Full-disk encryption is one of those things everyone agrees you should run in production — right up until someone complains that their database server is dog-slow and you realize the NVMe is being choked through a software cipher. Then opinions get complicated.
The bad news: poorly configured LUKS2 absolutely will tank your I/O. The good news: on any machine with AES-NI (everything built after 2010), you can get within a few percent of bare-metal throughput if you know what you’re tuning. This article is that playbook.
We’ll go from kernel internals down to specific cryptsetup flags, cover the gotchas that burn people in production, and end with a reusable benchmark + setup script you can drop on any new server.
How dm-crypt Actually Works
Before touching any knobs, understand what’s happening at the kernel level. When you read or write a block through a dm-crypt device, execution flows like this:
userspace read(fd) →
block layer (BIO) →
device mapper target (dm-crypt) →
kernel crypto API (aead/cipher) →
CPU registers or AES-NI hardware unit →
plaintext/ciphertext →
underlying block device (NVMe, SATA, whatever)
dm-crypt is a device-mapper target — it intercepts block I/O, hands it to the kernel’s crypto subsystem, and passes the transformed blocks down. The crypto API can dispatch to software implementations or hardware accelerators (AES-NI, ARMv8 crypto extensions, etc.) transparently.
LUKS2 is the on-disk format that sits on top of dm-crypt. It stores the volume key (encrypted with your passphrase) in a JSON-based header, supports multiple keyslots, and handles key derivation. dm-crypt doesn’t know or care about LUKS — it just consumes a key. LUKS2 is responsible for getting that key from your passphrase to dm-crypt.
This distinction matters for tuning: dm-crypt performance (I/O throughput) and LUKS2 unlock time (key derivation) are separate problems with separate knobs.
Step 0: Check You Actually Have Hardware Acceleration
This is the first thing you verify. Every other optimization is noise if you’re running software AES.
# Check for AES-NI
grep -m1 -o 'aes\|avx\|avx2' /proc/cpuinfo | head -5
# Check which crypto implementations the kernel is actually using
cat /proc/crypto | grep -A5 'name.*aes'
# The definitive test: look for "(aes-aesni)" in the output
cryptsetup benchmark --cipher aes-xts
On a machine with AES-NI, the cryptsetup benchmark line for aes-xts-plain64 with 256-bit keys should show somewhere north of 2–4 GB/s per core. If you’re seeing 200–400 MB/s, the hardware path isn’t engaged — keep reading.
# Force-load the AES-NI kernel module
modprobe aesni_intel # x86
modprobe aes_ce # ARM
Add aesni_intel to /etc/modules or a .conf file under /etc/modules-load.d/ so it persists. On most distros it loads automatically, but on minimal server images it sometimes doesn’t.
Step 1: Cipher Selection — Stop Using the Wrong Default
cryptsetup historically defaulted to aes-xts-plain64 with a 256-bit key. That’s actually fine — XTS is the right mode for disk encryption and 256-bit AES is the correct call. What people get wrong is the hash algorithm for key derivation and the PBKDF.
Here’s how to set up a new LUKS2 volume with sane production defaults from day one:
# Create a new LUKS2 container on a block device or image file
# Replace /dev/nvme0n1p2 with your actual partition
cryptsetup luksFormat \
--type luks2 \
--cipher aes-xts-plain64 \
--key-size 512 \ # 512-bit key = two 256-bit AES-XTS subkeys
--hash sha256 \
--pbkdf argon2id \
--pbkdf-memory 524288 \ # 512 MiB RAM for KDF (adjust to your RAM headroom)
--pbkdf-parallel 4 \ # number of threads for Argon2
--pbkdf-force-iterations 4 \ # iteration count; tune with benchmark below
--sector-size 4096 \ # match your drive's physical sector size
--label "data-crypt" \
/dev/nvme0n1p2
Why --key-size 512? XTS mode splits the key in half — 512-bit input means two 256-bit AES subkeys. Don’t use 256-bit key-size with XTS; that gives you two 128-bit subkeys, which is weaker than you think.
