Simply put, encryption is computationally expensive and without hardware acceleration, performance goes into the tank. This is especially true with storage systems where encryption technology is used to encrypt and decrypt every single I/O to the appliance.
One way to increase storage performance is to use processors that support Intel's AES-NI (Advanced Encryption Standard New Instructions). Released in 2010 with Intel's Westmere series of processors, AES-NI added 6 new instructions to the CPU instruction set to accelerate the computationally expensive process of encrypting and decrypting data. Tests show that using AES-NI results in a 3 to 10x performance improvement over software-only implementations.
AES Origins
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001 and is the most popular symmetric encryption algorithm in the IT world. It was adopted by the U.S. government in 2002 and approved to protect classified data in 2003.
The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The algorithm specified in this standard may be implemented in software, firmware, hardware, or any combination thereof.
AES-NI and QuantaStor SDS
In our testing of AES-NI for Full Disk Encryption (FDE) with the dm-crypt driver on Linux, we found storage read/write performance was 7.5 to 10x faster than software-only encryption with AES-NI support turned off. To put that into numbers, we saw software encryption deliver about 150MB/sec in read and write performance versus 1125MB/sec with AES-NI enabled. Without AES-NI, adding encryption into a system can impact performance so drastically that alternatives must be found.
By default, QuantaStor enables AES-NI encryption by automatically invoking the driver at bootup via the Linux OS. To verify support for AES-NI, run the following command in the QuantaStor CLI:
lsmod | grep aesni_intel
Figure 1 shows the command and its output, with AES-NI enabled and running on the QuantaStor appliance.
Figure 1
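The check above can be extended to two layers: whether the CPU advertises the aes flag, and whether the kernel crypto API has registered AES-NI-backed drivers that dm-crypt can use. The script below is an added example, not part of the original post or of QuantaStor's tooling; the function names and file-path arguments are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not QuantaStor code): check AES-NI at the CPU and kernel layers.
# Each function takes a file argument so it can run on saved copies;
# with no argument it reads the live /proc file.

# Succeed if the first "flags" line of a cpuinfo-format file lists "aes".
cpu_has_aes() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Print drivers from a /proc/crypto-format file whose record mentions aesni
# (in the driver name or in the module name, e.g. aesni_intel).
kernel_aesni_drivers() {
    awk 'BEGIN { RS = ""; FS = "\n" }
         /aesni/ { for (i = 1; i <= NF; i++) if ($i ~ /^driver/) {
                       sub(/^[^:]*: */, "", $i); print $i } }' \
        "${1:-/proc/crypto}" | sort -u
}

# Print one of: accelerated | cpu-only | software
#   accelerated: CPU flag present and AES-NI drivers registered with the kernel
#   cpu-only:    CPU flag present but no AES-NI driver registered
#   software:    CPU does not advertise the aes flag
aesni_status() {
    if ! cpu_has_aes "$1"; then
        echo software
    elif [ -n "$(kernel_aesni_drivers "$2")" ]; then
        echo accelerated
    else
        echo cpu-only
    fi
}

# Constructed sample input (not captured from a real appliance).
tmp=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu sse2 pclmulqdq aes avx\n' > "$tmp/cpuinfo"
cat > "$tmp/crypto" <<'EOF'
name         : xts(aes)
driver       : xts-aes-aesni
module       : aesni_intel
priority     : 401

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
EOF
echo "sample host: $(aesni_status "$tmp/cpuinfo" "$tmp/crypto")"
rm -rf "$tmp"
```

A "cpu-only" result is the case worth alerting on for an encrypted volume: the hardware supports AES-NI, but I/O is going through the software cipher.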