
>
> You've benchmarked the effect of this, especially on older hardware?

No, but others have, and it is generally negligible. Why is this the
case? Well, think about it for a moment -- the time to encrypt a disk
block is a tiny fraction of the time needed to write it to disk. It is
true that on older machines there is less processor, but there is also
even less disk bandwidth. The situation is a lot worse if you're
thrashing, but of course the situation is always a lot worse if you're
thrashing.

In any case: there would clearly be a knob to turn this on and off, and it
can even be left off by default, at least on older ports. The problem is
this: it is a significant effort to set this up at all, so no one does
it. If it was trivial to set up, even something listed in sysinst, it
would be widely used, unlike the situation now where it is barely if
ever done.

Perry
-- 
Perry E. Metzger                perry%piermont.com@localhost