Why --sector-size 4096? Most modern NVMe drives use 4 KiB physical sectors. Matching this avoids read-modify-write amplification on every write. A mismatch can silently cut write performance by 30–50%. Check your drive’s physical sector size with blockdev --getpbsz /dev/nvme0n1.
Step 2: Argon2id KDF Tuning
LUKS2’s default PBKDF is Argon2id, which is the right choice — it’s memory-hard and resistant to GPU cracking. But the defaults are often miscalibrated for your specific server.
The goal: make the KDF take roughly 2 seconds on unlock on your hardware, while using as much RAM as you can spare without OOM-killing services during a reboot.
# Let cryptsetup benchmark your hardware and suggest parameters
cryptsetup benchmark --pbkdf argon2id
# Or do it interactively — cryptsetup will auto-tune for 2s target
cryptsetup luksChangeKey --pbkdf argon2id --pbkdf-memory 524288 /dev/nvme0n1p2
For automated/headless servers that decrypt on boot via a keyfile (no passphrase typed by a human), you can crank up the memory cost significantly — 1–2 GiB is reasonable if you have the RAM. The unlock time matters for human UX, not for script-based unlocks.
# Check what KDF params are currently on your volume
cryptsetup luksDump /dev/nvme0n1p2 | grep -A 20 "Keyslot 0"
You’ll see output like:
PBKDF: argon2id
Time cost: 4
Memory: 524288
Threads: 4
For a server that boots unattended from a keyfile stored on a TPM or a USB drive, you could push --pbkdf-memory to 2097152 (2 GiB) and --pbkdf-parallel to match your core count. This makes offline brute-force attacks significantly more expensive.
Step 3: dm-crypt Kernel Flags and the Read-Ahead Trap
Opening the LUKS volume for use:
# Basic open
cryptsetup open /dev/nvme0n1p2 data-crypt
# The device is now at /dev/mapper/data-crypt
# Mount it however you like: ext4, XFS, Btrfs, LVM-on-top, whatever
But cryptsetup open has additional flags that significantly affect performance:
# Open with explicit performance options
cryptsetup open \
--perf-no_read_workqueue \ # bypass dm-crypt's async read queue
--perf-no_write_workqueue \ # bypass dm-crypt's async write queue
--perf-same_cpu_crypt \ # encrypt/decrypt on the CPU that submitted the I/O
/dev/nvme0n1p2 data-crypt
The workqueue story is important. dm-crypt historically ran all crypto operations through a kernel workqueue — essentially offloading encryption to a thread pool. This was added to avoid blocking I/O paths, but it introduces latency and CPU context-switching overhead on modern hardware where AES-NI is fast enough that the offload is pure overhead.
Since kernel 5.9+, you can tell dm-crypt to do the crypto inline (same CPU, no workqueue). On NVMe + AES-NI systems this is almost always faster. On systems with slow software AES, the workqueue can help because it allows parallelism. Test both on your hardware.
# To apply these flags to an already-open device without closing it:
cryptsetup refresh \
--perf-no_read_workqueue \
--perf-no_write_workqueue \
/dev/mapper/data-crypt
For systemd-based setups, put this in /etc/crypttab:
# /etc/crypttab
# name device keyfile options
data-crypt /dev/nvme0n1p2 none luks,no-read-workqueue,no-write-workqueue,same-cpu-crypt
The option names in crypttab drop the --perf- prefix and the double dash.
