Do Son 
DragonFlyBSD has finally received a long-awaited and noteworthy enhancement—last week, a new disk encryption module named dm_target_crypt_ng was integrated into the system. This is a reimagined version of the DM-crypt module, designed to be compatible with its Linux counterpart. The development is led by Michael Neumann, a prominent contributor to the DragonFlyBSD project.
Unlike its predecessor, the new module no longer relies on the outdated and maintenance-heavy opencrypto and cryptodev subsystems. Instead, it employs a dedicated suite of symmetric block cipher implementations, significantly simplifying the architecture and eliminating asynchronous pitfalls that previously caused system freezes and responsiveness issues.
One of the most impactful improvements lies in the enhancement of system interactivity. Under the old module, running intensive benchmarks—such as blogbench—would cause the system to “freeze,” halting mouse movement and degrading overall responsiveness. The dm_target_crypt_ng module is free from this flaw: even under heavy load, the cursor glides smoothly, and system performance remains consistent. In fact, benchmark results show slight gains—for instance, read operations increased from 200,000 to 203,000.
Technically, the module introduces a dual-thread-pool architecture, with each pool bound to a specific processor: one handles decryption (read), the other encryption (write). This design ensures a more equitable distribution of workload. Reading requires no additional memory, while writing continues to use a shared queue to encrypt data before dispatch.
Currently, the module supports only two encryption algorithms: AES-CBC and AES-XTS. Other algorithms—such as Twofish and Serpent, known for their robustness but lacking hardware acceleration—are temporarily disabled but may be reinstated if needed.
The new module is available for immediate testing. Users can enable it by adding the following line to their configuration file:
dm_target_crypt_ng_load=YES
in /boot/loader.conf. However, there’s a caveat: when using swapon, the module may not load automatically, as the utility still searches for the legacy dm_target_crypt.
Michael Neumann plans to make dm_target_crypt_ng the default and eventually retire the older module, pending further testing and community feedback. In recent days, updates have already been committed to the repository, including API refinements and reintroduction of Twofish and Serpent in both CBC and XTS modes.
DragonFlyBSD has not issued a stable release in over two years—the last being version 6.4 in 2022. One can hope this new encryption module will be part of an imminent release that consolidates the project’s many accumulated improvements.
