Mobile Ivy Bridge, encrypted Btrfs, and Boxes launch time... oof!

TL;DR; I like Btrfs + encryption, but Boxes is slow on an SSD. Any tips getting virtualization launch time down while staying secure?

First off, kudos to Fedora and especially Silverblue team!

I’m evaluating Silverblue for a home lab (3D CAD/printing) and I figured the most degenerate use case I could think of was Visual Studio Code, running as a snap, running under Ubuntu, running under Boxes. Setup under Boxes was fast and simple, and once vscode launched it was reasonably responsive considering how many layers of sandboxing are involved.

Silverblue feels stable, GTK4 apps are snappy, GTK3 apps aren’t jank, hardware works out of the box, yet I get some gnarly Welcome to the Future vibes seeing a container desktop just work on an early model Chromebook.

I’m trying out Silverblue 34 Beta on the following:

Highlights: Intel Celeron 1007U - Supports Vulkan, but only on Mesa

Launch times are where things fell apart. From Ubuntu up and running, opening code takes 30 to 40 seconds on a SATA 3.0 SSD. Granted, once code is up and running you can live in it.

Having done a bit of research, it looks like my combination of non-AES processor, CoW and virtualization is leading to the performance characteristics.

So I did some basic dd testing with current rpm-ostree update, default partitioning, encryption:

1 GiB dd test is ~35 MiB/s write, ~58 MiB/s read.

For science I secure erased the hard drive and tried again with an unencrypted XFS partition with nothing on it on the same SSD:

1 GiB dd test is ~225 MiB/s write, ~265 MiB/s read.

Ouch, I was expecting a hit in throughput, and I know comparing crypt vs nocrypt is unfair, but this was surprising. Everything launches quicker, in particular GNOME OS Nightly under Boxes… everything from boot times to app launch feels native or near-native in latency. I don’t know how them folks do it.

Now I’m sold on Silverblue, I will be installing it on 420. Problem now is choosing between speed and security. Nothing I create is going to be proprietary, but not encrypting that beautiful black rugged Thinkpad seems wrong.


You are using LUKS encryption with Btrfs on top, right? If that is the case then likely you are experiencing LUKS ‘hide’ the fact the disk is an SSD, so it is not being treated as such.

Check the output of this command:

cat /proc/mounts | grep ssd

If it comes up empty then you need to remount your filesystem with the ‘ssd’ option.

I reformatted since then, but I was on the default Anaconda installer options of Storage Configuration > Automatic and Encryption > Encrypt my data.

So now that 34 is out, I’ve decided to stick with btrfs. After doing some more research, I found this LWN article about Adiantum encryption for devices without hardware AES-NI support:

Adiantum: encryption for the low end

Additionally, I discovered it’s been possible to re-encrypt a mounted LUKS volume for almost a decade:

Milan Broz’s blog: Re-encryption of LUKS device (cryptsetup-reencrypt tool)

So I entered the command:

$ sudo cryptsetup reencrypt -c xchacha12,aes-adiantum-plain64 /dev/<device>

And 10 minutes later I had faster encryption!
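
The three factors raised in this thread (no AES flag on the CPU, Btrfs mounted without `ssd`, and the LUKS data cipher) can be checked together. The script below is an added example, not part of any post above; the sample inputs are constructed, and the function names and the `aes-software` / `aes-hardware` / `adiantum` labels are this example's own.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, not taken from the poster's machine.
CPUINFO_SAMPLE='flags : fpu vme de pse tsc msr pae sse sse2 ssse3 sse4_1 sse4_2 popcnt xsave'
MOUNTS_SAMPLE='/dev/mapper/luks-root / btrfs rw,seclabel,relatime,space_cache,subvol=/root 0 0
/dev/mapper/luks-data /data btrfs rw,seclabel,relatime,ssd,space_cache 0 0
/dev/sda1 /boot ext4 rw,seclabel,relatime 0 0'
LUKSDUMP_SAMPLE='Data segments:
  0: crypt
    offset: 16777216 [bytes]
    cipher: aes-xts-plain64
Keyslots:
  0: luks2
    Cipher:     aes-xts-plain64'

# stdin: /proc/cpuinfo text. Exit status 0 if the "aes" (AES-NI) flag is listed.
has_aes_flag() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]aes([[:space:]]|$)'
}

# stdin: /proc/mounts text. Prints mount points of btrfs filesystems whose
# options contain neither "ssd" nor "ssd_spread".
btrfs_without_ssd() {
    awk '$3 == "btrfs" {
        n = split($4, opt, ","); ssd = 0
        for (i = 1; i <= n; i++) if (opt[i] == "ssd" || opt[i] == "ssd_spread") ssd = 1
        if (!ssd) print $2
    }'
}

# stdin: `cryptsetup luksDump` text (LUKS2 layout). Prints the data-segment cipher;
# the keyslot "Cipher:" lines are capitalised and so are not matched.
luks2_cipher() {
    awk '$1 == "cipher:" { print $2; exit }'
}

# $1: cpuinfo text, $2: luksDump text. Prints which encryption path is in use.
classify() {
    cipher=$(printf '%s\n' "$2" | luks2_cipher)
    case "$cipher" in
        *adiantum*) echo "adiantum" ;;
        aes-*) if printf '%s\n' "$1" | has_aes_flag; then echo "aes-hardware"
               else echo "aes-software"; fi ;;
        *) echo "other" ;;
    esac
}

echo "btrfs without ssd: $(printf '%s\n' "$MOUNTS_SAMPLE" | btrfs_without_ssd)"
echo "encryption path:   $(classify "$CPUINFO_SAMPLE" "$LUKSDUMP_SAMPLE")"
```

On a live system, pass the contents of `/proc/cpuinfo`, `/proc/mounts` and the output of `sudo cryptsetup luksDump /dev/<device>` in place of the samples.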