Step 4: Filesystem and I/O Scheduler Alignment
The encrypted block device is now a normal block device from the filesystem’s perspective. But a few things deserve attention:
Filesystem creation — align to the LUKS sector size:
# For XFS (recommended for databases and high-throughput workloads)
mkfs.xfs -s size=4096 /dev/mapper/data-crypt
# For ext4
mkfs.ext4 -b 4096 /dev/mapper/data-crypt
# For Btrfs
mkfs.btrfs --sectorsize 4096 /dev/mapper/data-crypt
I/O scheduler: NVMe drives should use none (no scheduler). SATA SSDs are often fine with mq-deadline or none. Spinning disks usually prefer mq-deadline or bfq. Setting the scheduler on the underlying device is what matters — the dm-crypt layer doesn’t have its own scheduler.
# Check current scheduler
cat /sys/block/nvme0n1/queue/scheduler
# Set it
echo none > /sys/block/nvme0n1/queue/scheduler
# Persist via udev rule in /etc/udev/rules.d/60-ioscheduler.rules:
# ACTION=="add|change", KERNEL=="nvme[0-9]*", ATTR{queue/scheduler}="none"
Read-ahead: dm-crypt devices inherit read-ahead from the underlying device. For sequential-heavy workloads (media, backups), you can bump it:
blockdev --setra 8192 /dev/mapper/data-crypt # 4 MiB read-ahead
Step 5: The Benchmark Script
Here’s a repeatable benchmark to run before and after changes. Save it as bench-crypt.sh:
#!/usr/bin/env bash
# bench-crypt.sh — dm-crypt throughput and latency benchmark
# Run as root. Requires fio and cryptsetup.
set -euo pipefail
DEVICE=${1:-/dev/mapper/data-crypt}
RUNTIME=30
echo "=== Cipher benchmark (CPU caps) ==="
cryptsetup benchmark
echo ""
echo "=== Sequential throughput (fio) ==="
fio --name=seq-read \
--filename="$DEVICE" \
--rw=read \
--bs=1M \
--direct=1 \
--numjobs=4 \
--iodepth=32 \
--runtime=$RUNTIME \
--time_based \
--group_reporting \
--output-format=terse | awk -F';' '{print "READ: "$7" KB/s"}'
fio --name=seq-write \
--filename="$DEVICE" \
--rw=write \
--bs=1M \
--direct=1 \
--numjobs=4 \
--iodepth=32 \
--runtime=$RUNTIME \
--time_based \
--group_reporting \
--output-format=terse | awk -F';' '{print "WRITE: "$48" KB/s"}'
echo ""
echo "=== Random 4K IOPS ==="
fio --name=rand-rw \
--filename="$DEVICE" \
--rw=randrw \
--bs=4k \
--direct=1 \
--numjobs=8 \
--iodepth=64 \
--runtime=$RUNTIME \
--time_based \
--group_reporting \
--output-format=terse | awk -F';' '{
printf "READ IOPS: %s | WRITE IOPS: %s | READ LAT(us): %s | WRITE LAT(us): %s\n",
$8, $49, $40, $81
}'
Run this against the raw block device, then against the dm-crypt device, and compare. On a well-tuned system with AES-NI, the overhead should be under 5% for sequential and under 10% for random I/O.
Gotchas
Gotcha #1 — LUKS2 header loss = total data loss. The LUKS2 header lives in the first few megabytes of the device. One bad dd, one mispartitioned drive, one accidental format — and you’ve lost access to everything. Back up the header:
cryptsetup luksHeaderBackup /dev/nvme0n1p2 \
--header-backup-file /secure/backup/nvme0n1p2.luks2.header.bak
Store this off the encrypted device, obviously. This file, combined with your passphrase or keyfile, can recover the volume from a corrupted or overwritten header.
Gotcha #2 — Swap and hibernate. If you have an unencrypted swap partition and you use hibernate, your RAM (including the plaintext of your "encrypted" data) gets written to disk unencrypted. Either encrypt swap too (/etc/crypttab with swap option), or disable hibernate, or use a LUKS2 swap partition. Don’t half-do it.
