I was having performance issues downloading at 1 Gbps to my fully encrypted 3500 MB/s NVMe, which left the system unresponsive for a second or two, especially with Steam, which does CPU- and I/O-intensive tasks while downloading games, related to decompressing and shader processing.
I found this article from Cloudflare claiming that dm-crypt queuing is an unnecessary overhead with fast storage: Speeding up Linux disk encryption
If not, the bottleneck is maybe using AES for disk encryption (it is used by default as most models have it). If the kernel cannot use a hardware-implementation (which is AES-NI), it has to fall back to a software implementation, which is a strong bottleneck (the bugzilla report below contains a comparison as example).
You can check with lscpu or lscpu | grep aes (there has to be a flag “aes”) or by checking your CPU model on the vendor website.
none, the default for NVMe. The first thing I did was try changing it to bfq, and it helped with responsiveness but decreased throughput; changing dm-crypt flags was the best solution overall.
I agree. While this is just anecdata, overall performance seems to be better with the flags set, and this is especially noticeable when dnf update is installing a large package like kernel-headers.
I just added the lines to the /etc/crypttab with an Enter before.
sudo dracut --regenerate-all --force ✘ 1
dracut: Can't write to /boot/efi/762dea3743ad4b369882c46e6992d7e9/6.2.13-300.fc38.x86_64: Directory /boot/efi/762dea3743ad4b369882c46e6992d7e9/6.2.13-300.fc38.x86_64 does not exist or is not accessible.
I am on Fedora Kinoite (kinoite-main from ublue) so this will probably be different. Would just updating to a new image fix the issue, as dracut will be reloaded?
I’m currently using Silverblue and initramfs seems to be handled differently, so I did this:
$ sudo dmsetup table
When the flags are enabled you’ll see allow_discards no_read_workqueue no_write_workqueue at the end; that’s probably not the case after editing crypttab. You have to copy the device name from the output (it’s in the first column, luks-blablabla), then you can run:
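
The check described above (looking for no_read_workqueue and no_write_workqueue at the end of each crypt line of the dmsetup table output), as an added example that is not part of the thread and is not the command the post goes on to give. The sample table, its luks-aaaa style names and the key fields are constructed placeholders.

```shell
#!/bin/sh
# Added example: report, for every dm-crypt mapping, whether the
# workqueue-bypass flags are active. Reads `dmsetup table` text on stdin.
crypt_workqueue_status() {
    awk '
    $4 == "crypt" {
        name = $1
        sub(/:$/, "", name)          # strip the trailing colon from the name
        rd = "no"; wr = "no"
        # Fields 5-9 are cipher, key, iv_offset, device and offset.
        # Field 10, when present, is the number of optional parameters,
        # and the optional parameters themselves start at field 11.
        for (i = 11; i <= NF; i++) {
            if ($i == "no_read_workqueue")  rd = "yes"
            if ($i == "no_write_workqueue") wr = "yes"
        }
        printf "%s no_read_workqueue=%s no_write_workqueue=%s\n", name, rd, wr
    }'
}

# Constructed sample input (not real output from any system).
sample_table() {
    cat <<'EOF'
luks-aaaa: 0 1000000 crypt aes-xts-plain64 :64:logon:cryptsetup:aaaa-d0 0 259:3 32768 3 allow_discards no_read_workqueue no_write_workqueue
luks-bbbb: 0 2000000 crypt aes-xts-plain64 :64:logon:cryptsetup:bbbb-d0 0 259:4 32768 1 allow_discards
luks-cccc: 0 3000000 crypt aes-xts-plain64 :64:logon:cryptsetup:cccc-d0 0 8:2 32768
fedora-root: 0 500000 linear 253:0 2048
EOF
}

# Stand-alone run over the constructed sample; non-crypt targets are skipped.
sample_table | crypt_workqueue_status
```

On a real system, pipe the output of sudo dmsetup table into crypt_workqueue_status instead of the sample.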