What's the most secure cipher for ssh that can send files at USB3 speeds? (~480Mbps)

Question

I have a gigabit connection between my PC and my server (iperf3 tests show ~930Mbps) and I want to be able to transfer large files as fast as possible. The hard drive on the server is connected via USB3 and it is a Rock64. With ssh (I am using btrbk with ssh) I think the bottleneck is probably ssh because of high CPU usage and hot temps (~60C). I did disable compression although I think it's disabled by default (put it in ~/.ssh/config). I only got speeds of up to 350Mbps maximum but it fluctuated a lot, I don't think the Rock64 can handle the ciphers with that much data. And after a while it slowed to a crawl (less than 1Mbps) for some reason that I'm not sure of. Restarting the transfer worked. (May not be relevant to the question).

I need a cipher that can do about 480Mbps at the least. You can probably lower that number by a bit due to realistic USB3 speeds though. Not too worried about security because it is just Ethernet connections from PC > router > server but no/weak encryption would be overkill anyway. So preferably the most secure cipher that can do above speeds.

Answer 1

Every cipher can support 480Mbps - but many CPUs will be unable to perform that cipher fast enough. So what you are looking for is a fast-enough implementation for your CPU.

The chain of execution is

read from disk -> encrypt -> send over network -> decrypt -> write to disk

So first all you need to make sure, it is really the encryption that hinders you

Start with nc instead of ssh

nc -l -p 9999 > /path/to/destination/file # on the receiving side
nc -N [ip.of.receiver.pc] 9999 < /path/of/original/file # on the sending side

This will take en-/decryption out of the chain and give you an idea of the actual possible speeds.

Next check whether your sending side has hardware-accelerated encryption for some ciphers. Most likely it will not, but it's worth a try.

Trying the arcfour cipher might give you hope

Answer 2

I found an interesting cipher speed blog. It gives you an idea how to measure cipher speed without network.

for i in `ssh -Q cipher`; do dd if=/dev/zero bs=1M count=100 2> /dev/null \
  | ssh -c $i someuser@localhost "(time -p cat) > /dev/null" 2>&1 \
  | grep real | awk '{print "'$i': "100 / $2" MB/s" }'; done

So you can actually measure performance of the ciphers on your specific hardware.