Comment Re:That's what people don't seem to understand (Score 1) 118
That's nice if you have a selected Intel chip, but many sold today lack such modern extensions, including the i3 you mention.
For the rest, it would great if SSH supported high-speed software crypto like Salsa20 or the improved ChaCha variant. Even on my ancient Athlon 64 fileserver, Salsa20/8 and ChaCha8 would give me perfectly usable crypto at < 5 cycles/byte. That is roughly 400MB/s, and modern chips get closer to 2 cycles/byte and at twice the clock rate with more cores. At this point, aggregate crypto performance is several GB/s, and hardware AES is basically unnecessary.
Unfortunately, I'm stuck with AES which is slow as hell. Or AES-XTS on disk, which is even worse. The Salsa20 key/iv setup is virtually free, and while it is not suited to generic block crypto, it would be perfect for an encrypting filesystem. (XSalsa20 affords 24 bytes of nonce within which to put a transaction# + disk ID + block# avoiding all the expense of a mode like XTS.)