Doing encryption on the fly, on an entire filesystem for instance can be a very intensive process and bound by the CPU’s ability to decrypt or encrypt during reads and writes. I’ve run into just such a situation where disks are idle awaiting data to be encrypted. I encountered disk performance of roughly 300M/s writes on an unencrypted volume and roughly 100M/s when encryption was enabled. Not to mention a nearly %50 decrease in IOPS when using iometer for performance testing. Fortunately, with the correct hardware there is hope for a major improvement in performance by way of Intel’s Westmere CPU hardware accelerated AES instruction set called AES-NI.
The instructions were designed to implement some of the complex and performance intensive steps of the AES algorithm using hardware and thus accelerating the execution of the AES algorithms. AES-NI can be used to accelerate the performance of an implementation of AES by 3 to 10x over a completely software implementation.
The AES-NI ecosystem is growing and patches exist for openssl among other tools and I would expect more support to be available soon.
If you are using existing crypto libraries that provide the crypto functionalities including AES, all you need to do is recompile your applications to include the latest libraries.