SOLVED: LUKS Encryption and Performance

This is merely an academic question really.

But I wanted to find out whether using disk encryption such as LUKS impacts performance only at boot or 100% of all disk activity, meaning even after boot for interactions with the operating system for running applications or executing CLI commands and so on.

I am merely looking for a boiled down answer if at all possible with a response of:

  • Only at boot, or
  • 100% of the time

I am hoping it is possible to get a binary answer on this anyway.

Thank you,
Warron

All the time - think about it, every time you read/write to disk there's crypto going on. AES-NI in your CPU helps a lot if you're using a supported algo.

Run cryptsetup benchmark to see the best for your CPU. I bet it'll be aes-cbc or aes-xts 256-bit by a long way.

1 Like
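The cryptsetup benchmark suggestion above, as an added example that is not part of the original thread: a small script that ranks the benchmark rows by the slower of the two directions, since a mounted LUKS volume decrypts on every read and encrypts on every write. The sample output is constructed (the numbers are not measurements), and the function names rank_ciphers and crypto_is_bottleneck are hypothetical helpers.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `cryptsetup benchmark`
# (numbers are made up, not measured on any real machine).
SAMPLE_BENCH='# Tests are approximate using memory only (no storage IO).
#     Algorithm |       Key |      Encryption |      Decryption
        aes-cbc        128b      1050.0 MiB/s      3300.0 MiB/s
    serpent-cbc        128b        90.0 MiB/s       650.0 MiB/s
        aes-cbc        256b       800.0 MiB/s      2600.0 MiB/s
        aes-xts        256b      1900.0 MiB/s      1850.0 MiB/s
    twofish-xts        256b       380.0 MiB/s       385.0 MiB/s
        aes-xts        512b      1500.0 MiB/s      1480.0 MiB/s'

# rank_ciphers (hypothetical helper): read benchmark text on stdin and
# print "<slower-direction MiB/s> <cipher> <key size>", fastest first.
# Only rows with two "MiB/s" columns are cipher rows; headers and
# PBKDF lines are skipped.
rank_ciphers() {
    awk '$4 == "MiB/s" && $6 == "MiB/s" {
             m = ($3 + 0 < $5 + 0) ? $3 : $5
             printf "%.1f %s %s\n", m, $1, $2
         }' | sort -rn
}

# crypto_is_bottleneck DISK_MIBS (hypothetical helper): exit 0 if even
# the best-ranked cipher is slower than the raw disk throughput given,
# meaning the encryption layer would cap I/O; exit 1 otherwise.
crypto_is_bottleneck() {
    best=$(printf '%s\n' "$SAMPLE_BENCH" | rank_ciphers | head -n 1 | cut -d' ' -f1)
    awk -v c="$best" -v d="$1" 'BEGIN { exit !(c + 0 < d + 0) }'
}

# On a real system, replace the sample with: cryptsetup benchmark | rank_ciphers
printf '%s\n' "$SAMPLE_BENCH" | rank_ciphers

# 550 MiB/s is an assumed raw throughput for a SATA SSD.
if crypto_is_bottleneck 550; then
    echo "cipher is slower than the disk: encryption limits throughput"
else
    echo "cipher is faster than the disk: the disk remains the limit"
fi
```

The cost is still paid on every read and write; the comparison only shows whether it is large enough to become the limiting factor for a given disk.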

All of the time. It is not something you would notice.

1 Like

Thank you both, I have not done any real research on the use of LUKS but have been interested in it for quite some time. I have been learning and trying to master the concepts of PKI over the last six years.

During boot time. And this is a very good question.

Intuitively, when people hear "disk encryption", it is assumed encryption is enabled at all times. The reality is that this is true if it is hyperconverged or hypervisor storage. Even NAS and SAN devices have this capability.

For LUKS it is different.

  • Disk-encryption solutions such as LUKS protect the data only when your system is off.

After the system is on and LUKS has decrypted the disk, the files on that disk are available to anyone who has access to them.

Now, if there is another application providing file-level encryption instead of disk-level, that is a totally different scenario and you must not use LUKS in this scenario. LUKS is disk-level encryption.

I hope this helps. Check this article as reference: