Why should there be hardware acceleration and more crypto moduls in the kernel:
Hardware acceleration with AES-NI is 6-8 times faster. That is the case for many things like https, other SSL connections, SSH and also disk encryption. The kernel encryption/decryption implemetation is faster than just userspace software, becasue it is more optimized and using even hardware acceleration if possible, when you enable optimization/acceleration.
When the kenrel supports a more complete set of encryption, than the community is able to build addons that are using/needing the kernel crypto support.
Why would some one use disk encryption:
There are at least 2 reasons.
One is encryption at rest, so that data on the disk are encrypted and you can throw it away without thinking about the data. For HDDs you can overwrite them, when they are still working, but failed HDDs have still data and you can not properly delete them. The seconds case can be solved with a degausser, but thats about $ 20.000 (i bought 2 at work). For SSDs proper deleting through overwriting is not really possible, because of wearleveling technics of the SSD controller you will never reach all flash cells.
The 2nd one is protecting your data, because you dont want somebody to access them. But these data are only cold secure, that means if it is swicthed off nobody can access it without your password or key. I see that used more and more for portable data devices (HDD, SSD, USB Stick). Also Android does encrypt the user data by default since Android 6, when you setup a PIN or password. iPhones doing that a lot longer.
I propose to add more support for encryption and dm-crypt in the kernel. Encryption will be faster for e.g https and the community can build addons based on that.
I would also like to include cryptsetup in LE, so that it is possible to use encrypted block devices. If cryptsetup is not included i can still build a addon, when the dm-crypt kernel support is included.
With cryptsetup it is possible to use luks, loopaes, veracrypt, truecrypt encrypted devices. A veracrypt USB disc needs to be first open by cryptsetup and then you could normal mount e.g. a ntfs filesystem. There is no GUI for that in my proposal. I am not the right person to build a GUI portion for that, but with the kernel support and cryptsetup it is poosible to build a addon for that.
The kernel image is growing about 16KB on Generic x86_64 and the system image about 1.5MB (cryptsetup included).
I have now (finally) my own github account with a forked LibreELEC repo and created Pull Requests for the features, but so far only in my own repo.
For cryptsetup and dependencies:
and this wil only be build if the kernel supports CONFIG_DM_CRYPT. The next 3 PR will do that.
For the kernel modules i have covered 3 projects so far:
I am happy to provide patches for the other architectures. On Generic/RPi2 i use this every day (my LE userdata is encrypted).
If somebody wants to try, you will find my builds here HiDrive and in the noni subfolder is a version without crypto hardware acceleration. The easiest way to test ist "cryptsetup benchmark --cipher aes-xts" with and with out hw acceleration. I will also add the pure le master, so that you can see the size difference and this will be in the orig subfolder.
Thanks for reading and hopefully considering it
sky42
I will release a 6.42 with autofix for Gemini lake HDMI patch, there is already a test version since 12 days.