Some food for thought on hardware acceleration and encryption:

http://www.truecrypt.org/docs/?s=hardware-acceleration


On Tue, Apr 2, 2013 at 10:40 AM, Nathan England <nathan@nmecs.com> wrote:

What about using solid state drives with AES chips built in? Would that remove the performance hit of a highly used server?

Would a server with several SSDs providing enough storage for the needs sufficiently handle the encryption and RAID without a performance hit? Or is that not what the AES chips in the newer SSDs handle?


On 4/2/2013 9:48 AM, Paul Mooring wrote:
You could run some tests yourself, but due to the nature of encryption I
strongly suspect that the overhead added by LVM is negligible.  Encryption
is supposed to be CPU intensive, like everything else involving security
it's a tradeoff.  The most important thing to keep in mind is that you
don't need to care about CPU overhead, if it's lightly used getting your
files 0.25 seconds later and averaging 60% CPU rather than 40% just
doesn't matter.

Stepping on my soapbox for a minute here, network/server security is far
less magical than many make it out to be.  It's really up to you to
determine how much risk is involved in something and what the costs are to
mitigate that risk.  In your case if the server isn't heavily used so the
CPU overhead isn't a problem, the only cost is having to put in a password
to mount the encrypted drive.  The risk of having sensitive files makes it
a no brainer to set this up.  Contrast that to a file server being used
for just public files (say free exes and isos from the internet) that's
heavily used by an office of people.  In that case setting up encryption
is definitely more secure and also a very bad idea because the costs are
greater than the risk.

All that to say, don't pay too much attention to those numbers.  Setting
this up is pretty straightforward and moving data off the encrypted drive
is also pretty easy, so just set it up and if it works for you don't worry
about trying to squeeze that last drop of performance out until you need
to.




--
A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.

Stephen