Date: Mon, 25 Aug 2014 05:07:57 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: Scott Bennett <bennett@sdf.org>, kpneal@pobox.com
Cc: freebsd-questions@freebsd.org
Subject: Re: some ZFS questions
Message-ID: <53FB0AFD.6010507@cyberleo.net>
In-Reply-To: <201408241027.s7OARfEK004658@sdf.org>
References: <201408070816.s778G9ug015988@sdf.org> <40AF5B49-80AF-4FE2-BA14-BFF86164EAA8@kraus-haus.org> <201408211007.s7LA7YGd002430@sdf.org> <20140822005911.GA52625@neutralgood.org> <201408241027.s7OARfEK004658@sdf.org>

On 08/24/2014 05:27 AM, Scott Bennett wrote:
> kpneal@pobox.com wrote:
>> What's the harm in encrypting all the data?
>
> High CPU overhead for both reading and writing is the main downside.

AES-NI is fully supported for recent Intel CPUs, and can achieve some pretty impressive throughputs.

>>
>> In fact, encrypting all data is more secure. If you only encrypt the data
>
> Sure, but why do it if the data don't need to be secret?

Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk fails, you can't always erase it before sending it back for RMA replacement.

One of the things with which I've been experimenting lately is standing encryption on my data storage pools. The intent here is not to protect the data against an attacker; rather, to ease maintenance burden. However, the details I have gathered are useful nevertheless.

I'm currently running a 30TB† 10-disk zpool on a machine with a Haswell CPU and, with AES-NI, the encryption operation is faster than the throughput of all disks combined; there is no perceptible performance impact.

When a disk failed recently, it was so much easier to simply destroy the key material rather than having to worry about somehow securely erasing a device that was not always responsive before shipping it back for replacement.

I have a lot of failed hard drives.

†Okay, only about 20TB after rounding errors, redundancy, and spare capacity; but 30TB 'raw'.

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo@CyberLeo.Net>

Furry Peace! - http://www.fur.com/peace/