ufa
135 Posts

Pinned topic Some Questions on Encryption

‏2014-05-21T17:09:24Z |

Hi, the advent of new features bears the potential to ask new questions :-)

Some I got WRT encryption:

1. Using AES, the data (block) volume occupied  in encrypted filesystems will not substantially increase compared to non-encrypted ones, will it? Of course there might be some effects due to padding, but as the block sizes in AES are small compared to GPFS subblock sizes, this will be negligible, correct?

2. When using encryption with small files which could otherwise be stored in inodes, AES-caused padding might reduce the number of inode-storable files, correct? Having said that, the inode space has to be shared with the File Encryption Keys, that reduces the likelihood a small file fits into the inode even with 4k inodes anyway.

3. As only data are encrypted but no metadata: will,  if encryption is on and a file can be stored in an inode, the file be encrypted, or treated as "meta data" encryption-wise and not be encrypted?

4. While this is actually a silly and unanswerable question, it has been brought up by a customer (and this species is always right): What is the performance impact of encryption in GPFS (anything from qualified guesses to sound experience or even comparing measurements is welcome)? AFAIK, the encryption/decryption is done on the node opening a file, so in GPFS client environments (using native GPFS mounts that is) this will be negligible. However, if NAS-exporting, the GPFS NAS servers can get much more load as they will have to perform the encryption/decryption for many clients.

5. While it is said that only data, no metadata are encrypted I have read that directory blocks are encrypted. Now, I've always assumed the directory structure to be part of the metadata so I am seeing a contradiction here - could you please resolve it?

 

5 is a nice number so I'll stop now :-)

 

ufa

Updated on 2014-05-21T17:09:54Z by ufa
  • yuri
    210 Posts
    ACCEPTED ANSWER

    Re: Some Questions on Encryption

    ‏2014-05-21T18:18:41Z  

    > 1. Using AES, the data (block) volume occupied  in encrypted filesystems will not substantially increase compared to non-encrypted ones, will it? 

    Correct.  The number of sectors used to store a given amount of data is the same with or without encryption.

    > 2 & 3

    This is actually quite simple: if encryption is enabled for a given file, the file's data can't be stored in the inode.  The exact reasons are rather technical.

    > 4 Performance

    GPFS performance in general is a very complex topic, and the addition of encryption doesn't make it any simpler.  The only simple answer is: it depends.  For some workloads and configurations the impact of encryption is statistically negligible, e.g. sequential read/write workloads on traditional spinning disks on servers with recent Intel CPUs that have AES acceleration instructions.  In other scenarios, e.g. a busy database server with older CPUs, small random DIO read/write workloads, and very fast disks, the overhead of encryption will be more visible.  We haven't seen the encryption overhead exceed low-to-mid double-digit percentage points in the worst cases in internal testing, but of course your mileage may vary.

    > 5. While it is said that only data, no metadata are encrypted I have read that directory blocks are encrypted.

    Not sure where you read that, but it's not true.  Directory blocks are not encrypted, at this time.  This would be a natural target for future work, but in the current 4.1 code only user file data is encrypted.

    yuri

  • ufa
    135 Posts

    Re: Some Questions on Encryption

    ‏2014-05-22T08:14:23Z  
    • yuri
    • ‏2014-05-21T18:18:41Z

    thank you.