Gotcha #3 — --sector-size mismatches and silent perf kills. If you create a LUKS2 volume with --sector-size 512 on a drive with 4 KiB physical sectors, every 4 KiB write from the filesystem becomes four 512-byte encrypted sectors. This works but is measurably slower and generates more write amplification. Always check blockdev --getpbsz before formatting.
Gotcha #4 — The "no_read_workqueue" flag isn’t persistent by default. If you set --perf-no_read_workqueue at open time but you’re not using a crypttab option or a systemd unit that passes it, a reboot (or a systemctl restart of whatever opened the volume) will silently revert to workqueue mode. Verify after every reboot with:
dmsetup table /dev/mapper/data-crypt | grep no_read_workqueue
Gotcha #5 — Argon2id memory cost vs. early-boot RAM. If your initramfs/initrd is unlocking the LUKS volume during boot, the available RAM at that point is lower than on a fully-booted system. With --pbkdf-memory 2097152 (2 GiB), you might get OOM errors during boot on a machine with 4 GB RAM, because the initramfs hasn’t set up swap yet. Size your KDF memory cost to a fraction (≤25%) of your system’s total RAM, with the initramfs environment specifically in mind.
Gotcha #6 — Discard/TRIM leaks metadata. Passing --allow-discards to cryptsetup open (or using the discard mount option) allows TRIM commands to pass through the crypto layer to the underlying SSD. This can improve SSD lifespan and performance but leaks information: an observer watching the disk can see which sectors are in use vs. free, which can reveal filesystem structure or even content patterns. For threat models where physical device inspection is a risk, don’t use discard on encrypted volumes.
Production Setup: Automated Unlock with a TPM2 Keyfile
For servers that need to reboot unattended but where you want the key tied to hardware state:
# Install clevis and the TPM2 tools
apt install clevis clevis-luks clevis-tpm2 initramfs-tools
# Bind a LUKS2 slot to TPM2 PCR state
# PCRs 0,1,2,3 cover firmware + boot config
# PCR 7 covers Secure Boot state
clevis luks bind -d /dev/nvme0n1p2 tpm2 \
'{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,7"}'
# Rebuild initramfs so the unlock hook is included
update-initramfs -u -k all
This binds a new LUKS2 keyslot to the TPM’s Platform Configuration Registers. If the firmware, boot order, or Secure Boot state changes, the TPM refuses to unseal the key and the server won’t boot unattended — exactly the behavior you want. An attacker who pulls the NVMe and puts it in a different machine can’t decrypt it.
The passphrase-based keyslot stays active as a recovery path. Keep that passphrase in a hardware password manager, not on the server.
Pulling It All Together
Here’s a condensed "do it right the first time" checklist:
- Verify
aesni_intelis loaded and/proc/cryptoshows hardware AES - Format with
--sector-size 4096matching your drive’s physical sector size - Use
--key-size 512withaes-xts-plain64(two 256-bit subkeys) - Set Argon2id memory cost to ≤25% of RAM, targeting 2s unlock on your hardware
- Open with
--perf-no_read_workqueue --perf-no_write_workqueueif kernel ≥5.9 - Match filesystem block size to LUKS sector size
- Set NVMe I/O scheduler to
none - Back up the LUKS header to offline storage
- Consider TPM2 binding for unattended server reboots
- Decide explicitly on TRIM: performance vs. metadata leakage tradeoff
With all of this in place, a modern server with NVMe and AES-NI runs encrypted storage at effectively line rate. The "encryption costs 30%" story is a decade out of date — it’s a config problem, not a hardware problem.
For further reading, the authoritative reference is the cryptsetup FAQ on gitlab.com/cryptsetup/cryptsetup and the kernel documentation under Documentation/admin-guide/device-mapper/dm-crypt.rst. The dm-crypt source itself is readable — drivers/md/dm-crypt.c in the kernel tree — if you want to understand exactly when the workqueue decision is made and what same_cpu_crypt changes at the BIO submission level.