Protection of data at rest is possible in a few different ways. LUKS encryption, hardware RAID controllers with encryption and SED disks (self encrypting drives) to name a few. Here at Aeon we do *a lot* of ZFS and ZFS is happiest when it is configured to interface directly with disk drives and without a hardware RAID controller in the mix. Doing encryption of data at rest in a ZFS configuration that directly interfaces disk drives requires implementing LUKS or SED drives. This benchmark compares two identical ZFS file systems with identical underlying zpool vdevs, one utilizing standard SAS disk drives and the other utilizing SED SAS disk drives running in encrypted mode.
The SED SAS disk drives are TCG-FIPS certified drives. Specifically the drives meet the Opal-Enterprise specification from Trusted Computing Group and also comply with the US Government’s FIPS specification for encryption. For enterprise-grade drive encryption TCG-FIPS is currently the gold standard for encryption of data at rest on a disk drive.
There are two identical ZFS file systems in this comparison; Dark Helmet and Lone Starr. If you’re catching a Spaceballs vibe here you’re not mistaken.
Dark Helmet: Four 8TB HGST He10 Helium 7200 RPM 12Gb SAS disk drives, 2+2 raidz2 zpool, compression=off, atime=off, checksum=on
Lone Starr: Four 8TB HGST He10 Helium 7200 RPM TCG-FIPS 12Gb SAS disk drives, 2+2 raidz2 zpool, compression=off, atime=off, checksum=onDark Helmet is standard with no encryption. Lone Starr is the same as Dark Helmet but is using TCG-FIPS self-encrypting drives (SED)
Like the air shield in Spaceballs, SED drives have a combination lock of sorts. SED drives require configuration with a unique private password that gets merged with the drive’s internal salt and a new unique key is created and it resides in volatile memory in the drive’s protected area. This is the encryption key for the data when written to media. When the drive is powered off or removed from its chassis the key is gone and the data on disk is unreadable. Power on or reinsert the drive into the system, write the same unique password to the drive and your data is unencrypted on the fly. The process does not decrypt the data on the entire drive, or re-encrypt it. It stays encrypted on disk and when given the proper key is decrypts on the fly when read by the host and new data written is written to media encrypted on the fly. A block range must also be defined on the drive that will fall under the encrypted data model. In this case I used an encryption password of ‘usetheschwartz’ and defined the entire block range of the drive for encryption mode. This process was duplicated on the other three drives comprising the Lone Starr zpool and file system. The following is a response from the drive when queried as to its secure mode status. The drive has been unlocked (Locked = N) and locking mode and media encryption are enabled (LockingSupported = Y) and (MediaEncrypt = Y).
Locking function (0x0002) Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
We now have two operational ZFS file systems to benchmark, the unencrypted Dark Helmet and TCG-FIPS encrypted Lone Starr.
The benchmark system is an Aeon Computing Eclipse HA-324 with two Intel Xeon E5-2637 v4 processors, 128GB of DDR4-2400 RAM and Intel/Avago 12Gb SAS host bus adapters. The operating system is CentOS 7.2 and ZFS v0.6.5.8-1 is installed.
I used fio for the benchmark process. The fio benchmark runtime configuration was:
size=256g, bs=1m, ioengine=libaio, iodepth=1, ramp_time=15
In the graph below you will see the two benchmarked ZFS file systems tracked very closely on write performance, averaging 641.8MB/second. Pretty good for a four drive raidz2 pool considering each drive has a media transfer rate of 225MB/second. I re-ran the benchmark over a dozen times and the two pools took turns being the slightly faster of the two. As you can see in the benchmark graph the TCG-FIPS encrypted drives suffer no performance degradation compared to the non-encrypted drives. TCG-FIPS drives can be used in place of standard SAS enterprise disk drives with no performance hit. But what about the reads?
In the graph below you will see the two benchmarked ZFS file systems tracked very closely on read performance as well. An average of 741.9MB/second. As you can see in the benchmark graph the TCG-FIPS encrypted drives suffer no read performance degradation compared to the non-encrypted drives.
In this case real world testing matches the product vendor sales literature. The use of TCG-FIPS hard disk drives imposes no identifiable performance penalties. Many secure facilities with important data protect their data with high walls and men with guns. If you have a need for protection of data at rest and cannot afford a high wall and men with guns then using SED (self-encrypting drive) disk drives like the HGST Ultrastar He10 TCG-FIPS in storage solutions from Aeon Computing can bring data-at-rest piece of mind to your data resource.