[opensuse-factory] time to unlock fully encrypted partition
Hi, I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi). When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears. I feel this is much too long.... Has anyone a similar experience? Cheers Axel -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
W dniu 08.03.2020 o 14:10, Axel Braun pisze:
Hi,
I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi). When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.
I feel this is much too long....
Has anyone a similar experience?
Cheers Axel
This might be useful: https://unix.stackexchange.com/questions/369414/grub-takes-too-long-to-unloc... The size of disk is not important. 20 seconds is indeed too long. What CPU do you have?
On 3/8/20 8:10 AM, Axel Braun wrote:
I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi). When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.
I feel this is much too long....
Has anyone a similar experience?
Perhaps around 10 seconds, running in a KVM virtual machine. Around 1 second on a real machine. However, I am using "ext4". It is probably slower with "btrfs". I don't have "btrfs" and encryption on the same machine, but "grub" loading a menu from "btrfs" is noticeably slower than loading its menu from "ext4". -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
W dniu 08.03.2020 o 17:59, Neil Rickert pisze:
On 3/8/20 8:10 AM, Axel Braun wrote:
I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi). When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.
I feel this is much too long....
Has anyone a similar experience?
Perhaps around 10 seconds, running in a KVM virtual machine. Around 1 second on a real machine.
However, I am using "ext4". It is probably slower with "btrfs". I don't have "btrfs" and encryption on the same machine, but "grub" loading a menu from "btrfs" is noticeably slower than loading its menu from "ext4".
Filesystem is irrelevant here. Encryption is done by LUKS, which is a layer between raw block device and filesystem.
On 3/8/20 12:10 PM, Adam Mizerski wrote:
Filesystem is irrelevant here. Encryption is done by LUKS, which is a layer between raw block device and filesystem.
I thought maybe BTRFS is doing some other checks/maintenance stuff, and not necessarily encryption related. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sun, Mar 8, 2020 at 12:26 PM ITwrx <info@itwrx.org> wrote:
On 3/8/20 12:10 PM, Adam Mizerski wrote:
Filesystem is irrelevant here. Encryption is done by LUKS, which is a layer between raw block device and filesystem.
I thought maybe BTRFS is doing some other checks/maintenance stuff, and not necessarily encryption related.
No. The GRUB btrfs code is not the same as the kernel code, it's there only for reading Btrfs and isn't more complicated than GRUB md+LVM+XFS code. I see some checksumming code in GRUB btrfs.c but I can't tell if it verifies all or just some checksums, but in any case there are few small files being read, and even without hardware accelerated crc32c, it's cheap and can't account for such delays. But the GRUB crypto code is complicated, and also it's likely a RAM limited environment, where the whole point of PBKDF is to make it expensive to brute force attack the key. -- Chris Murphy -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 3/8/20 12:10 PM, Adam Mizerski wrote:
Filesystem is irrelevant here. Encryption is done by LUKS, which is a layer between raw block device and filesystem.
It depends on what you are measuring. The time until grub says "Slot 0 opened" (or similar) involves mostly encryption. The time from there until it displays the menu involves negotiating the file system. In my experience, the second time (the time for the menu to display) is longer than the time for the basic crypto (I'm not counting the time it takes to type in the encryption key). -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEv7/MJoKYXv2p0PaIZJcsjNEnCIUFAl5lgBQACgkQZJcsjNEn CIWyBggA0tPspou3eIeT/W/NYmfb0No631G18P/xopkVaaPrHhA2+WGQsD9BOSmG 6oPwn3ooy6p4lEyTabuEkQ6xKbvkZPt7wDuCFhQFZU7XWs035hQnPVK2UAMfpbQS 0IxMdj05T9l8jskS4UR8dK5AdTb9RKOiObjRWrPcPlenTprmFy7umcEWpr1I7sjv e400LYyi/xmJlCy2OpMIzjyJUx5slERDlT9zzIeSiXPmuskTrdAsIYHRYq1Z7P+j 4bHwVxdq3+8vzHazfRhxJrueIcZnrsnL7PSI2vuP4/AdG0LLstm0lkjoSZiL2yt/ ZcTiezlU3PzfzzZ+4fVFk0LbnlxHLg== =PHDr -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sun, Mar 8, 2020 at 5:30 PM Neil Rickert <nrickert@ameritech.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 3/8/20 12:10 PM, Adam Mizerski wrote:
Filesystem is irrelevant here. Encryption is done by LUKS, which is a layer between raw block device and filesystem.
It depends on what you are measuring.
The time until grub says "Slot 0 opened" (or similar) involves mostly encryption. The time from there until it displays the menu involves negotiating the file system.
In my experience, the second time (the time for the menu to display) is longer than the time for the basic crypto (I'm not counting the time it takes to type in the encryption key).
True, but I'd only expect this to be significant on large Btrfs file systems. There is a slow mount time optimization in more recent kernels, no idea if that would be useful or possible in the GRUB btrfs code. -- Chris Murphy -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 3/8/20 11:59 AM, Neil Rickert wrote:
On 3/8/20 8:10 AM, Axel Braun wrote:
I have a new TW installation with a 940GB encrypted root partition (including /boot, excluding /boot/efi). When starting the machine, grub asks in text mode for the passphrase. After entering the passphrase, it takes about 20s until the graphical boot screen appears.
I feel this is much too long....
Has anyone a similar experience? Perhaps around 10 seconds, running in a KVM virtual machine. Around 1 second on a real machine.
However, I am using "ext4". It is probably slower with "btrfs". I don't have "btrfs" and encryption on the same machine, but "grub" loading a menu from "btrfs" is noticeably slower than loading its menu from "ext4".
Yes. I have encrypted BTRFS and it is very slow (to put it in polite terms). i assumed it was all BTRFS' fault, because i am new to BTRFS. I'm coming from Arch Linux and had been using systemd-boot for a while, and didn't consider it being due to Grub and disk encryption. Now, i'm guessing it's a little of both. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
Adam Mizerski -
Axel Braun -
Chris Murphy -
ITwrx -
Neil Rickert