Posted by alex on Feb 1st, 2013

This post presents benchmarks I've run on Windows 7 Pro running on an mSATA M4 SSD. Full disk encryption is accomplished with DiskCryptor 1.0.757.115 and TrueCrypt 7.1a. If you don't care about my intro, jump to the pictures!

For a few years I've seen a lot of disinformation regarding SSD software encryption on the Internet. So let's make it clear:

  • Yes, wear leveling might expose unencrypted data on the drive; that is why it is important to encrypt the drive before moving secure data to it.
  • No, encryption will not shorten the useful life of the drive. Traditionally, the operating system works at the sector level. Change one single bit and the whole sector needs to be rewritten. A sector is usually 512 bits. Encryption is usually performed on blocks ranging from 128 to 512 bits.
  • Yes, hibernation time will suck big time. With both tools.
  • Bonus: You'll be disappointed if you buy a SandForce-based SSD hoping to get the announced performance. SandForce compresses data to achieve its impressive performance. Sadly, encrypted data is incompressible.
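Why the SandForce point holds, as an added example that is not part of the original post: it compares how well zlib compresses a constructed 64 KiB sample before and after sector-by-sector encryption. The SHA-256 keystream stands in for the tools' AES (an assumption, so the script needs only the standard library), and `SECTOR_BYTES`, the key and the sample text are constructed for illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

SECTOR_BYTES = 512  # sector size assumed for this sketch


def keystream_encrypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR one sector with a SHA-256 counter-mode keystream (stand-in cipher).

    Assumption: replaces the AES used by the disk tools, because the Python
    standard library has no AES; ciphertext statistics are what matter here.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = sector_no.to_bytes(8, "little") + off.to_bytes(8, "little")
        pad = hashlib.sha256(key + counter).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def encrypt_volume(key: bytes, volume: bytes) -> bytes:
    """Encrypt sector by sector, as a full-disk encryption driver does."""
    return b"".join(
        keystream_encrypt(key, n // SECTOR_BYTES, volume[n:n + SECTOR_BYTES])
        for n in range(0, len(volume), SECTOR_BYTES)
    )


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed sample: 64 KiB of repetitive log-like text (compressible data).
PLAIN = (b"2013-02-01 12:00:00 INFO service started, status=ok\n" * 2000)[:65536]
CIPHER = encrypt_volume(b"constructed-demo-key", PLAIN)

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAIN), ("encrypted", CIPHER)):
        print(f"{name}: ratio={compression_ratio(blob):.3f}, "
              f"entropy={entropy_bits_per_byte(blob):.2f} bits/byte")
```

A compressing controller sees only the second kind of data once the volume is encrypted, so it has nothing left to shrink.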

I found two issues in DiskCryptor: its filter driver approach breaks Resmon disk access monitoring, and encrypted hard drives never spin down. I reported these in 2008 and they are not yet fixed (if fixable). Also, the author uses lowercase "mb" and "gb" while it's "MB" and "GB". Nitpicking, but the guy is supposedly knowledgeable about disk drivers and cryptography...

Test protocol:

  1. The SSD is installed in the mSATA port (SATA II only) of a ThinkPad X220 i7 and has been filled with random data to make sure all sectors were written to at least once.
  2. Windows 7 Pro was installed on the SSD.
  3. Superfetch, Windows Search, Media streamer, and Defragmenter were disabled.
  4. SSD optimizations were enabled in both encryption tools.
  5. I encrypted and decrypted the SSD in turn with TrueCrypt and DiskCryptor, using hardware-accelerated AES.

The benchmarks were done with AS SSD Benchmark 1.7.4739 because it is file based, directly testing the underlying encryption.

Each benchmark was run three times, with a reboot between each run. For this post, I picked only the best performance in each category because the results were very consistent, with a difference of at most 5%.

 

No encryption

[Image: AS SSD Benchmark results, no encryption]

TrueCrypt

[Image: AS SSD Benchmark results, TrueCrypt]

DiskCryptor

[Image: AS SSD Benchmark results, DiskCryptor]

As we can see, DiskCryptor is pretty darn close to native performance, while TrueCrypt doesn't scale very well to threaded random accesses. With both results you'd get that snappy feeling typical for SSDs, but for certain applications DiskCryptor certainly has an edge.

11 comments
Guest:
According to your tests, DiskCryptor would be faster than unencrypted.

I think you should test again more carefully, as these results seem questionable.
alex (Administrator):
In my opinion that is normal variation because DiskCryptor is basically the same speed as unencrypted.

In some runs DiskCryptor was faster, in others unencrypted was faster.

But if you have similar benchmarks that contradict my findings to propose, I will gladly add them to my post.
Guest:
Did the drive encryption include the 100mb reserved partition that Windows 7 creates or did you just make a single partition before installing Windows?
alex (Administrator):
I made a single partition.
Guest:
I have had similar results using this same software. Diskcryptor seems to walk all over Truecrypt. It makes me wonder if Diskcryptor is actually doing its job properly. Yes, DC is faster but TC is more reassuring.
alex (Administrator):
They use different approaches for their drivers. Diskcryptor declares itself as a filter to Windows and it just sits between Windows and the hard drive. Truecrypt seems a bit more complex. For normal volumes they use a virtual drive approach but I do not know if it is the same for FDE. Diskcryptor also did further development for SSD optimizations; there were several patches submitted through its forum.

That being said, I completely agree with you, Truecrypt is well known and relatively trusted. I spent much time trying to find arguments to convince myself to go one way or another, but I found mostly hearsay.

Truecrypt partitions have the advantage of being easily salvageable because of their compatibility with Linux and the broad availability of live distributions.

I guess I'll see which of my laptops, Truecrypt or Diskcryptor, will be cracked first should I ever be in big trouble with the government :P.
Guest:
FWIW, my results with AS SSD are (read/write/total):

Unencrypted: 214/104/419
Truecrypt: 55/55/104
Diskcryptor: 163/113/358
Symantec/PGP: 144/106/325

Obviously there are too many variables but the general picture stays the same. You will see that Symantec/PGP falls between DC and TC; the figures for TC really are very poor indeed. Furthermore, I trust the PGP product as a large team is involved in engineering it and I doubt a big name such as Symantec could risk the publicity of having flaws or backdoors in their software!
Guest:
I bet that decrypting a DiskCryptor partition is as fast as using it encrypted. It wouldn't make sense otherwise. There are also BIOS exploits for DiskCryptor, so enjoy yourself being unsafe. TrueCrypt is trusted, and decrypting TrueCrypt is going to take years even for 5-10 of NASA's supercomputers.
alex (Administrator):
If you are talking about the BIOS buffering keyboard input during pre-boot auth, it has been fixed in DiskCryptor 0.3, 5 years ago. By the way, the issue was also present in TrueCrypt up to version 5.0.
Guest:
Sorry, old post you'll prob never see but.... Do these results rely on having an AES-NI processor? Or is it that fast with a regular non-AES-NI processor?
alex (Administrator):
Hello Guest,
That is correct, those tests were made on a computer with AES-NI enabled.
I have to agree it would've been nice to compare the "raw" algorithm used by each encryption program. Maybe I'll run a new set of tests some day :)