From owner-freebsd-questions@FreeBSD.ORG Mon Aug 25 10:16:04 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6655A8DC for ; Mon, 25 Aug 2014 10:16:04 +0000 (UTC) Received: from mail.cyberleo.net (paka.cyberleo.net [216.226.128.180]) by mx1.freebsd.org (Postfix) with ESMTP id 425013923 for ; Mon, 25 Aug 2014 10:16:03 +0000 (UTC) Received: from [172.16.44.4] (vitani.den.cyberleo.net [216.80.73.130]) by mail.cyberleo.net (Postfix) with ESMTPSA id 5E13F13654; Mon, 25 Aug 2014 06:07:58 -0400 (EDT) Message-ID: <53FB0AFD.6010507@cyberleo.net> Date: Mon, 25 Aug 2014 05:07:57 -0500 From: CyberLeo Kitsana User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Scott Bennett , kpneal@pobox.com Subject: Re: some ZFS questions References: <201408070816.s778G9ug015988@sdf.org> <40AF5B49-80AF-4FE2-BA14-BFF86164EAA8@kraus-haus.org> <201408211007.s7LA7YGd002430@sdf.org> <20140822005911.GA52625@neutralgood.org> <201408241027.s7OARfEK004658@sdf.org> In-Reply-To: <201408241027.s7OARfEK004658@sdf.org> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Aug 2014 10:16:04 -0000 On 08/24/2014 05:27 AM, Scott Bennett wrote: > kpneal@pobox.com wrote: >> What's the harm in encrypting all the data? > > High CPU overhead for both reading and writing is the main downside. AES-NI is fully supported for recent Intel CPUs, and can achieve some pretty impressive throughputs. >> >> In fact, encrypting all data is more secure. If you only encrypt the data > > Sure, but why do it if the data don't need to be secret? Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk fails, you can't always erase it before sending it back for RMA replacement. One of the things with which I've been experimenting lately is standing encryption on my data storage pools. The intent here is not to protect the data against an attacker; rather, to ease maintenance burden. However, the details I have gathered are useful nevertheless. I'm currently running a 30TB† 10-disk zpool on a machine with a Haswell CPU and, with AES-NI, the encryption operation is faster than the throughput of all disks combined; there is no perceptible performance impact. When a disk failed recently, it was so much easier to simply destroy the key material rather than having to worry about somehow securely erasing a device that was not always responsive before shipping it back for replacement. I have a lot of failed hard drives. †Okay, only about 20TB after rounding errors, redundancy, and spare capacity; but 30TB 'raw'. -- Fuzzy love, -CyberLeo Technical Administrator CyberLeo.Net Webhosting http://www.CyberLeo.Net Furry Peace! - http://www.fur.com/peace/